feat(admin): Add docs for AI act

admin_manual/ai/eu_ai_act.rst

@@ -0,0 +1,60 @@
+================================
+Legal: Compliance with EU AI Act
+================================
+
+.. _ai-eu_ai_act:
+
+Implementation of the transparency requirements
+-----------------------------------------------
+
+This section describes of how Nextcloud and its AI products implemented the transparency requirements.
+
+- All functionality that outputs AI generated content which significantly altered the user’s input has in the software UI a visual warning that the content is generated using AI and urge users to double check the correctness of any claims therein.
+- Additionally, AI generated files like documents, images, and audio contain a note that it was generated by AI. We also add a machine-readable tag (“Generated using AI”). In file formats that support metadata, we add metadata with the same information (“Generated using Artificial Intelligence.”).
+- Agentic interactions with third parties always include a note that the interaction was generated by AI (e.g. E-Mails sent on behalf of the user, calendar events created on behalf of the user, etc.).
+- Employees of Nextcloud GmbH have been instructed through the internal AI policy to inform audience when they send or publish content that were generated by AI or significantly altered by AI.
+- All interactions of users with AI in Nextcloud are retained in the database for observability and transparency. Refer to :ref:`Insight and Debugging<ai-insight-and-debugging>` for details on how to explore and examine these records.
+
+Reliability and robustness
+--------------------------
+
+This section describes the measures that ensure the software is reliable and robust.
+
+- All merged code is reviewed by at least one extra employee who checks for potential issues.
+- The design and implementation of larger and more risky new features are always discussed with multiple experts to ensure a robust implementation.
+- Our software is entirely open-source and anyone can raise bugs they face and propose fixes to the bugs they face. The incoming bugs are regularly reviewed by our employees and prioritized accordingly. Bugs that affect the functionality of the software for many users and instances are prioritized high and the work to develop a fix is added to our roadmap. For the other bugs, anyone is welcome to propose a fix and our employees will review the code change.
+- We offer an enterprise subscription for downstream providers with critical infrastructure. This will guarantee support and fixes for any issue they face within a SLA agreement.
+- We regularly test our software using standard testing procedures, like static code analysis and integration tests where appropriate.
+- We maintain several test instances to ensure the reliability and stability of our AI features. One instance is updated daily with the latest development versions and a selection of self-hosted AI features are tested here. Another instance is used to validate upcoming core releases prior to announcement, where we test a selection of AI features of which most depend on OpenAI as a backend. In addition, we operate an instance that resembles the production environment of a small to mid-sized company, where we perform end-to-end testing of selected AI features. This environment combines AI-as-a-service providers for text generation capabilities with self-hosted models for other capabilities, allowing us to verify real-world performance and usability.
+- When a feature relies on large language models as its core component, we cannot guarantee complete reliability due to the unpredictable nature of an LLM, and have thus documented the limitations of said features and provide AI literacy training to our employees and customers. We select the LLM models we recommend to use based their results on industry standard benchmarks as well as on a custom suite of tests for multilingual usage and tool calling. In the user-facing UI we prompt users to always double check the AI generated content.
+
+Interoperability
+----------------
+
+This section describes the measures that ensure the software is interoperable.
+
+- We provide our AI features via an open API with publicly accessible `OpenAPI specs <https://docs.nextcloud.com/server/latest/developer_manual/_static/openapi.html#/>`_ which allows developers to build on top of our features.
+- As our software is fully open-source, anyone can adjust the software to meet their needs. For example, anyone can adjust the core code, adjust the code of existing applications, or develop a custom application for Nextcloud.
+- We implement integrations for the major model hosting providers and their protocols upon request of customers. We are interoperable with OpenAI and IBMwatsonX. As Nextcloud is an open app ecosystem, anyone can develop an integration with a model hosting provider on their own.
+- We implement the agent interoperability protocol MCP both as a client and as a server to allow users to connect the AI Agent software to existing services and connect existing AI Agents to our software.
+- We implement a local model hosting mechanism that can be used to host GGUF models (most open weight models can be converted using an Open Source tool called llama.cpp).
+
+Cybersecurity and physical security of the hardware
+---------------------------------------------------
+
+This section describes the measures how we guarantee cybersecurity and the physical security of the hardware.
+
+- All merged code is reviewed by at least one employee who also checks on security.
+- We have a security bounty program at HackerOne.
+- Our software is self-hosted by our customers and downstream providers.
+
+  - We provide our customers extra support to ensure the software is secure, such as long-term support and early security notifications.
+  - We cannot guarantee the security of the hardware of our customers and downstream providers. We cannot guarantee the security of the hardware as we only deliver software. Hardware security is the responsibility of those who host the software.
+  - For internal use of Nextcloud GmbH, we use a well-respected EU-based hosting provider for our hardware (Hetzner) and a well-respected EU-based AI service provider (Ionos) with whom we have a data processing agreement.
+
+Additional requirements when using large AI models
+--------------------------------------------------
+
+Nextcloud's AI products are designed to be used with smaller AI models that can also run on-premise. Nextcloud's AI Act compliance efforts thus assume you are using models that were trained using less than 10^25 floating point operations.
+However, Nextcloud's AI products are designed (in accordance with the AI act) to be interoperable and therefore it is technically possible to use larger models.
+If you decide to use larger models, this qualifies as a significant modification of the system and additional legal requirements for systemic-risk General purpose AI systems apply. Please refer to a lawyer and to `the EU AI Act <https://artificialintelligenceact.eu/gpai-guidelines-overview/comes>`_.

admin_manual/ai/index.rst

@@ -19,3 +19,4 @@ Artificial Intelligence
     app_live_transcription
     ai_as_a_service
     insight_and_debugging
+    eu_ai_act