AI Disclosure
Last updated: May 25, 2026
1. Purpose
This document fulfills the transparency obligations of the EU AI Act (Regulation (EU) 2024/1689), Article 13, for the SOSA DevOps desktop application. It is written in plain language for any user, not only EU users, not only legally trained users. Cross-reference: Privacy Policy and Terms of Service.
2. AI Features in SOSA DevOps (v1.0)
Local LLM Chat (Synapsis module): conversational interface to a locally-running LLM via Ollama. You choose the model. Supported examples: Llama 3.x, Qwen 2.5, Mistral, Phi 3/4, Gemma, DeepSeek-R1.
Retrieval-Augmented Generation (RAG): indexes your documents locally using a local embedding model (nomic-embed-text via Ollama). SQLite nearest-neighbour search. All on-device.
Persona system: structured prompt-prefix templates that shape the LLM's tone and constraints. User-editable. Not a separate AI model.
Privacy Filter: on-device PII scrubber using GLiNER and Presidio. Runs before any AI query going to an external provider. Detects credentials, API keys, IP addresses, and payment data. Local query scrubbing ships in v1.1.
External API providers: architecture supports Claude, DeepSeek, Kimi, Brave Search, Tavily. None are wired in v1.0. All tabs show Disabled. First provider (DeepSeek) ships in v1.1+.
Agentic routing pipeline: designed and documented but not user-facing in v1.0. v1.0 chat is single-turn LLM chat with optional RAG.
3. How AI Processing Works
All AI processing in v1.0 happens locally on your device. Your prompt is sent to 127.0.0.1:11434, a loopback address that does not produce a packet on any network. No prompt or response leaves your device. You can verify this with any network monitor.
Models do not learn from you. Ollama performs inference only; weights are frozen at the version you pulled. Your prompts are not sampled or fed back to the model's author for retraining.
The only systematic additions to your prompt are the persona prefix you have chosen and the RAG context you have configured. There is no covert system prompt extracting data from your input.
4. AI Operation Logging: Vault A and Vault B
Every AI action is logged on your device.
Vault A (audit-chain.jsonl): cryptographic seal per event. Contains timestamps, event types, character counts, and content hashes, never readable content. Tamper-evident: any modification breaks the chain. Access: Tools → Open Audit Vault.
Vault B (interaction-log.jsonl): readable interaction log. Contains your prompts, AI responses, and RAG chunks, with model name, token counts, and latency. Access: Tools → Open Interaction Log. Export per session in TXT, PDF, or JSONL. Delete per session with a type-to-confirm gate (atomic rewrite).
The TransparencyNotice badge (AI-powered · Actions logged) is always visible.
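How a per-event seal makes a JSONL log tamper-evident, as an added sketch that is not SOSA DevOps code: the field names, the SHA-256 construction, the all-zero genesis value and the sample events are assumptions made for illustration, since this document does not publish the audit-chain.jsonl format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous seal" for the first record
FIELDS = ("ts", "event", "chars", "content_sha256")  # assumed field names
SAMPLE = [("chat.prompt", "2026-05-25T10:00:00Z", "constructed prompt"),
          ("rag.lookup", "2026-05-25T10:00:01Z", "constructed chunk"),
          ("chat.reply", "2026-05-25T10:00:03Z", "constructed reply")]


def seal(record: dict, prev: str) -> str:
    """SHA-256 over the previous seal plus the canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev + body).encode("utf-8")).hexdigest()


def append_event(chain: list, event: str, ts: str, content: str) -> None:
    """Store only the length and hash of the content, then seal the record."""
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    record = {"ts": ts, "event": event, "chars": len(content),
              "content_sha256": digest}
    prev = chain[-1]["seal"] if chain else GENESIS
    chain.append({**record, "prev": prev, "seal": seal(record, prev)})


def verify_chain(lines: list) -> int:
    """Return -1 if every seal checks out, else the index of the first bad line."""
    prev = GENESIS
    for i, line in enumerate(lines):
        try:
            entry = json.loads(line)
            record = {k: entry[k] for k in FIELDS}
            ok = entry["prev"] == prev and entry["seal"] == seal(record, prev)
        except (ValueError, KeyError, TypeError):
            ok = False  # malformed or incomplete lines count as tampering
        if not ok:
            return i
        prev = entry["seal"]
    return -1


def demo() -> dict:
    """Verify a constructed log intact, edited, with a line removed, and truncated."""
    chain = []
    for event, ts, content in SAMPLE:
        append_event(chain, event, ts, content)
    lines = [json.dumps(e) for e in chain]
    changed = json.loads(lines[1])
    changed["chars"] += 1
    edited = [lines[0], json.dumps(changed), lines[2]]
    return {"intact": verify_chain(lines), "edited": verify_chain(edited),
            "deleted": verify_chain([lines[0], lines[2]]),
            "truncated": verify_chain(lines[:2])}
```

In this sketch, dropping records from the tail still verifies, so a checker also needs the latest seal or record count kept somewhere other than the log itself.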
5. Your Rights Under the EU AI Act
Right to know when AI is in use: the model name is shown in every chat turn. The Synapsis module always identifies itself as AI.
Right to human oversight: no auto-execute path exists in v1.0. All AI Output requires your explicit action before anything happens.
Right to explanation: model visible per turn; persona attribution visible in settings; RAG chunks visible in Vault B with source document path.
Right to export AI operation history: per-session export from the Vault B viewer in TXT, PDF, or JSONL.
Right to delete: per-session Vault B delete; full removal by uninstalling and deleting the application data directory.
Right to lodge a complaint: EU users may complain to the AI Office or their data protection supervisory authority.
6. Model Provenance and Licenses
SOSA DevOps does not bundle, host, or distribute LLM weights. Models are installed by you via Ollama. Common licenses:
• Llama 3.x (Meta): Llama Community License
• Qwen 2.5 (Alibaba): Qwen Research License or Tongyi Qianwen License
• Mistral (Mistral AI): Apache 2.0 or Mistral Research License
• Phi 3/4 (Microsoft): MIT License
• Gemma (Google): Gemma License
• DeepSeek-R1 (DeepSeek): MIT License
• nomic-embed-text (Nomic AI): Apache 2.0
You are responsible for license compliance with the model you have pulled. The in-application catalog shows model metadata; the authoritative license is the one published by the model's author.
7. Risk Classification Under the EU AI Act
SOSA DevOps AI features are classified as limited-risk under the EU AI Act. This triggers the transparency obligation under Article 13, which this document satisfies.
SOSA DevOps is not a foundation model. We do not train, fine-tune, or distribute models. The application is not used for any Annex III high-risk application: not education access, employment decisions, essential services, law enforcement, biometric identification, migration control, justice administration, or critical infrastructure.
8. Out-of-Scope AI Uses
The Software is not authorised, validated, or warranted for:
• Medical advice, diagnosis, or clinical decision support
• Legal advice or contract drafting for execution
• Financial trade decisions or investment advice
• Safety-critical system control or any system whose failure could cause physical harm
• Biometric identification or surveillance
• Regulated content moderation
• Decisions affecting an individual's access to essential services, education, employment, or credit
If your use case appears in this list, we recommend professional human review before any AI-influenced decision is acted on.
9. External API Providers: Deferred to v1.1+
v1.0 ships with no external API providers wired. No code path in the application sends a prompt, response, or RAG context to any third-party AI service. The External Providers tab shows every provider as Disabled.
When external providers are wired in v1.1+, this document will be revised to disclose: the provider's identity and jurisdiction, the provider's privacy and AI policies, the data sent, the Privacy Filter preflight stage, and the logging behaviour. The first provider on the roadmap is DeepSeek.
10. Contact
AI-specific questions: [email protected]
Privacy questions: [email protected]
Legal questions: [email protected]
Security disclosure: [email protected]
If you are an EU resident exercising rights under the AI Act, indicate that in your email so we can route it appropriately.