Ensoul

EU AI Act Compliance

Last updated: April 2026

1. Overview

Ensoul is committed to compliance with the European Union Artificial Intelligence Act (Regulation (EU) 2024/1689), which establishes transparency obligations for providers and deployers of AI systems. This page documents how Ensoul meets the requirements of Article 50, which governs transparency for AI systems that generate synthetic content.

Article 50 transparency obligations become enforceable on August 2, 2026. Ensoul is proactively implementing these requirements ahead of the deadline.

This page is intended for Ensoul customers (deployers), regulators, and anyone seeking to understand how Ensoul handles AI-generated content transparency.

2. Risk Classification

Under the EU AI Act's four-tier risk framework, Ensoul is classified as a limited-risk AI system. This classification applies because Ensoul generates synthetic text content (persona responses) and operates systems that interact with natural persons.

Ensoul does not make decisions about individuals' access to employment, credit, education, or essential services (which would constitute high-risk use). Ensoul does not perform biometric categorization or emotion recognition. All personas generated by Ensoul are synthetic and do not represent real individuals.

Deployer Responsibility

If you use Ensoul personas in contexts that involve decisions affecting individuals (hiring, credit, healthcare triage), your specific deployment may be classified as high-risk at the deployer level. You are responsible for conducting your own risk assessment for your use case. See our Acceptable Use Policy for guidance on responsible deployment.

3. Article 50 Transparency Obligations

As a provider of an AI system generating synthetic text content, Ensoul's primary obligations fall under Article 50(1) and Article 50(2) of the EU AI Act.

3.1 AI Interaction Disclosure (Article 50(1))

Article 50(1) requires that natural persons are informed when they are interacting with an AI system. Ensoul addresses this through the following mechanisms, which are rolling out on the timeline in Section 8:

  • API responses carry metadata identifying the content as AI-generated
  • The X-AI-Generated HTTP header is returned by the persona inference pipeline, with coverage expanding to all API responses in Q2 2026
  • Response payloads carry a provenance object with generation metadata
  • Documentation and SDK guides instruct deployers on their disclosure obligations to end users

3.2 Machine-Readable Marking (Article 50(2))

Article 50(2) requires that outputs of AI systems generating synthetic content are marked in a machine-readable format and detectable as artificially generated. Ensoul addresses this through a multi-layer provenance system. The cryptographic audit trail (Layer 2) is live today; provenance metadata coverage and the public verification API (Layers 1 and 3) are rolling out per the timeline in Section 8:

Layer 1: Provenance Metadata

API responses carry structured provenance metadata identifying Ensoul as the generating system, the model used, and a timestamp, in both HTTP headers and the response body. Coverage is expanding to all endpoints in Q2 2026 (see Section 8).

HTTP/1.1 200 OK
X-AI-Generated: true
X-Generated-By: ensoul
X-Content-Provenance: ensoul/v1

{
  "response": "...",
  "provenance": {
    "ai_generated": true,
    "provider": "ensoul",
    "model": "claude-sonnet-4-6",
    "persona_id": "p_abc123",
    "timestamp": "2026-04-09T12:00:00Z",
    "audit_event_id": "evt_def456"
  }
}

Layer 2: Cryptographic Audit Trail

Every persona interaction is recorded in a Merkle tree-based audit trail. Communication events are hashed (SHA-256) and accumulated into binary Merkle trees. The root hash of each tree is committed and signed, creating a tamper-evident record of all generated content.

  • Each response is assigned an audit_event_id linked to a Merkle tree leaf
  • Merkle proofs can verify that a specific response was generated by Ensoul at a specific time
  • Tree roots are signed using ECDSA (secp256k1), providing non-repudiation
  • Tree roots will be published to the Ensoul transparency log (planned, Q2 2026)

Layer 3: Verification API (planned, Q2 2026)

Ensoul will provide a free verification endpoint that allows anyone to confirm whether a piece of content was generated by Ensoul, satisfying the Code of Practice requirement for providers to offer detection tools. The planned interface:

POST /v1/verify
{
  "audit_event_id": "evt_def456",
  "content_hash": "sha256:a1b2c3..."
}

Response:
{
  "verified": true,
  "generated_at": "2026-04-09T12:00:00Z",
  "merkle_proof": { ... },
  "commitment_signature": "..."
}

4. Guidance for Deployers

If you use Ensoul to generate content that is presented to end users, you have independent obligations under the EU AI Act. The specific obligations depend on your use case.

