PRE-LAUNCH COMPLIANCE

Four compliance gaps in an AI SaaS — found before launch

14 June 2026 · 3 min read

briofy is an AI SaaS built in-house: it generates social captions from uploaded photos and videos and schedules the posts. Before launch it went through the same Tier-1 AI governance audit that is applied to clients. The audit found four critical gaps.

The four gaps

  • No AI disclosure. Article 50 of the EU AI Act sets transparency obligations: people must be told when they are interacting with an AI system, and generated content must be marked as artificially generated. briofy had neither: no label on the captions, no disclaimer in the product.
  • No DPA with the cloud provider. User photos and videos are stored with a cloud provider, which makes that provider a processor under GDPR, and Article 28 requires a contract (the Data Processing Agreement) governing that processing. Without a signed DPA the processing is not GDPR-compliant, however careful the engineering is. Most large providers publish a standard DPA that is accepted through the account terms; the usual gap is that nobody has confirmed it is in place and kept a record of it.
  • No GDPR assessment for photos containing people. Users upload images of identifiable people who are not the user and who never agreed to anything. Those faces are personal data of third parties; processing them needs a documented lawful basis and, where the risk is high, a Data Protection Impact Assessment (Article 35). None of this had been formally assessed.
  • No ToS clause for third-party consent. If a user uploads someone else's face, nothing in the terms allocates responsibility for that. The terms must state that the user is responsible for obtaining consent from anyone who appears in the uploaded media.

The lesson

None of these are code problems; they are paperwork, and closing them takes weeks, not months. They were also found before any customer was affected. The uncomfortable part is that even when you know the product better than anyone, you do not think of these questions until someone asks them. That is why a structured audit exists: someone has to ask, and asking is the job.

Before your next launch — ask.

A Shielding Review surfaces the paperwork gaps (AI disclosure, DPA, GDPR, ToS) by priority. Free 45-min session.
