---
title: "Custom AI for the General Counsel"
description: "A General Counsel reading an AI vendor contract is looking for four things: a defensible posture under the EU AI Act and GDPR, IP-clean training data, indemnity language that survives a copyright or d"
url: https://impetora.com/for/clo
role: "General Counsel"
audience: "General Counsel"
trace_spine: "Citations and Evidence"
author: Impetora
---

# Custom AI for the General Counsel

> Audience: General Counsel. TRACE spine: Citations and Evidence.

A General Counsel reading an AI vendor contract is looking for four things: a defensible posture under the EU AI Act and GDPR, IP-clean training data, indemnity language that survives a copyright or data-subject claim, and a regulator-pack that exists before launch and not after the first complaint. Impetora builds to that brief by default. EU AI Act Article 99 sets fine ceilings up to EUR 35 million for prohibited-practice breach. GDPR Article 83(5) sets fines up to 4 percent of global annual turnover. Annex IV requires nine technical-documentation chapters for high-risk systems.

## What GCs actually care about

### AI Act conformity assessment

High-risk systems need a documented conformity assessment, an EU declaration of conformity, and CE marking. Building these in is cheaper than retrofitting.

### GDPR Article 22 exposure

Decisions producing legal or similarly significant effects cannot be based solely on automated processing without explicit safeguards.

### Training-data IP posture

Foundation models trained on contested data create derivative-works claims and licence-violation risk.

### Output IP and ownership

Who owns AI-generated output, what licence the foundation-model provider grants, and how it interacts with customer contracts.

### Sub-processor disclosure

Every party touching personal data is disclosed under the DPA, with legal basis, residency, and contractual posture.

### Indemnity and liability

The contract chain has to push liability for wrong, biased, defamatory, or copyright-infringing outputs to a party that can carry it.

## TRACE pillar focus

For GCs, the spine is **Citations and Evidence**. See https://impetora.com/methodology for the full TRACE framework.

## Use cases

### Document processing

Structured extraction with a citation chain attached. The audit log captures the source clause behind every value.

### Decision support

Recommendations with evidence chain attached, designed around Article 22 safeguards and human-in-the-loop sign-off.

### Customer support automation

Resolution drafts with refusal rules tuned to your policy and a reasoning trail your legal team can audit.

### Internal knowledge AI

Grounded answers across policies, regulator guidance, historical opinions. Permission-scoped retrieval respecting privilege and confidentiality.

## What GCs need from a partner, and what we ship

### Defensible audit trail

Immutable, append-only log of every input, retrieved context, model version, output. Replayable on demand.

### Annex IV technical documentation

Nine-chapter pack: system description, design, monitoring, performance metrics, risk management, post-market monitoring, change log, EU declaration, instructions for use.

### GDPR Article 22 design pattern

Explicit consent, human review surfaces, contestation path. Human-in-the-loop is in by default where the workflow does not require full automation.

### IP-clean training data posture

Foundation-model providers contracted with no-training clauses. Documented training-data position. Provenance log on customer-supplied data.

### Sub-processor contracts

DPA with sub-processor list, residency map, legal basis per category, notification terms when list changes.

### Model card and disclosure

Published model card describing capabilities, limitations, evaluation results, intended use.

## GC questions, answered

### How do you handle GDPR Article 22?

Workflows are classified against Article 22 in Discovery. Where a workflow is in scope, we design a meaningful human-in-the-loop surface where the reviewer sees reasoning, retrieved evidence, and alternative options. EDPB 2024 guidelines are reflected. The audit log captures human approval as a first-class event.

### Is the training data IP-clean?

We do not train foundation models. Foundation-model providers are contracted under no-training clauses on your data. Where you supply data for fine-tuning or retrieval, we keep a provenance log and licence record per source. We refuse to ingest data without a documented licence.

### What about derivative-works and copyright claims?

Output ownership and infringement risk are a function of the foundation-model provider's terms, your input, and the use case. A human reviewer is kept in the signing seat for original creative work. Output-licence terms flow through to your customer agreement. Where the provider offers indemnity, we use it.

### What does the regulator-pack contain?

For high-risk: Annex IV documentation (9 chapters), EU declaration of conformity, conformity-assessment evidence (Annex VI or VII route), risk-management file, data-governance documentation, human-oversight design, post-market monitoring plan, audit-log schema. Limited-risk: proportionate transparency notice, model card, audit-log schema, DPIA where Article 35 triggers.

### How do you handle indemnity and liability?

We push indemnity to the party that can carry it: foundation-model provider for training-data IP, us for engineering negligence, you for use-case decisions and human reviewer sign-off. The contract names, caps, and exposes the audit log as the evidence basis.

## Contact

Email: info@ainora.lt
Discovery: https://impetora.com/for/clo#discovery-call
