FAQ

About the product

No. Lex Custis is an engineering substrate that produces the evidence artefacts the EU AI Act requires. Your interpretation of what the Act requires for your product is a legal matter — engage qualified EU counsel. The self-assessment at /check is informational, not legal advice.

Can I use Lex Custis for free commercially?

Yes, under AGPL-3.0. If you're comfortable with AGPL copyleft (any networked modification must be made available to users), run the OSS core as much as you want. If you need a proprietary license (embedding in a closed-source product, hosting as closed SaaS), a commercial license is available — see LICENSE-commercial.md.

Is there a commercial / managed option?

Yes — for organisations that cannot take AGPL copyleft, or that want the stack operated on EU-sovereign infrastructure with SSO, SLA, and indemnification. Scope and pricing are handled per-customer; see LICENSE-commercial.md and contact contact@lexcustis.eu.

Do I need to be technical to run this?

To self-host: someone needs to run ./install.sh on a VM and manage backups / TLS / monitoring. A single full-stack developer can handle it. To use it in the browser: no, it's a web app.

Is the hash-chain claim real?

Yes. HMAC-SHA-256 per-org, key held outside Postgres. See architecture/hash-chain.md for the cryptographic detail and threat model. An independent reviewer can reproduce the verification procedure from the dossier alone.
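As an added example (not Lex Custis's own code; the record layout and genesis value are assumptions), the kind of per-org HMAC-SHA-256 chain the answer describes, with the verification a reviewer would rerun and the tamper cases it does and does not catch:

```python
import hashlib
import hmac
import json

# Constructed illustration of a per-org HMAC-SHA-256 hash chain over audit
# events. Record layout, JSON canonicalisation and the genesis value are
# assumptions made for this example, not Lex Custis's own storage format.
GENESIS = "0" * 64

def _canonical(event: dict) -> bytes:
    # Stable byte encoding so the MAC does not depend on dict key order.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def _mac(org_key: bytes, seq: int, prev: str, event: dict) -> str:
    # Each link commits to its position, the previous link's MAC and the event.
    msg = f"{seq}\n{prev}\n".encode() + _canonical(event)
    return hmac.new(org_key, msg, hashlib.sha256).hexdigest()

def append(chain: list, org_key: bytes, event: dict) -> dict:
    seq, prev = len(chain), (chain[-1]["mac"] if chain else GENESIS)
    entry = {"seq": seq, "prev": prev, "event": event,
             "mac": _mac(org_key, seq, prev, event)}
    chain.append(entry)
    return entry

def verify(chain: list, org_key: bytes):
    # Returns (ok, first_bad_seq); needs the org key, which lives outside the DB.
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i  # gap, reorder or splice
        expected = _mac(org_key, i, prev, entry["event"])
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i  # edited event or forged link
        prev = entry["mac"]
    return True, None

def demo():
    key = b"constructed-org-key-not-a-real-secret"
    chain = []
    for e in ({"type": "model_eval", "score": 0.91},
              {"type": "incident", "severity": "high"},
              {"type": "pii_scan", "hits": 0}):
        append(chain, key, e)
    edited = json.loads(json.dumps(chain))  # deep copy, then edit one stored row
    edited[1]["event"]["severity"] = "low"
    spliced = chain[:1] + chain[2:]  # middle row deleted
    truncated = chain[:-1]  # newest row dropped
    return (verify(chain, key), verify(edited, key),
            verify(spliced, key), verify(truncated, key))
```

Dropping the newest rows still verifies, which is why the latest MAC has to be anchored outside the database (in the exported dossier, for instance) before a reviewer can detect truncation.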


About the EU AI Act

When exactly does my product become "high-risk"?

It becomes high-risk from 2 August 2026 if it matches one of the Annex III categories listed in is-my-system-high-risk. Annex I systems (safety components of regulated products such as medical devices) follow from August 2027.

If I'm not based in the EU, does the Act still apply to me?

If your AI system is placed on the EU market, put into service in the EU, or its output is used to process EU persons' data — yes, regardless of where you're headquartered (Art. 2). You also need an Authorised Representative in the EU (Art. 22).

What if my customer is the deployer and I just provide the model?

You're the provider, they're the deployer. You owe provider obligations (Arts. 9–15, 17, etc.). They owe deployer obligations (Arts. 26, 27). Art. 13 is the handoff: you ship them an IFU. Art. 26 makes them send incidents back to you.

Can I just self-certify and hope no one checks?

You can, and most providers will. But market surveillance authorities can open inquiries without notice, especially after user complaints or news coverage of an incident. Fines reach €35 M or 7 % of global turnover. Even if you self-certify, you still need the evidence artefacts on hand — which is what Lex Custis gives you.

Does GDPR still apply on top?

Yes. GDPR + the AI Act interlock but don't merge. Art. 22 GDPR (automated decisions) is particularly tight; some of what the AI Act classifies as high-risk will also require a GDPR DPIA.

What's a FRIA and do I need one?

Fundamental Rights Impact Assessment (Art. 27). Required before a deployer puts an Annex III high-risk system into use in these contexts:

  • Public-sector deployer (body governed by public law, or private entity providing a public service).
  • Evaluation of creditworthiness (Annex III §5(b)) outside fraud detection.
  • Life / health insurance risk evaluation (Annex III §5(c)).

If you're a pure B2B SaaS and your customers aren't in those buckets, no FRIA for you. If they are, you'll want to provide them a template.


About installation

Why doesn't install.sh offer Hetzner / Scaleway one-click?

OSS v0.1 ships the commodity install.sh that works on any pre-provisioned Linux VM. Tested public Terraform modules for Hetzner and Scaleway live in the commercial managed-infra repo. We plan to publish OSS Terraform modules in v0.2. Until then, see self-host/hetzner.md and self-host/scaleway.md.

Can I run this on AWS / GCP / Azure?

Technically yes — the stack is generic docker-compose. But the whole product proposition is EU-sovereign, so running it on US hyperscalers undermines the pitch. The commercial edition can deploy into an AWS / GCP / Azure region within the EU with contractual data-residency guarantees, for customers whose procurement mandates those clouds.

Do I need a GPU?

For Mistral (API) — no, zero. For self-hosted Ollama with 7B+ models — yes, or your chat responses will take 30+ seconds per answer. Small models (gemma3:4b, phi3.5, llama3.2:3b) run fine on CPU.

How much does it cost to run?

  • Single-tenant OSS on a small EU VM (Mistral API, not self-hosted LLM): roughly the VM cost (~€15/mo on Hetzner CCX13) plus your Mistral spend (heavily volume-dependent).
  • Self-hosted with Ollama on a GPU box: higher fixed cost, zero LLM-API spend — worthwhile at high chat volume.
  • Managed commercial tier: per-customer quote; contact contact@lexcustis.eu.

About the community

Where do I report bugs?

GitHub issues at https://github.com/vbalagovic/lex-custis/issues. For security issues, email contact@lexcustis.eu — do not open a public issue.

Where do I ask questions?

GitHub Discussions at https://github.com/vbalagovic/lex-custis/discussions.

I want to contribute. What should I work on?

Start with anything labelled good-first-issue. Priority areas: PII detection for additional EU locales, bias-pattern coverage, provider plugins for other OpenAI-compatible servers (LocalAI, Groq, vLLM), i18n of the frontend. See CONTRIBUTING.md.

Can I fork this and build a competing product?

Under AGPL-3.0 you're free to fork. If you host it as a service, AGPL obliges you to publish your modifications to users. If that's inconvenient, buy a commercial license. If you want to compete with us on the commercial edition, that's the market speaking — we plan to earn the business by operating it better, not by legal friction.


About the company

Who's behind Lex Custis?

Built by Vedran Balagović in Zagreb, EU. Not-a-unicorn, not-VC-backed (yet), not a research lab. One founder, open source, EU-time, pragmatic.

What's the business model?

Open-source core under AGPL-3.0 plus a commercial-licensed managed edition operated on EU-sovereign infrastructure for customers who need SSO, SLA, or indemnification. The OSS core ships every compliance feature critical to the product's claims.

How do I get in touch?

  • General: contact@lexcustis.eu
  • Security: contact@lexcustis.eu
  • Commercial / enterprise: contact@lexcustis.eu with "enterprise" in the subject.