EU AI Act – Overview & Roles
Purpose and scope
This page describes how Clerk.io's AI-powered features (Search, Recommendations, Email, Audience, and optional Chat/LLM-assisted features) are positioned under the EU AI Act, what we as the provider commit to, and what our customers (deployers) should do when implementing our services on their sites.
Clerk.io provides AI systems for retail e‑commerce personalization. These are generally considered limited-risk systems. Some optional features use a foundation model provided by a sub-processor (OpenAI) for chat assistance or email draft generation; these are strictly optional and can be disabled at any time.
For personal data and GDPR obligations, please refer to:
Intended purpose and out-of-scope uses
Clerk.io systems are intended to rank, retrieve and personalize product content and communications to improve relevance for shoppers in online retail.
Out-of-scope uses include any Annex III high-risk scenarios (for example, creditworthiness or employment decisions, access to education, or eligibility for essential public services). Customers must not use Clerk.io systems for such purposes. Where uncertainty exists, contact us for guidance.
Roles and responsibilities
Clerk.io (provider)
We design, develop, operate and support the AI systems that power search, recommendations, and related features. We commit to:
- Provide accurate product documentation and integration guidance; see Products
- Maintain security, logging and incident response processes; see ISO 27001 and SOC 2
- Disclose and manage sub‑processors with prior notice; see Sub-processors
- Offer configuration, oversight and kill-switch controls to customers; see Products
- Monitor performance and address material issues; see Ops & Monitoring
Customer (deployer)
You integrate, configure and operate Clerk.io’s features on your site and remain responsible for:
- Lawful basis, transparency and user choices in your context; see your own privacy notices and our Privacy Policy
- Ensuring your use fits the intended purpose and does not fall into prohibited high‑risk uses
- Setting up human oversight and approval flows (e.g., for marketing emails); see Products
- Enabling logging/exports needed for your compliance; see Ops & Monitoring
Foundation model usage (optional features)
Certain optional features may use a foundation model provided by OpenAI (as a sub‑processor) for tasks like AI chat assistance or email draft generation. The data categories and controls for these features are described in:
If you do not enable these features, no data is shared with OpenAI.
High-level controls and safeguards
- Security and governance: see ISO 27001
- Controls and monitoring: see SOC 2
- Data processing roles, transfers (including SCCs): see DPA
For operational expectations and evaluation practices, continue to Ops & Monitoring.