Articles 50 and 52 of the EU AI Act establish two overlapping but distinct transparency regimes:
DEFONEOS is a sovereign AI substrate that includes GPAI capabilities (the MEOK brain, the SOV3 BFT council, the SIGIL chain, and various MCPs that wrap open-source general-purpose LLMs). The substrate therefore has both kinds of obligations: as a deployer of AI systems that interact with persons, and as a provider of a GPAI model/scaffold to downstream providers.
This page documents the 8 transparency pillars, 10 disclosure categories, 7 content-marking modes, and the EU database registration process that DEFONEOS implements to comply with both articles.
Every interaction with a DEFONEOS-operated AI begins with a clear AI-identity disclosure: the user knows they are talking to a sovereign AI substrate. The disclosure is visible at the start of every session, persistent throughout, and surfaced at the start of every distinct task. The disclosure is in plain language ("You are now working with DEFONEOS, a sovereign AI system operated under CSOAI LTD UK 16939677") and includes the deployment-level identity, contact for redress, and link to the System Card.
DEFONEOS publishes a public summary of training data per the EU AI Act Article 53(1)(b) template: "the main groups of data elements, types of data, sources, and modalities the model was trained on." The current published summary covers ~190 GB of training corpus across 16+ datasets, organised by data group (government open-data, scientific literature, synthetic telemetry, federated industry data, partner-provided datasets), type (numeric, text, image, signal, geospatial, biometric), source (national open-data portals, OGL-UK-3.0 releases, partner signed agreements, federated ingest), and modality. The summary is reviewed annually and updated when training corpus changes materially.
DEFONEOS publishes a copyright-compliance policy per Article 53(1)(c). The policy states the opt-out mechanism (robots.txt + ai.txt standard), the data-licensing policy (OGL-UK-3.0 / CC-BY only by default, signed-partner-only for proprietary corpora), the rights-respecting pipeline (rights-of-first-publication respected; pre-2029 publicly-cited source sets preferred), the credits-attribution standard, and the takedown procedure. The policy is reviewed quarterly by an external copyright counsel.
Every piece of text, image, audio, video, or structured output produced by a DEFONEOS substrate AI carries a machine-readable mark — a C2PA-style provenance manifest + a Watermark-Resistant Sign (per C2PA 2.0 spec) + the SIGIL chain hash. The mark is tamper-evident: any attempt to strip it breaks verification. The mark does not replace human-readable disclosure; it complements it.
Any synthetic likeness (face, voice, gait, biometric signal) used in DEFONEOS-produced content triggers a deepfake disclosure per Article 50(4). The disclosure appears as both a label in the metadata and a human-readable annotation visible at the point of consumption: "This content includes synthetic likeness of [person]; generated by DEFONEOS substrate." The disclosure is required even when the content is later transformed by human editing or downstream processing.
Where emotion-recognition or biometric-categorisation is used (subject monitoring, fatigue detection, stress indicator recognition), the affected persons are informed in plain language at the point of data capture. The disclosure includes: what is being measured, what categories are recognised, how the data is used, where it is stored, who has access, and how long it is retained. Sensitive contexts (workplaces, schools, healthcare) require affirmative consent.
Every DEFONEOS output includes a "Made by" / "Generated by" line that identifies the provider (CSOAI LTD, UK Companies House registration 16939677), the deployment (e.g., "DEFONEOS BFT Council v2.4"), the version (e.g., "v4.7.2 substrate"), and the date. The identification is verifiable: it carries a SIGIL hash that anyone can validate against the public SIGIL registry at sigil.csoai.org.
DEFONEOS substrate outputs are designed to be machine-detectable as AI-produced: the watermarking is robust to common transformations (crop, resize, compression, OCR), the metadata manifest is embedded redundantly (in-band + side-band + SIGIL hash), and the system supports external detector API access. This is the "design for detectability" requirement per Article 50(2).
| # | Disclosure Category | Audience | Channel | Frequency |
|---|---|---|---|---|
| 1 | AI identity at point of interaction | User | Banner + footer + manifest | Per session |
| 2 | System Card / model description | Public | Hosted page + manifest | Per version release |
| 3 | Training data summary | Regulators + public | EU DB + hosted page | Annually + on material change |
| 4 | Copyright compliance policy | Regulators + content owners | EU DB + hosted page | Quarterly review |
| 5 | Energy / environmental footprint | Public | Hosted page + CRDS report | Per training run + monthly aggregate |
| 6 | Capability & limitations public summary | Public | System Card + manifest | Per version release |
| 7 | Red-team / adversarial testing report (GPAI w/ systemic risk) | Regulators + AI Office | Confidential submission + summary | Per major release + on serious incident |
| 8 | Serious-incident notifications | AI Office + national authority | Form per Implementing Regulation | Within 15 days (or sooner for critical) |
| 9 | Cybersecurity protection summary | Regulators + partners | Confidential submission + summary | Quarterly + on material change |
| 10 | Downstream integration documentation | Downstream providers | API + docs site + signed SDK release notes | Per release |
DEFONEOS text outputs carry a two-layer watermark: a statistical-model watermark (token distribution signature trained with low false-positive rate) and a structural fingerprint (sentence-turn-taking patterns + paragraph cadence that is detectable). Watermark is robust to paraphrase and translation.
