EU AI Act
This page outlines the compliance framework of the IONOS AI Model Hub in relation to the European Union's AI Act. It details our responsibilities as a service operator, the different roles we hold under the Act, and the technical foundation our platform provides for you to meet your own regulatory obligations.
Service Infrastructure and Data Protection
A core component of AI Act compliance is data governance and security. Our platform is built on the following principles:
EU Data Residency and Sovereignty: All AI Model Hub services, including model inference endpoints and managed vector databases, are hosted in IONOS Cloud's ISO 27001-certified data centers in Germany.
GDPR Compliance: All data processing is fully compliant with the EU's General Data Protection Regulation (GDPR / DSGVO).
Data Processing: Customer data, including API-sent prompts, inputs, and any documents uploaded for Retrieval-Augmented Generation (RAG), is processed exclusively for the provision of the service. In line with our Data Processing Agreement (DPA), this data is not used for training, fine-tuning, or otherwise improving any AI models. For a detailed breakdown of our data handling policies, please see our Data Handling documentation.
Our roles and responsibilities under the EU AI Act
Under the AI Act, an entity's obligations depend on its role in the value chain. IONOS Cloud operates in two distinct roles depending on the specific model being used.
Role 1: Transparent Distributor (Unmodified Models)
For the majority of open-source models available on the hub, IONOS Cloud acts as a "distributor" or intermediary.
In this role, our primary obligation is to ensure transparency in the supply chain. We fulfil this by:
Providing Model Documentation: Each model has a dedicated documentation page that provides a summary and specifications.
Linking to Authoritative Sources: These pages include direct links to the original developer's official website, model card, and license. This allows you to access the authoritative technical information — including details on training data, capabilities, and limitations — as published by the original developer. You should use this original documentation to inform your own compliance assessment.
Role 2: AI "Provider" (IONOS Cloud-Modified Models)
For certain models, IONOS Cloud performs modifications, such as FP8 quantization, and makes these models available under the IONOS Cloud brand.
This action classifies IONOS Cloud as an AI "Provider" for that specific model under the Act's definitions. As a Provider, we assume additional transparency obligations for our modification:
Traceability: Our documentation clearly identifies the original base model and the nature of the modification we performed.
Technical Documentation: We publish our own technical documentation for the modified model. This includes the results of our internal performance and quality benchmarks, which serve to verify that our quantization process delivers performance efficiencies while maintaining the model's accuracy and robustness relative to the original.
Enabling your compliance as a Developer and Deployer
As a user of the AI Model Hub, you will be a "deployer" or may become a "provider" of your own AI system. You are responsible for conducting your own risk assessment to determine if your specific application qualifies as Limited-Risk or High-Risk under the Act's criteria.
Our platform provides the necessary technical infrastructure to help you implement the controls required for your specific classification.
If your system (e.g., a general-purpose chatbot) is deemed limited-risk, your main obligation is transparency. Our standard REST APIs are designed to integrate into your application, allowing you to build the required user notifications (e.g., "You are interacting with an AI").
If your application's use case falls into a high-risk category (e.g., in employment, credit, or education), you have significant obligations. The AI Model Hub provides the flexible infrastructure to help you meet them:
Data Governance: Our managed vector database services give you full control over the data you use for RAG. You remain responsible for the quality, relevance, and bias-checking of your data; our platform ensures it is stored and processed securely within our German data centers.
Logging and Traceability: The AI Act requires that high-risk systems maintain event logs. While IONOS Cloud does not provide a pre-configured AI Act logging template, our API-first platform allows you to log all API requests and responses using your own logging solutions to build a compliant audit trail.
Human Oversight: High-risk systems must be designed for effective human oversight. Our APIs serve as flexible building blocks, allowing you to design and implement your own "human-in-the-loop" workflows, such as routing an AI-generated output for human approval within your application logic.
Summary of our Compliance Framework
The IONOS AI Model Hub provides a secure, EU-based foundation for AI development that is compliant with the GDPR. We operate with transparency by clearly defining our role under the EU AI Act for each model, either as a distributor providing access to the original developer's documentation or as a provider documenting our own modifications. This clear distinction, combined with our platform's technical capabilities, is designed to support customers in meeting their own downstream compliance obligations as deployers or providers of AI systems.