Frequently Asked Questions

AICVS scans source code for EU AI Act compliance signals — observable markers that indicate whether your code meets EU Regulation 2024/1689 requirements. It uses a 5-layer analysis engine (Regex, AST, Statistical Stylometry, Structural, and Explainability) to surface those signals, map them to specific regulatory articles, and generate a cryptographic compliance certificate you can hand to an auditor.

Every scan produces: a score (0–100), a status (PASS / CONDITIONAL / FAIL), a findings list with EU article mappings, a plain-English narrative for non-technical reviewers, and a 6-step SHA-256 Merkle evidence chain sealed with a tamper-evident cert hash.

• 75–100 → PASS (green): Few or no compliance signals. Suitable for regulated environments without immediate remediation.
• 50–74 → CONDITIONAL (amber): Some signals detected. Human review required. Address findings before regulatory submission.
• 0–49 → FAIL (red): Multiple or critical signals. Must be remediated before use in any regulated AI system.

Each finding has a severity (CRITICAL, HIGH, MEDIUM, LOW) and a score impact. CRITICAL findings (e.g. exec() calls, AI authorship comments) subtract the most points. Scores are deterministic — the same file always produces the same result.

• Layer 1 — Regex (50+ rules): Pattern matching across all 15 languages. Catches AI API calls, LLM attribution comments, ML imports, auto-generated docstrings, TODO/FIXME placeholders.
• Layer 2 — Python AST: Structural analysis for Python. Detects exec()/eval(), monolithic classes (>10 methods), dead imports, low cyclomatic complexity.
• Layer 3 — Statistical Stylometry: Based on arXiv research (2411.04299, 2509.18880). Measures Shannon entropy of line lengths, identifier naming variance, blank-line burstiness, function length uniformity. AI-generated code produces statistically uniform patterns humans don’t.
• Layer 4 — Structural: Cross-file patterns, evidence chain integrity, documentation coverage.
• Layer 5 — Explainability: Every finding gets a plain-English explanation and reviewer note for non-technical auditors.

Optional Layer 6: STAT-008 AI-enhanced perplexity scoring (Pro+ opt-in). Sends code to Anthropic API for semantic analysis. A privacy banner warns you before enabling. Off by default.

15 languages: Python, JavaScript, TypeScript, JSX, TSX, Go, Java, Rust, C#, Ruby, PHP, Swift, Kotlin, C, and C++.

• Free plan: Python, JavaScript, TypeScript only.
• Pro and above: All 15 languages.

Python has the deepest analysis (AST + regex + statistical). All others use regex + statistical. Full AST for Go, Java, and TypeScript is on the roadmap for Q3 2026.

The Merkle chain creates a tamper-evident audit record. If anything changes — filename, score, timestamp, org ID — the cert hash changes. An auditor can verify any certificate independently at aicvs.io/verify/{scan_id}.

• Step 1: SHA-256 hash of the file content
• Step 2: Identity hash (filename + scan_id + timestamp + version)
• Step 3: Provenance hash (step 1 + step 2 + score + classification)
• Step 4: EU mapping hash (step 3 + articles triggered)
• Step 5: Merkle root (steps 1–4 combined)
• Step 6: Certificate seal (merkle root + scan_id + version)

This meets Art.12 record-keeping requirements — it proves a scan happened, when it happened, and what was found, with cryptographic proof of non-alteration.

Those tools find security vulnerabilities. AICVS answers a different question: does this code meet EU AI Act compliance requirements, and can I prove it to a regulator?

Run AICVS alongside Snyk. They protect your code from bugs. AICVS protects your organisation from regulatory risk.

AI writing detectors analyse prose — sentence structure, vocabulary, tone. They cannot analyse source code imports, AST structure, or map findings to regulatory articles.

AICVS is built specifically for source code and is the only tool that:

• Runs deterministic, reproducible scans (same file = same result, always)
• Maps code signals directly to EU AI Act articles
• Generates a cryptographic evidence chain (not a probability estimate)
• Produces a verifiable, tamper-evident certificate accepted in audit processes

Building your own means: writing and maintaining 50+ regex rules across 15 languages, implementing AST analysis per language, keeping pace with EU AI Act enforcement guidance, building a cryptographic certificate chain, and designing audit-ready PDF outputs. AICVS is maintained full-time and updates as new AI tools emerge.

More importantly: your internal tool won’t have independent cert verification. AICVS certificates are verifiable at aicvs.io/verify/{scan_id} — third-party proof an auditor can check without trusting your infrastructure.

AICVS cannot detect clean AI-generated code with no observable markers. This is the state of the art across all tools — even the best academic detectors achieve ~82% F1 score (arXiv 2411.04299). If all markers are removed (comments stripped, variables renamed), AICVS will score it high — as will every other tool.

This is why we say “compliance signals”, not “AI detection”. A PASS result means no detectable signals were found — it’s evidence of a clean scan, not proof of human authorship.

• Organisation name, user name, scan timestamp (UTC)
• File analysed (name + SHA-256 hash — never the actual content)
• Compliance score and status
• Full findings table with severity, rule ID, line number, EU article, and remediation step
• EU AI Act article mapping summary
• Plain-English reviewer narrative
• The full 6-step evidence chain (each step’s hash)
• Verification URL for independent confirmation
• Version string and AICVS disclaimer

The PDF is suitable for Art.11 technical documentation packages, enterprise procurement due diligence, regulatory investigations, and academic misconduct proceedings.

It applies to you if:

• You place AI systems on the EU market — including digital services used by EU citizens, regardless of your incorporation country.
• You deploy AI in Annex III categories: credit scoring, HR screening, fraud detection, medical device software, critical infrastructure, public services.
• You use AI-generated code or ML models that make decisions affecting EU employees or customers.

