The five-day audit: how the practice's team moves from intake to handover

Every Disclos audit follows the same five-day pipeline. The lead reviewer owns it end-to-end; the practice's technical reviewers and native-language reviewers carry specific stages. This piece walks the engagement day by day so a founder knows exactly what the practice is doing on each of the five business days between intake and handover.

Day 0 — Intake

The customer pays €997 to Stripe. The intake form opens the moment payment clears.

Ten questions, no call. Product URL, AI feature list, deployment regions, current compliance posture, counsel contact, and the standard GDPR/audit consent block. Five minutes for the customer to complete. The form lands in two places: an internal notification to the lead reviewer, and a backup record in the practice's IntakeBrief entity for the audit trail.

The lead reviewer reads the brief within the same business day and either accepts the engagement or returns with a one-paragraph scope clarification. If accepted, the customer receives an automated confirmation, the practice's calendar reflects the five-day slot, and Day 1 begins the next business morning.

Days 1–3 — Audit and write

The lead reviewer walks the customer's product as a European end-user. Sign-up flow first. Then every feature surface listed in the intake. Then every surface NOT listed in the intake, in case the customer's feature inventory missed something. Screenshots captured at every AI touchpoint.

In parallel, the practice's technical reviewers begin two work streams. Stream one: classify every captured surface against Annex I, Annex III, Article 5, Article 6, and Article 50. Stream two: stage the disclosure code snippets (React + HTML + Vue 3) that will close each gap.

The native-language reviewers begin the third stream: confirm the wording for every disclosure that will ship in the customer's deployment regions. If the customer ships in France, Germany, Spain, Italy, and the Nordics, that is six reviewers working in parallel.

By the end of Day 3, the lead reviewer has the complete article-by-article gap matrix, the technical reviewers have the snippet pack staged, and the native-language reviewers have signed off on the language strings.

Day 4 — Compliance documents

The compliance document pack is filled and rendered on Day 4. Five documents, each branded to the customer.

Model card per AI feature in scope. Per-feature: purpose, model provider, accuracy metrics, human oversight description, risk measures.

Transparency notice to publish at the customer's domain. Article 50 disclosure surface inventory in customer-facing language.

DPA AI addendum to attach to enterprise contracts. Drafted by our lead reviewer for the customer's counsel to review and sign.

Public AI use policy for the customer's trust page.

Internal AI register for the customer's compliance owner.

Each document ships as both an editable .docx (so the customer's counsel can adjust) and a locked .pdf (so the customer can attach the signed version to procurement responses).

Day 5 — Handover

The deliverable bundle is assembled and shared. A single link.

Disclos-Audit-Report.pdf — the master report. Cover page with audit reference and delivery date. Executive summary on page one. Article-by-article gap matrix. Findings register ranked by severity. Remediation plan mapping every finding to the snippet or document that closes it. Prohibited-practice negative confirmation. Implementation timeline. Sign-off block.

Disclos-Audit-Report.docx — the editable copy.

01-Inventory/ — full AI feature inventory as both CSV (machine-readable) and Markdown (human-readable).

02-Diagnosis/ — screenshot evidence per finding.

03-Code-Snippets/ — React, HTML, Vue 3 components in all 24 EU languages plus the C2PA provenance utility.

04-Compliance-Documents/ — the five-document pack.

05-Loom-Walkthrough.txt — a personal Loom recorded by the lead reviewer walking the customer through their specific findings and the order to ship the fixes.

The customer receives the link, watches the Loom, and forwards the bundle to their CTO, counsel, or board. Implementation is on the customer; the deadline runs to 2 August 2026.

Day 30 — Check-in

Thirty days after delivery the lead reviewer reaches out for a free check-in. Async or call, customer's choice.

The agenda is short: which fixes shipped, which slipped, any new AI features introduced, any changes to the customer's regional footprint, any new EU AI Office guidance worth knowing about. The lead reviewer either signs off on the implementation, or re-opens specific findings for follow-up.

If the EU AI Act is amended or the customer ships a substantially new AI feature within twelve months of the original delivery, a delta re-audit costs €497.

If the customer implements the audit recommendations and the product is still found non-compliant by 2 August 2026, the engagement fee is refunded in full. No partial refunds. No arbitration. The refund anchor and the law's main application date coincide deliberately.

Frequently asked questions

Can the timeline compress below five business days?

No. The practice runs the same pipeline on every engagement and the five-day window is what the methodology requires. Compression would either remove the native-language review stage (unacceptable for a 24-language deliverable) or remove the technical-reviewer stage (unacceptable for snippets that will ship to production). The five days are what the price covers.

What if the customer's product changes during the five days?

The lead reviewer freezes the scope at the start of Day 1 based on the intake brief and the as-observed product walk. Material changes shipped after Day 1 are captured in the report's open-questions section and addressed in the Day 30 check-in. Substantial post-audit changes are the trigger for the €497 re-audit option.

Does the customer talk to anyone on the practice's team beyond the lead reviewer?

By default, no. The lead reviewer is the customer's single point of contact for the whole engagement. Technical reviewers and native-language reviewers work internally to the practice; their work surfaces in the deliverable but the customer's conversation stays with the lead reviewer. If a customer's CTO wants to debug a specific snippet integration with our technical reviewer, the lead reviewer arranges the call as part of the 30-day check-in window.

What if the practice's lead reviewer is unavailable for a planned slot?

The practice runs the calendar conservatively. Five audits per week is the maximum, not the target. If the lead reviewer's availability is at risk (illness, travel), the practice closes intake for the affected week rather than handing off mid-engagement. This is part of why the methodology delivers on day five every time.

What does the customer's counsel need from the deliverable?

Three things, in order: the article-by-article gap matrix (so counsel knows which clauses bind the product), the prohibited-practice negative confirmation (so counsel can certify no Article 5 line was crossed), and the signed sign-off block (so counsel has a clear provenance trail). The deliverable is designed for a qualified lawyer to sign off on in twenty minutes — that is the brief our reviewers write to.

Last updated: 2026-05-30