4.1 Deepfake Disclosure (Article 50(4))

If you use Ensoul personas in contexts where the generated content could be mistaken for human-authored content (chatbots, social media, customer service), you must disclose that the content is AI-generated. Recommended approaches:

  • Display a visible label (e.g., "AI-generated response") alongside persona content
  • Include disclosure in your terms of service and UI
  • Pass through Ensoul's provenance metadata to your end users where appropriate

4.2 Public Interest Text (Article 50(4))

If you use Ensoul to generate text that is published with the purpose of informing the public on matters of public interest (news, policy analysis, public health information), you must disclose that the text was AI-generated. This obligation does not apply if the content undergoes human editorial review and a natural or legal person holds editorial responsibility.

4.3 Creative and Fictional Works (Article 50(4) Exemption)

If Ensoul personas are used in evidently artistic, creative, satirical, fictional, or analogous works (games, interactive fiction, creative writing), the disclosure obligation is reduced. You must still acknowledge the use of AI-generated content, but the disclosure should not hamper the display or enjoyment of the work. A credits section or about page is sufficient.

4.4 Research and Internal Use

Research, development, and prototyping activities conducted before placing a product on the market are generally outside the scope of the EU AI Act (Recital 22). However, if you deploy Ensoul-generated content in published research, we recommend disclosing the use of synthetic personas in your methodology section.

5. Technical Architecture

Ensoul's transparency infrastructure is built on cryptographic primitives that go beyond the minimum requirements of Article 50. This architecture was designed for provenance and auditability from the ground up.

5.1 Merkle Tree Audit Trail

Every persona interaction generates a communication event that is hashed and inserted into a binary Merkle tree. Trees are committed when they reach capacity (1,024 leaves) or on demand. Each commitment includes the Merkle root, event count, and time range.

This design allows efficient verification of individual events without revealing the content of other events in the same tree. A Merkle proof for a single event is O(log n) in size, regardless of the total number of events.

5.2 Decentralized Identifiers (DIDs)

Each Ensoul persona is assigned a Decentralized Identifier (DID) following the W3C DID specification. DIDs provide a cryptographically verifiable identity for each persona, independent of any central authority. Verification methods support both Ed25519 and ECDSA key types.

5.3 Verifiable Credentials

Persona attributes, behavioral attestations, and trust scores are issued as Verifiable Credentials following the W3C specification. Each credential includes a cryptographic proof that can be independently verified. This creates a chain of accountability from persona creation through every interaction.

5.4 Content Hashing

Response content is hashed (SHA-256) at the point of generation. The content hash is stored in the audit trail, but the content itself is not. This provides tamper-evidence (you can verify a response has not been altered) while preserving the privacy of communication content.

6. Scope and Limitations

For clarity, the following describes what Ensoul's transparency measures do and do not cover:

Covered

  • + AI-generated text identification
  • + Machine-readable provenance metadata
  • + Cryptographic audit trail for all interactions
  • + Verification API for content authenticity
  • + Persona identity via DIDs
  • + Deployer guidance and documentation

Not Covered

  • Text watermarking (not technically feasible for short-form persona responses without degrading quality)
  • C2PA manifests for text (C2PA is designed for media files; Ensoul uses provenance certificates instead)
  • Deployer-side disclosure enforcement (deployers are responsible for their own labeling obligations)

7. Relationship to Data Protection

Ensoul's transparency obligations under the EU AI Act are complementary to, and do not replace, obligations under the General Data Protection Regulation (GDPR). For details on how Ensoul processes personal data, see our Privacy Policy and Data Processing Agreement.

Ensoul generates synthetic persona data that does not relate to identified or identifiable natural persons. Synthetic persona data is not personal data under GDPR. However, if a deployer inputs real personal data into persona definitions, that data is subject to applicable data protection law.

8. Compliance Timeline

Ensoul is implementing Article 50 requirements on the following timeline:

DateMilestoneStatus
Q1 2026Merkle tree audit trail for all persona interactionsComplete
Q1 2026DID-based persona identity and verifiable credentialsComplete
Q2 2026Provenance metadata on all API responsesIn Progress
Q2 2026ECDSA signing of Merkle tree commitmentsIn Progress
Q2 2026Public verification API endpointPlanned
Q2 2026Transparency log for signed commitmentsPlanned
Q3 2026SDK integration guides for deployer disclosurePlanned

9. EU Code of Practice

The European Commission is developing a Code of Practice on marking and labeling AI-generated content, with the final version expected in mid-2026. Companies that sign and implement the Code receive a presumption of compliance with Article 50.

Ensoul is monitoring the Code of Practice development process and aligning our technical implementation with its draft requirements. This page will be updated as the final Code is published.

10. Contact

For questions about Ensoul's EU AI Act compliance, contact us at compliance@ensoul-ai.com.

For regulatory inquiries from EU authorities, please use the same address. We commit to responding within 10 business days.

11. Legal References