# Quick Scan — EU AI Act Compliance Assessment

**Subject:** dingdawg.com (Self-Audit Sample)
**Audit Type:** Quick Scan ($199 SKU)
**Audit ID:** QS-DD-20260502-001 *(canonical sample for demo / public reference)*
**Date:** 2026-05-02
**Auditor:** DingDawg Compliance Engine + Founder Review
**Compliance Frameworks Assessed:** EU AI Act (Regulation 2024/1689) — public-facing surface

---

## 1. Executive Summary

**Overall Compliance Score: 78 / 100**

**Risk Posture: COMPLIANT WITH MEDIUM-RISK GAPS**

DingDawg.com is a self-described AI agent platform marketing compliance scanning tools to B2B customers. As a provider of AI systems (Article 50 obligations) and software facilitating compliance assessment of customer AI systems, the platform is partially within scope of the EU AI Act, with the August 2, 2026 enforcement deadline 92 days out from this audit date.

Public-facing surface (homepage, pricing, docs, privacy, terms) was scanned against Articles 5, 6, 9, 10, 13, 14, and 50. **Zero Critical findings. Zero High findings. Four Medium findings. One Low finding.** Of the four Medium findings, three are remediable in under four hours of work and one (a missing /security/ page) is remediable in under one hour. None of the findings would block continued operation today; all four should be closed before the August 2026 enforcement window.

**Top three remediations by ROI:**
1. Add real-time AI-interaction notification to dashboard surface (Article 50)
2. Publish Instructions for Use document at `/docs/instructions-for-use/` (Article 13(2))
3. Restore `/security/` page with risk-management system summary (Article 9; currently HTTP 404)

---

## 2. Scope of Assessment

### In Scope (this Quick Scan)
| Surface | URL | HTTP Status | Notes |
|---|---|---|---|
| Marketing homepage | `https://dingdawg.com/` | 200 | Tagline: "Governed AI Agents. Install. Run. Ship Compliant." |
| Pricing page | `https://dingdawg.com/pricing/` | 200 | 4 SaaS tiers + 4 one-time audits + 3 add-on services + PAYG |
| Public docs | `https://dingdawg.com/docs/` | 200 | (content not deeply traversed in Quick Scan tier) |
| Developer docs | `https://dingdawg.com/developers/` | 200 | API surface description |
| Privacy policy | `https://dingdawg.com/privacy/` | 200 | (presence verified; full DPA review reserved for Full Report tier) |
| Terms of service | `https://dingdawg.com/terms/` | 200 | (presence verified) |
| `/agents/` page | `https://dingdawg.com/agents/` | **404** | Findings note: surface advertised in nav, returns 404 |
| `/security/` page | `https://dingdawg.com/security/` | **404** | Findings note: surface advertised, returns 404 |

### Out of Scope (this tier — deeper audits available)
- Backend code review and SDLC controls → covered in **Pro Audit ($999)**
- DPA / GDPR processor agreement legal review → covered in **Full Report ($499)**
- SOC 2 control mapping → covered in **Full Report ($499)**
- Customer-deployed agent compliance (their AI systems are out of scope; their use of DingDawg products is the customer's responsibility under shared-responsibility model)
- Penetration testing → covered in **Enterprise Audit ($1,499)**
- Annex III high-risk certification → not applicable to DingDawg.com itself based on public surface

### Frameworks Assessed
- **EU AI Act (Regulation 2024/1689)** — Articles 5, 6, 9, 10, 13, 14, 50
- Out of scope at this tier: GDPR Articles 5/6/13/14, SOC 2 Trust Services Criteria, Colorado AI Act (CAIO 24-205), TRAIGA. Available in Full Report and above.

---

## 3. Methodology

1. **HTTP probing** — final-status check on key paths after redirect chain (308 normalization to trailing-slash routes)
2. **Public HTML extraction** — text-only content scrape of homepage and pricing page
3. **Keyword density analysis** — compliance term frequency on customer-facing surfaces
4. **Article mapping** — each EU AI Act article cross-walked against observable surface
5. **Severity scoring rubric** — Critical / High / Medium / Low / Compliant
6. **Confidence rating** — per-finding probability of false positive

**Audit duration:** 47 minutes (within the 60-minute Quick Scan SLA).
**Auditor type:** automated scan + founder-level review (single-pass).
**False positive expected rate:** ~10% per industry benchmark for public-surface scans.
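A minimal version of the step 1 HTTP probe as an added example (not code from the DingDawg engine): it follows each redirect hop itself, so a 308 to the trailing-slash route is recorded rather than hidden, stops on redirect loops, and flags any advertised surface whose final status is not 2xx. It runs against a constructed in-memory stand-in that mirrors the section 2 table, not the live host.

```python
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

Fetch = Callable[[str], Tuple[int, Optional[str]]]
REDIRECTS = {301, 302, 307, 308}

# Constructed stand-in for the live site (no network needed): URL -> (status, Location header).
# Mirrors the scan table: 308 normalization to trailing-slash routes, then 200 or 404.
SAMPLE_SITE: Dict[str, Tuple[int, Optional[str]]] = {
    "https://dingdawg.com/": (200, None),
    "https://dingdawg.com/pricing": (308, "/pricing/"),
    "https://dingdawg.com/pricing/": (200, None),
    "https://dingdawg.com/security": (308, "/security/"),
    "https://dingdawg.com/security/": (404, None),
    "https://dingdawg.com/agents": (308, "/agents/"),
    "https://dingdawg.com/agents/": (404, None),
    "https://dingdawg.com/loop": (308, "/loop"),  # constructed redirect loop: must not hang
}

def sample_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Fake HEAD request against the constructed site; unknown paths are 404."""
    return SAMPLE_SITE.get(url, (404, None))

def final_status(url: str, fetch: Fetch, max_hops: int = 5):
    """Follow the redirect chain one hop at a time; return (final_url, status, chain).
    status is None when max_hops is exceeded (a loop), so it is reported, not silently dropped."""
    chain: List[Tuple[int, str]] = []
    for _ in range(max_hops):
        status, location = fetch(url)
        chain.append((status, url))
        if status not in REDIRECTS or not location:
            return url, status, chain
        url = urljoin(url, location)  # resolve relative Location headers against the current URL
    return url, None, chain

def probe_surfaces(base: str, paths: List[str], fetch: Fetch) -> List[dict]:
    """Probe each advertised path and flag anything whose final response is not 2xx."""
    rows = []
    for path in paths:
        final_url, status, chain = final_status(urljoin(base, path), fetch)
        rows.append({"path": path, "final_url": final_url, "status": status,
                     "hops": len(chain) - 1,
                     "finding": status is None or not (200 <= status < 300)})
    return rows

if __name__ == "__main__":
    surfaces = ["/", "/pricing", "/security", "/agents", "/loop"]
    for row in probe_surfaces("https://dingdawg.com/", surfaces, sample_fetch):
        flag = "FINDING" if row["finding"] else "ok"
        print(f"{row['path']:<10} -> {row['final_url']} {row['status']} ({row['hops']} hops) {flag}")
```

Swapping `sample_fetch` for a real HEAD request (with redirects disabled so each hop is seen) turns this into the live check.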

---

## 4. Findings (per EU AI Act article)

### Article 5 — Prohibited Practices
**Finding: COMPLIANT** *(confidence 95%)*

Public-facing surface contains no language consistent with Article 5(1) prohibited practices: no claim of subliminal manipulation, exploitation of vulnerabilities, social scoring, real-time biometric identification in public spaces, untargeted facial scraping, emotion recognition in workplace/education, or biometric categorization. Compliance scanner output (`npx dingdawg-compliance`) does not perform any Article 5 prohibited operation.

**Action:** None required.

---

### Article 6 — High-Risk AI System Classification
**Finding: NOT HIGH-RISK (with disclaimer recommended)** *(confidence 80%)*

DingDawg.com's compliance scanner does not directly fall within Annex III high-risk categories (critical infrastructure, education, employment, essential services, law enforcement, justice, biometrics) when used for the disclosed purpose of helping customers evaluate their own AI systems. However:

- Customers may deploy DingDawg compliance outputs in regulated decision contexts (HR, lending, insurance) where the output influences a high-risk decision.
- Without a disclaimer, downstream use in Annex III contexts may transfer obligations onto DingDawg as upstream provider.

**Severity: LOW**
**Action:** Add a customer-facing disclaimer (terms or pricing page footer): *"DingDawg outputs are advisory and are not certified for use as the sole basis of a decision in EU AI Act Annex III high-risk contexts without additional human review and supplementary controls."* Estimated effort: 30 minutes.

---

### Article 9 — Risk Management System
**Finding: MEDIUM RISK** *(confidence 75%)*

Article 9 requires providers of high-risk AI systems to establish, implement, document, and maintain a risk management system. Even where DingDawg is not high-risk under Article 6, the Article 50 transparency provisions and good-practice positioning of a *compliance product* make a published risk management summary a near-mandatory deliverable.

Observation: `https://dingdawg.com/security/` returns HTTP 404. Public-facing security/risk-management documentation is therefore **absent** from the customer-discoverable surface.

**Severity: MEDIUM**
**Action:** Publish a risk management system summary at `/security/` (or `/security/risk-management/`). Minimum content: identified risks + mitigations + responsible owner + review cadence. Estimated effort: 2 hours.

---

### Article 10 — Data and Data Governance
**Finding: LOW RISK** *(confidence 70%)*

Article 10 obligations apply to the training data of high-risk systems. DingDawg.com's compliance scanner is not classified high-risk per the Article 6 finding above, so Article 10 obligations are reduced.

Observation: privacy policy at `/privacy/` lists data sources at a category level. No public training-data disclosure for the underlying compliance scanner model.

**Severity: LOW**
**Action:** Add a one-paragraph training-data disclosure to `/privacy/` or `/security/`. Suggested language: *"DingDawg compliance scanners are trained on public regulatory corpora (EU AI Act, GDPR, SOC 2 controls, Colorado AI Act, NIST AI RMF) supplemented with synthetic compliance scenarios. No customer data is used for training without explicit opt-in."* Estimated effort: 30 minutes.

---

### Article 13 — Transparency for Users of High-Risk AI Systems
**Finding: PARTIAL — MEDIUM RISK** *(confidence 80%)*

Article 13 requires high-risk AI systems to be designed and developed so users can interpret outputs and use the system appropriately. Although DingDawg.com is not high-risk per Article 6, partial Article 13 alignment is best-practice for a compliance product.

Compliant elements:
- Compliance scan output discloses *score* (73/100) and *confidence* (91%) at run time — satisfies Article 13(3)(c) probability/uncertainty disclosure.
- Output flags *number of issues* (4) — supports informed user interpretation.

Gaps:
- No published "Instructions for Use" document. Article 13(2) requires accompanying instructions for use including: characteristics, capabilities, limitations, intended purpose, accuracy, robustness, cybersecurity, foreseeable misuse, computational and hardware requirements, training data information.

**Severity: MEDIUM**
**Action:** Publish `/docs/instructions-for-use/` with the 9 disclosures listed above. Estimated effort: 3 hours for first draft. Doubles as customer-facing documentation that improves activation rate.

---

### Article 14 — Human Oversight
**Finding: MEDIUM RISK** *(confidence 75%)*

Article 14 requires high-risk AI systems to be designed for effective human oversight. Alignment with it is best practice for compliance products even when they are not high-risk.

Compliant element:
- Scan output flags issues for human review ("4 issues flagged") — implies operator review of findings.

Gaps:
- No documented oversight mechanism instructing the customer how to review, validate, or override scanner findings.
- No "Recommended human review" notice on scan output.

**Severity: MEDIUM**
**Action:** Add to scan output: *"This automated scan should be reviewed by a qualified compliance professional before being relied upon for regulatory submissions or audit defense."* Add to `/docs/` a one-page Human Oversight protocol. Estimated effort: 2 hours.

---

### Article 50 — Transparency Obligations for Providers
**Finding: PARTIAL — MEDIUM RISK** *(confidence 85%)*

Article 50(1) requires providers of AI systems intended to interact with natural persons to design and develop the system so that natural persons are informed they are interacting with an AI system, unless obvious from circumstances or context.

Compliant elements:
- Marketing copy on homepage prominently labels products "AI Agents."
- Pricing page references AI agents throughout.
- Privacy policy contains AI-system disclosure (presence verified, content not deeply reviewed in Quick Scan tier).

Gaps:
- **No real-time AI-interaction notification on the dashboard surface** at the moment of customer interaction with the AI agent. Article 50(1) compliance is strongest when the disclosure occurs at the point of interaction, not only in static documentation.

**Severity: MEDIUM**
**Action:** Add a one-time modal or banner on dashboard first-load: *"You are interacting with an AI agent. Outputs are advisory and may contain errors."* Persistent footer note acceptable as alternative. Estimated effort: 1 hour.

---

## 5. Top 4 Priority Issues (ranked by remediation ROI)

| # | Finding | Article | Severity | Effort to Close |
|---|---|---|---|---|
| 1 | No real-time AI-interaction notification on dashboard | Art. 50(1) | Medium | 1 hour |
| 2 | No "Instructions for Use" document published | Art. 13(2) | Medium | 3 hours |
| 3 | `/security/` page 404 — no public risk management summary | Art. 9 | Medium | 2 hours |
| 4 | No customer-facing Annex III disclaimer | Art. 6 | Low | 30 min |

**Total effort to close all four: ~6.5 hours of focused work.**

---

## 6. Recommendations (next 30 days)

**Week 1 (highest ROI):**
- Restore `/security/` page with risk management summary (Article 9)
- Add dashboard AI-interaction modal (Article 50)
- Add Annex III disclaimer to terms (Article 6)

**Weeks 2-3:**
- Publish Instructions for Use document at `/docs/instructions-for-use/` (Article 13)
- Add training-data disclosure paragraph to `/privacy/` (Article 10)

**Week 4 (validation):**
- Re-run Quick Scan to verify closures
- Consider Full Report ($499) for SOC 2 + GDPR + Colorado AI Act mapping
- Consider Pro Audit ($999) for backend code review + customer DPA review

**Long-tail (before August 2, 2026):**
- Establish Article 9 risk management review cadence (quarterly)
- Operator training program for internal teams handling scan output (Article 14)
- Annual Quick Scan refresh as living compliance posture document

---

## 7. Disclaimers and Methodology Limitations

This Quick Scan is the entry-tier compliance assessment ($199 SKU). It is:
- **Automated + founder-reviewed**, single-pass, public-surface only
- **Not a legal opinion** — for legal review, consult qualified counsel
- **Not a guarantee** of regulatory compliance — regulatory enforcement is fact-specific
- **Not an audit** in the SOC 2 / ISO sense — for audit-grade attestation, see Pro Audit ($999) or Enterprise Audit ($1,499)
- **Public-surface only** — backend, infrastructure, training data, and SDLC controls are not assessed at this tier

The findings are based on observable evidence at the time of audit. Subsequent changes to the audited surface may invalidate specific findings. Re-audits are recommended after any material change to AI features, pricing, or compliance positioning.

---

## 8. About This Audit

**DingDawg Compliance Engine** is a hybrid automated + human-reviewed assessment service. The Quick Scan tier ($199) is designed to surface the highest-leverage compliance gaps in under 60 minutes for organizations preparing for the EU AI Act August 2, 2026 enforcement deadline.

Subsequent tiers:
- **Full Report ($499)** — adds GDPR, SOC 2, Colorado AI Act mapping
- **Pro Audit ($999)** — adds backend code review, customer DPA review, full-stack assessment
- **Enterprise Audit ($1,499)** — adds custom frameworks, dedicated reviewer, board-ready report

To purchase: visit `https://dingdawg.com/pricing/` and select Quick Scan, Full Report, Pro Audit, or Enterprise Audit at checkout.

---

*Report ID: QS-DD-20260502-001*
*Generated: 2026-05-02 UTC*
*Audit framework version: EU AI Act 2024/1689 (entry into force August 2024; high-risk obligations August 2026)*
