docs: EU AI Act compliance guide for Haystack deployers #10891

Open
BipinRimal314 wants to merge 6 commits into deepset-ai:main from BipinRimal314:docs/eu-ai-act-compliance

@BipinRimal314

Summary

  • Adds a deployer-facing guide covering EU AI Act obligations for Haystack pipeline operators
  • Distinguishes framework provider (deepset) obligations from deployer obligations under Articles 25-27
  • Maps Haystack's existing tracing/logging features to Article 12 record-keeping requirements
  • Includes Mermaid data flow diagram with GDPR role classifications

Why this matters

deepset is Berlin-based. Haystack is used by EU government organizations. The August 2, 2026 deadline for high-risk AI
system compliance is approaching. Deployers building RAG pipelines, agents, and search systems with Haystack need
guidance on which articles apply and what Haystack already covers.

What's covered

  • Risk classification: when a Haystack pipeline becomes high-risk (depends on use case, not framework)
  • Data flow mapping: OpenAI and HuggingFace as processors, self-hosted alternatives as controller
  • Article 11: Annex IV section-by-section guide showing what auto-populates from code vs what deployers must add
  • Article 12: table mapping Haystack's Tracer, LoggingTracer, and component metadata to specific requirements
  • Article 13: transparency obligations for RAG pipelines (source attribution, hallucination disclosure)
  • GDPR: legal basis, DPA requirements, RoPA generation, DPIA triggers

How this was produced

Codebase scanned using AI Trace Auditor (open source, Apache 2.0).
Scanner analyzed 573 files, found 2 AI providers, 15 model identifiers, 3 external services. Regulatory mapping and
deployer guidance written and reviewed manually.

Test plan

  • Mermaid diagram renders correctly on GitHub
  • Links to Haystack tracing docs are valid
  • No factual errors in regulatory citations

Covers risk classification, data flow mapping (Mermaid diagram),
Article 11 (Annex IV documentation), Article 12 (record-keeping
mapped to Haystack's tracing), Article 13 (transparency), and
GDPR considerations for pipeline deployers.

Scanner analysis: 573 files, 2 AI providers, 15 model identifiers,
3 external services. Data flow diagram auto-generated, regulatory
mapping manually reviewed.
@BipinRimal314 BipinRimal314 requested review from a team as code owners March 20, 2026 20:23
@BipinRimal314 BipinRimal314 requested review from julian-risch and removed request for a team March 20, 2026 20:23
@vercel

vercel bot commented Mar 20, 2026

@BipinRimal314 is attempting to deploy a commit to the deepset Team on Vercel.

A member of the Team first needs to authorize it.

@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.


2 participants