For high-risk AI systems, providers must compile an Annex IV technical documentation package before market placement. It must include:

• General description of the AI system and intended purpose
• Description of the development process and elements
• Information on training, validation, and testing data (Art.10)
• Risk management documentation (Art.9)
• System version history and change log
• Art.14 human oversight measures assessment
• Art.15 robustness, accuracy, and cybersecurity measures

AICVS PDF certificates are designed to be slotted directly into Annex IV packages as the automated technical review evidence layer. They do not replace the full Annex IV package, but automate the most time-consuming part — per-file scanning evidence.

No. AICVS certificates are automated technical review evidence — supporting documentation, not a formal conformity assessment. Think of them like an automated penetration test report: it supports your security claim but doesn’t replace a manual pentest.

They are suitable for: Art.11 technical documentation packages, enterprise procurement due diligence, regulatory investigation responses, academic misconduct proceedings. They are not a substitute for a notified body assessment under Art.43 for Annex III high-risk AI systems.

Never. Your code is read into memory, analysed, and immediately discarded. We store only the scan result: score, findings, and SHA-256 hash. We cannot reconstruct your code from our records — this is an architectural decision, not just a policy.

Yes. We are incorporated in Ireland and process all data within the EU (Frankfurt). We have DPAs with all sub-processors. GDPR rights exercisable via Settings or privacy@aicvs.io.

• Data residency: Frankfurt, EU only
• Code never stored: Only hashes and results retained
• No advertising: Data never shared with advertisers
• Deletion: Full deletion via Settings → Danger Zone

• Passwords: PBKDF2-SHA256, 260,000 iterations, unique random salt per user. Exceeds NIST SP 800-63b. Never stored in plain text.
• API keys: SHA-256 hashed. Raw key shown only once at creation.
• JWT tokens: Expire after 8 hours. Refresh tokens rotate on every use. Revoked on logout.
• 2FA: RFC 6238 TOTP (authenticator app only — no SMS, immune to SIM-swapping).

• Rate limiting: 6 independent buckets — max 10 login attempts/min per IP
• Account lockout: 5 consecutive failures → 15-minute lockout
• ZIP bomb protection: malicious archives rejected at upload
• MIME magic-byte validation: files checked against actual content, not extension
• Path traversal sanitisation: filenames cleaned before processing
• ReDoS timeout: regex rules run with timeout to prevent denial-of-service
• Security headers: HSTS (prod), X-Frame-Options: DENY, CSP, X-Content-Type-Options

Turnitin detects plagiarism in written prose. It cannot analyse source code imports, AST structure, or generate cryptographic evidence for disciplinary proceedings.

AICVS is purpose-built for source code submissions: detects AI API attribution comments, structural patterns characteristic of AI-generated code, dead imports, complexity uniformity, and generates tamper-evident evidence for proceedings.

Universities use both side-by-side: Turnitin for essays, AICVS for code. Neither should be the sole basis for misconduct decisions.

Yes. The cryptographic evidence chain is suitable as supporting technical evidence in disciplinary proceedings — in the same way Turnitin similarity reports are used.

It proves: which exact file was scanned, when (UTC timestamp), what findings were detected, and that the record has not been altered since the scan.

• 500 scans/month — enough for entire module cohorts
• Bulk ZIP upload: Drop an entire submission folder as one ZIP, get per-file results
• PDF export for every scan — print-ready evidence for disciplinary records
• Team features: Multiple lecturers with role-based access
• All 15 languages — covers any language taught in your department

For institution-wide use, contact academic@aicvs.io for Enterprise pricing with LMS integration (on roadmap for Canvas, Moodle, Blackboard).

All plans include: EU AI Act findings, SHA-256 evidence chain, GitHub badge, scan history, public verification URL, and REST API access.

Yes. Cancel anytime from Settings → Billing. Cancellation takes effect at the end of your current billing period. No cancellation fees, ever. Upgrading takes effect immediately with prorated billing.

Yes. Email hello@aicvs.io. We offer 50% discounts for: early-stage startups (pre-seed/seed), registered non-profits, EU-funded research projects (Horizon, ERC), Enterprise Ireland portfolio companies, and open-source projects with public repositories.

The aicvs/scan-action@v1 GitHub Action is available now. Add it to any workflow:

- uses: aicvs/scan-action@v1
  with:
    api-key: ${{ secrets.AICVS_API_KEY }}
    min-score: 50          # fail if any file scores below this
    fail-on-critical: true # fail immediately on CRITICAL finding
    post-comment: true     # post results as PR review comment
    paths: './src'         # glob to scan (default: changed files)

Get your API key from Settings → API Keys. Set it as a GitHub secret named AICVS_API_KEY.

Use the CI/CD Wizard in the app (sidebar → CI/CD) for a visual YAML generator.

No. AICVS never requires repository access. You push files to the API — it never pulls from your repo. The GitHub Action only accesses files you specify in paths (default: changed files in the current PR). Your full codebase is never transmitted.

Yes. Full API documentation at https://api.aicvs.io/docs. Key endpoints:

• POST /api/v1/scans — single file scan
• POST /api/v1/scans/bulk — ZIP upload (Pro+)
• GET /api/v1/scans/{id}/certificate.pdf — PDF download (Pro+)
• GET /api/v1/badge/{scan_id}.svg — SVG badge (public)
• GET /api/v1/scans/{id}/verify — public verification (no auth)

Authenticate with Authorization: Bearer <jwt> or X-Api-Key: <api-key>.

Email hello@aicvs.io. For security vulnerabilities, email security@aicvs.io — we follow coordinated disclosure and respond within 48 hours. Security policy: /.well-known/security.txt.