AI Transparency
Transparency statement on the AI models, data, human oversight and territorial policies of NAiOS. AIMLAPI Estonia as default provider; external only on request. Meets Art. 50 of Regulation (EU) 2024/1689.
AI models routed by NAiOS Ai CORE Engine
AIMLAPI (Estonia, EU)
Single provider activated out of the box in every NAiOS account. Hosted in Estonia, within the EU. Broad coverage (text, embeddings, vision, voice). According to AIMLAPI's public policy, API data is not used to train models.
Requisitos: No data transfer outside the EEA
OpenRouter, Fal.ai, Microsoft, OpenAI...
The client may replace the upstream platform with their preferred one — OpenRouter (multi-provider aggregator), Fal.ai (generative models), Microsoft Azure OpenAI (with configurable EU regions), direct OpenAI, or others. This means relevant data is governed by the chosen provider's terms.
Requisitos: Signed activation · per-model traceability
Bring Your Own Key
The client provides their own API key for the provider of their choice. NAiOS uses it as a gateway and applies orchestration. Compliance with the external provider is assumed directly by the client under their own contract.
Requisitos: Client as contractual party of the provider
NAiOS Ai CORE Engine is the orchestration layer that picks and routes the right model for each task. By design, it prioritises models hosted within the European Union.
Data: what we process and how
What we do
We process only the data your company sends us through NAiOS — prompts, documents integrated from your ERP/CRM/BI, agent conversations.
- Encryption in transit (TLS 1.2+) and at rest on European infrastructure
- Tenant isolation — one client's data is not mixed with another's
- Traceability: every call is logged with timestamp, model used and outcome
- Retention configurable by the client (30/90/365 days)
What we DO NOT do
We do not use client data to train models. According to AIMLAPI's public policy, the upstream provider does not train on API data either.
- We do not retrain our own models with client prompts or responses
- We do not sell or share data with third parties for commercial purposes
- We do not route to external providers without your explicit authorisation
- We do not retain data beyond the configured window, except where legally required
How we inform your users they are talking to an AI
NAiOS agents — web chatbots, agents via WhatsApp, Telegram, email or phone — clearly and intelligibly inform the end user that they are interacting with an AI system, unless this is obvious from context.
Initial message in conversational agents
The agent's first turn identifies that it is an AI and, where applicable, which company it acts on behalf of.
Marking of generated content
Generated images, audio or video can be tagged with metadata to distinguish them from human content.
Human handoff
At any moment the user can ask to talk to a person — flows allow automatic hand-off configurable by rules.
Editable by the client
The exact disclosure text is editable from the client panel to match brand and tone.
Orchestration per territorial policies
NAiOS Ai CORE Engine lets you define geographic orchestration policies: which data types can be routed to which provider, which regions are acceptable for which use cases, which tasks always stay on EU infrastructure. The orchestration layer is coherent with these rules — not only at activation time but on every runtime call.
- Rules by data type (personal, sensitive, technical, anonymised)
- Rules by use case (HR, healthcare, finance, marketing, technical)
- Whitelist of acceptable regions per workload
- Audit: every routing decision is logged with the policy applied
- Configurable fallback when a policy does not allow routing to any available provider
Human control behind the AI
- The App Builder lets you define human review points in any agentic flow
- Critical operations (financial, legal, healthcare) can require human approval before execution
- Phone and messaging agents have configurable rules for escalating to a human operator
- Any response or action can be reviewed after the fact from the logs
- The client decides which decisions are fully automated and which stay under review
Traceability and retention
- Every interaction logs: timestamp, upstream model used, prompt, response and metadata
- Logs are accessible from the client panel
- Configurable retention: 30, 90 or 365 days (or custom)
- Personal data is anonymised or purged according to the client's GDPR policy
- Log export available for audit or Art. 12 (event logging) compliance
Limitations we acknowledge openly
No AI system is infallible. NAiOS inherits the limitations of the underlying GPAI models:
- Hallucinations: models can generate plausible but false statements. NAiOS mitigates with grounding on your corporate information, but does not eliminate them entirely.
- Training biases: models reflect biases present in their training data. We recommend human validation in decisions affecting people.
- Languages and domains: performance varies by language and specialty. We always test the use case before production.
- Upstream availability: we depend on the model provider's availability. We have graceful degradation policies for incidents.
For sensitive use cases (healthcare, finance, HR) we recommend on-premise or dedicated on-site mode with reinforced human oversight.
Incident and feedback channel
If you detect incorrect behaviour, a harmful response, a transparency failure or any incident, we want to know.
- Direct email: info@naios.net (subject: AI Transparency)
- Contact form: tick the "AI incident" option
- For serious incidents (Art. 73 of the Regulation) we have a dedicated procedure for notification to the AI Office
- Initial response time: 48 business hours
Living document — last revision: May 2026. NAiOS is a platform developed by NETRETINA AI S.L. (CIF B21924543).