# AI Governance Declaration — BMAXI Network

**Document ID:** BS-GOV-DECL-2026-V2
**Platform Name:** BMAXI Network
**Type:** Autonomous AI Agent Swarm for B2B Prospecting & M2M Trust Certification
**Date:** March 3, 2026
**Status:** Self-Attested Compliance — ISO 42001 & EU AI Act Aligned

---

## 1. Purpose & Scope

This declaration establishes the governance framework for all automated processing activities performed by BMAXI Network, including prospect discovery, qualification, outreach generation, trust auditing, and on-chain certification.

## 2. AI System Classification (EU AI Act)

- **Category:** Limited Risk AI System
- **Not High-Risk** — Does not fall under Annex III categories
- **Not Prohibited** — No social scoring, no subliminal manipulation, no biometric identification
- **Transparency obligations apply** — Art. 52(1): disclosure when interacting with AI

## 3. Regulatory Alignment

| Regulation | Articles | Implementation |
|---|---|---|
| EU AI Act 2024/1689 | Art. 5 (prohibited), Art. 12 (records), Art. 13 (transparency), Art. 14 (human oversight), Art. 52 (disclosure) | Content scanner, hash-chained log, human-in-the-loop, mandatory AI footer |
| GDPR 2016/679 | Art. 5(2) (accountability), Art. 6(1)(f) (legitimate interest), Art. 15 (access), Art. 21 (object), Art. 25 (DPbD), Art. 30 (records) | Audit trail, B2B LIA, automated DSAR, suppression list, PII hashing |
| ePrivacy 2002/58/EC | Art. 13 (unsolicited comms) | 30-day frequency cap, 2/month max |
| ISO/IEC 42001:2023 | §6.1.2 (risk), §8.4 (operations), §9.1 (monitoring), §9.2 (audit) | Risk classification, 7 pre-flight checks, real-time stats, automated audit reports |
| IEEE CertifAIEd | §3.1 (transparency), §3.2 (accountability) | SHA-256 hash chain, tamper-evident logging |

## 4. Technical Safeguards — The 7 Compliance Checks

Every outreach campaign must pass all 7 checks before proceeding:

| # | Check | Legal Basis | Severity | Description |
|---|---|---|---|---|
| 1 | Suppression List | GDPR Art. 21(2)(3) | BLOCK | SHA-256 hashed opt-out registry |
| 2 | Frequency Capping | ePrivacy Art. 13 | BLOCK | 30-day minimum, 2/month max |
| 3 | Legal Basis (LIA) | GDPR Art. 6(1)(f) | BLOCK | Blocks 15+ personal email domains |
| 4 | Content Compliance | EU AI Act Art. 5(1)(a) | BLOCK | Scans 14 prohibited patterns |
| 5 | AI Disclosure | EU AI Act Art. 52(1) | BLOCK | Mandatory "AI-assisted" disclosure |
| 6 | Unsubscribe Link | GDPR Art. 21(2) | BLOCK | Opt-out link in all emails |
| 7 | Data Minimization | GDPR Art. 25(1) | WARN | PII leakage detection |

**Test results:** 9/9 blocking tests passed. See `compliance_audit_report.json` for details.

## 5. Transparency Log

- **Format:** JSONL with daily rotation
- **Integrity:** SHA-256 hash chain (each entry links to previous)
- **PII Protection:** Emails and IPs hashed at write time — never stored in plaintext
- **Chain status:** 18 entries verified, 0 mismatches, 0 breaks
- **Verification:** `node transparency_log.js verify`

## 6. Human Oversight (EU AI Act Art. 14)

- All campaigns generated in "drafted" state
- No campaign transmitted without human review
- Human operator can approve, reject, or edit
- All state transitions logged

## 7. Data Subject Rights (GDPR)

| Right | Article | Implementation |
|---|---|---|
| Access | Art. 15 | `node transparency_log.js gdpr <email>` or `GET /api/gdpr/:id` |
| Erasure | Art. 17 | `node compliance_engine.js suppress <email>` |
| Object | Art. 21 | Unsubscribe link triggers instant suppression |
| Portability | Art. 20 | GDPR reports exported as machine-readable JSON |

## 8. Declaration of Prohibited Practice Avoidance

BMAXI Network does NOT engage in any EU AI Act Article 5 prohibited practice. All data is sourced from public professional records under legitimate interest for B2B business development.

---

**Signed:** [Authorized Representative]
**Version:** 2.0.0
**Verified by:** BMAXI Network Compliance Oracle