
ISO 42001 & EU AI Act

WeCheck operates in high-stakes environments — hiring, immigration, legal discovery — where AI-generated insights can directly influence decisions affecting people's lives. This page explains the regulatory standards WeCheck aligns with, what they require, and what they mean for your organization when using the platform.


ISO 42001 — AI Management Systems

ISO 42001 (formally ISO/IEC 42001:2023) is the international standard for Artificial Intelligence Management Systems (AIMS). It is to AI what ISO 27001 is to information security: a certifiable management-system framework for governing how AI systems are developed, deployed, and monitored responsibly.

Key requirements of ISO 42001 include:

  • Risk assessment — Identifying and managing risks introduced by AI systems before and during deployment
  • Transparency — Documenting how AI models make decisions and what data they consume
  • Human oversight — Ensuring human professionals remain in control of consequential decisions
  • Continuous monitoring — Tracking AI system performance and bias over time
  • Incident response — Having a process for handling AI errors or unexpected outputs

WeCheck is actively pursuing ISO 42001 certification. Once obtained, certification will give enterprise customers in regulated industries independent, third-party assurance that WeCheck's AI systems are governed to an international standard. Until then, treat the certification status and scope as something to confirm with your account manager during vendor due diligence rather than assume.


EU AI Act — Risk Classification

The EU AI Act is the European Union's landmark regulation on artificial intelligence. It classifies AI systems into four risk tiers and imposes obligations proportional to the risk level:

Risk Tier         | Examples                                                                                              | Obligations
Unacceptable Risk | Social scoring; real-time remote biometric identification in public spaces (narrow law-enforcement exceptions) | Banned outright
High Risk         | Employment screening, credit scoring, immigration vetting                                              | Strict requirements: risk management, transparency, human oversight, audit logs
Limited Risk      | Chatbots; AI-generated content such as deepfakes                                                       | Disclosure obligations
Minimal Risk      | Spam filters, AI in video games                                                                         | No specific obligations

Where WeCheck fits: WeCheck is used in employment screening and immigration vetting, both of which appear in Annex III of the EU AI Act as High Risk use cases. WeCheck as the AI provider, and your organization as the deployer, must therefore meet the strictest tier of obligations, including:

  • Logging every AI-assisted decision in an auditable trail
  • Providing clear explanations of how risk scores are generated
  • Ensuring a qualified human professional reviews and makes the final call — WeCheck cannot be used as the sole basis for a consequential decision
  • Conducting regular bias audits of the underlying models

What This Means for Your Organization

If your organization is established in the EU, or uses the output of an AI system within the EU, using an AI tool for employment, credit, or immigration decisions triggers obligations under the EU AI Act. These fall on both the AI provider (WeCheck) and the deploying organization (you): as deployer you must, among other things, operate the system according to its instructions, assign human oversight to staff with the competence and authority to override it, and retain the logs the system generates.

WeCheck's compliance posture is designed to support your obligations:

Your Obligation               | How WeCheck Supports It
Human oversight requirement   | WeCheck presents signals and scores; it never makes autonomous decisions
Audit trail requirement       | Every scan is logged with timestamp, subject identifiers, and result summary
Transparency requirement      | Confidence scores and signal sources are visible in every report
Bias mitigation requirement   | WeCheck's models are regularly audited; risk flags are based on behavioral signals, not demographic attributes
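The human-oversight and audit-trail obligations above are easy to state and easy to get wrong on the deployer side: a log that can be silently edited after the fact is not an audit trail, and a "human in the loop" that is never recorded cannot be shown to an auditor. The following is an added example, not WeCheck's code or API, of how a deploying organization could record AI-assisted screening decisions so that no entry is finalised without a named reviewer, every score carries the signals behind it, and later tampering with the stored log is detectable through a SHA-256 hash chain. Field names, the decision vocabulary, and the sample records are assumptions made for the example.

```python
"""Hash-chained audit trail with a human-in-the-loop gate.

Added illustration only; this is not WeCheck's code. It shows one way a
deploying organization could record each AI-assisted screening decision so
that (a) nothing is finalised without a named human reviewer, (b) every
score carries the signals behind it, and (c) later edits to the log are
detectable. Field names and the decision vocabulary are assumptions.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64
ALLOWED_DECISIONS = ("proceed", "decline", "escalate")


@dataclass
class AuditEntry:
    seq: int
    timestamp: str
    subject_id: str
    signals: list          # source signals behind the score (transparency)
    risk_score: float      # AI-generated score, advisory only
    reviewer: str          # human who made the final call
    decision: str
    prev_hash: str         # hash of the previous entry (chain link)
    entry_hash: str = ""

    def compute_hash(self) -> str:
        """SHA-256 over a canonical JSON form of every field except entry_hash."""
        body = asdict(self)
        body.pop("entry_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, subject_id, signals, risk_score, reviewer, decision, now=None):
        """Append one decision. Refuses reviewer-less (autonomous) or unexplained entries."""
        if not reviewer:
            raise PermissionError("a human reviewer must sign every final decision")
        if decision not in ALLOWED_DECISIONS:
            raise ValueError(f"unknown decision {decision!r}")
        if not signals:
            raise ValueError("a risk score must be accompanied by its source signals")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        entry = AuditEntry(len(self.entries), stamp, subject_id, list(signals),
                           float(risk_score), reviewer, decision, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and chain link; return (ok, first bad seq or None)."""
        prev = GENESIS_HASH
        for entry in self.entries:
            if entry.prev_hash != prev or entry.entry_hash != entry.compute_hash():
                return False, entry.seq
            prev = entry.entry_hash
        return True, None

    def export_jsonl(self) -> str:
        """One JSON object per line, e.g. for a subject access request or an auditor."""
        return "\n".join(json.dumps(asdict(e), sort_keys=True) for e in self.entries)


def demo():
    """Constructed walk-through: two valid entries, then a tamper the chain detects."""
    t0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
    trail = AuditTrail()
    trail.record("cand-001", ["inconsistent employment dates"], 0.62, "j.doe", "escalate", t0)
    trail.record("cand-002", ["no adverse signals"], 0.05, "j.doe", "proceed", t0)
    before = trail.verify()
    trail.entries[0].risk_score = 0.10   # someone edits the stored score after the fact
    after = trail.verify()
    return before, after


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 0))
```

The chain only proves integrity of what was written; it does not stop an insider from appending a fabricated entry with a valid link. In practice the per-entry hash (or a periodic checkpoint of the latest hash) should be signed or shipped to write-once storage outside the application's own database, and the `reviewer` field should come from an authenticated identity rather than a free-text input.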

GDPR & CCPA Alignment

Beyond AI-specific regulation, WeCheck is designed to align with the two most significant data privacy frameworks globally:

GDPR (General Data Protection Regulation — EU):

  • WeCheck processes only publicly accessible data (OSINT); no personal data is collected covertly. Note that publicly available information about an identifiable person is still personal data under GDPR, so your organization as controller still needs a lawful basis (typically legitimate interests) and must inform the data subject. Public availability reduces, but does not remove, your obligations.
  • Scan results can be exported and deleted on request, supporting data subject rights
  • Data processing agreements are available for enterprise customers operating under GDPR

CCPA (California Consumer Privacy Act — US):

  • WeCheck's OSINT scope aligns with CCPA's treatment of publicly available information
  • Enterprise customers can request data handling documentation for CCPA compliance audits

Transparency Commitments

WeCheck's approach to AI governance is built on three core commitments:

  1. Explainability — Every risk flag in a WeCheck report includes the source signal and the behavioral pattern that triggered it. There are no black-box outputs.

  2. Human-in-the-Loop — WeCheck is explicitly designed as a decision-support tool, not a decision-making tool. The platform surfaces patterns; your professionals draw conclusions.

  3. Bias Auditing — WeCheck's models are regularly reviewed to ensure that risk flagging correlates with behavioral signals and verifiable actions — not demographic attributes, protected characteristics, or cultural background.
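A bias audit of the kind described in commitment 3 can be reproduced on the deployer side from exported report data, which is useful when a regulator or works council asks for evidence rather than a vendor statement. The following is an added example, not WeCheck's audit procedure, of a disparate-impact check over risk flags: the demographic attribute is held out purely to measure outcomes (it is never an input to scoring), the widely used four-fifths rule is applied (the lowest group's flag rate should be at least 80% of the highest), and any flag with no behavioral signal behind it is listed separately, since an unexplained flag is what a demographic proxy looks like in practice. The two datasets are constructed for the example; the 0.8 threshold is a convention, not an EU AI Act figure.

```python
"""Disparate-impact check over risk flags, grouped by a held-out demographic attribute.

Added illustration only; this is not WeCheck's audit procedure. The group
label is used solely to measure outcomes and is never an input to scoring.
Applies the four-fifths rule and also lists flags that no behavioral
signal explains. All records below are constructed for the example.
"""
from collections import defaultdict

FOUR_FIFTHS = 0.8   # conventional threshold, an assumption for this example

# Constructed records: (subject id, audit-only group label, behavioral signal count, flagged?)
SAMPLE_BALANCED = [
    ("s01", "A", 3, True), ("s02", "A", 2, True), ("s03", "A", 0, False),
    ("s04", "A", 0, False), ("s05", "A", 1, False),
    ("s06", "B", 4, True), ("s07", "B", 2, True), ("s08", "B", 0, False),
    ("s09", "B", 1, False), ("s10", "B", 0, False),
]
SAMPLE_SKEWED = [
    ("s01", "A", 3, True), ("s02", "A", 0, False), ("s03", "A", 0, False),
    ("s04", "A", 1, False), ("s05", "A", 0, False),
    ("s06", "B", 0, True), ("s07", "B", 2, True), ("s08", "B", 1, True),
    ("s09", "B", 0, True), ("s10", "B", 0, False),
]


def flag_rates(records):
    """Fraction of subjects flagged, per group."""
    flagged = defaultdict(int)
    total = defaultdict(int)
    for _sid, group, _signals, is_flagged in records:
        total[group] += 1
        flagged[group] += int(is_flagged)
    return {g: flagged[g] / total[g] for g in total}


def disparate_impact_ratio(rates):
    """Lowest group rate divided by highest; 1.0 means identical flag rates."""
    hi = max(rates.values())
    return min(rates.values()) / hi if hi else 1.0


def unexplained_flags(records):
    """Subjects flagged with zero behavioral signals: the flag has no stated cause."""
    return [sid for sid, _g, signals, is_flagged in records if is_flagged and signals == 0]


def audit(records, threshold=FOUR_FIFTHS):
    """Run both checks; the audit passes only if the ratio clears the
    threshold AND every flag is backed by at least one behavioral signal."""
    rates = flag_rates(records)
    ratio = disparate_impact_ratio(rates)
    unexplained = unexplained_flags(records)
    return {
        "rates": rates,
        "ratio": ratio,
        "unexplained": unexplained,
        "passes": ratio >= threshold and not unexplained,
    }


if __name__ == "__main__":
    for name, data in (("balanced", SAMPLE_BALANCED), ("skewed", SAMPLE_SKEWED)):
        print(name, audit(data))
```

With ten records per dataset the numbers are only illustrative; on real report exports, compute the ratio on samples large enough that a single flag does not swing it, and treat a failing ratio as a prompt for investigation rather than proof of discrimination, since legitimate behavioral signals can themselves be unevenly distributed.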


If your legal or compliance team needs documentation of WeCheck's regulatory alignment for vendor due diligence, contact your WeCheck account manager to request:

  • ISO 42001 certification status and scope
  • Data Processing Agreement (DPA) for GDPR compliance
  • Bias audit summary report
  • System transparency documentation for EU AI Act high-risk category requirements