Image outputs include a C2PA cryptographic manifest embedded in the file metadata + a pixel-level watermark in the visual band (resilient to compression, crop, and re-encoding). The manifest references the producer (CSOAI LTD), the substrate version, the SIGIL hash, and the policy URL.
Audio outputs include a C2PA manifest + an inaudible acoustic watermark in the 17-19 kHz band (detectable by automated systems, inaudible to humans). The watermark survives MP3 compression, sample-rate downsampling, and ambient recording.
Video outputs include a C2PA manifest + a per-frame hash signature + an embedded visible label ("AI-generated" overlay) per Article 50(4) for synthetic-likeness content. The per-frame hash chain is verifiable against the SIGIL chain.
Generated code includes a header comment block with the producer, version, SIGIL hash, and a per-line structural fingerprint. This allows detected downstream usage to be auditable.
Structured outputs (JSON, CSV, databases) include a SIGIL manifest in a defined schema field + a hash-of-the-data field. The manifest references the producer, version, timestamp, and downstream license terms.
Decisions and actions (target nomination, policy change, BFT vote, kill-switch) include the entire SIGIL chain entry. Downstream audit can verify the decision was sovereign-actuated, who approved it, and what the red-line check produced.
| Audience | What they need | Disclosure Tier | DEFONEOS Channel |
|---|---|---|---|
| Affected persons | Identity, recourse, explanation | Tier 1 (plain-language, immediate) | Banner, footer, decision receipts |
| General public | AI vs human, content origin | Tier 2 (labelled, persistent) | C2PA manifests, watermarks |
| Regulators (AI Office, NCSC, ICO, NCAS) | Compliance evidence, audits | Tier 3 (technical, registry-grade) | EU database, regular reports, audit hook |
| Downstream providers / integrators | Integration documentation, capabilities | Tier 4 (technical, complete) | API docs, SDK release notes, integration pack |
| Researchers / civil society | System Card, evaluation reports | Tier 5 (public, deep) | System Card page, transparency hub, arXiv-equivalent pubs |
Per Article 71 of the EU AI Act, all GPAI providers must register in the EU database before placing the model on the market. DEFONEOS registers:
The registration is submitted within 14 days of placing the model on the market (the formal SLA from EU Implementing Regulation 2024/...). Subsequent updates (material change in training data, capabilities, or version) trigger update submissions. Each submission is SIGIL-signed and the registration record carries the SIGIL hash for tamper-evidence.
Downstream providers integrating DEFONEOS capabilities receive:
| Framework | Article / Clause | DEFONEOS Mapping |
|---|---|---|
| EU AI Act | Article 50 | Pillars 1, 4, 5, 6, 8 (transparency, content marking, deepfake, emotion recognition) |
| EU AI Act | Article 52 (GPAI) | Pillars 2, 3 + provider identification + downstream integration |
| EU AI Act | Article 53 (GPAI provider) | Technical docs, public summary, copyright policy |
| EU AI Act | Article 71 (EU database) | Registration process + SLA |
| C2PA 2.0 spec | Manifest + assertions | Pillars 4-8 (content marking modes) |
| GDPR | Article 13 (information to be provided) | Pillar 1 + Pillar 7 (identity disclosure) |
| GDPR | Article 14 (third-party data) | Training data summary (Pillar 2) |
| GDPR | Article 22 (automated decisions) | Pillar 1 + HitL documentation |
| UK GDPR + DPA 2018 | Same as GDPR | Same as EU |
| US Executive Order 14110 | Section 4 (transparency) | Pillars 2-5 + provider identification |
| China Generative AI Measures | Article 7 + 11 | Pillars 1, 4, 7 (identity + marking + identification) |
| NIST AI RMF | GOVERN 6 (transparency) | All 8 pillars + System Card page |
7 personas · 5 tiers · 30-second signup · free 30-day sandbox for regulators and end-users.
Sign up · Ed25519-signed receipt → For Defence Primes For Regulators (Free) Series A — £45-90M Round