About TrustPacket

We built TrustPacket because SMEs shouldn't have to pay $20,000 to answer one compliance question.

Why we exist

The EU AI Act became enforceable in February 2025. Enterprise procurement teams started asking: "Is your AI system high-risk? Show us your Annex IV documentation."

For companies building on Annex III use cases (hiring, credit scoring, biometric ID), the answer determines whether they can close deals. The problem: getting that answer meant either hiring a law firm for $5,000–20,000 or adopting a GRC platform built for enterprises with compliance teams.

We've been on both sides of this. As vendors, we've filled out hundreds of compliance questionnaires. As buyers, we've sent them. The AI Act questionnaire became the new SOC 2 — a table-stakes hurdle that shouldn't cost five figures to clear when you're a 15-person team.

What we built

A rule-based risk checker — no AI guessing your legal obligations. We implemented the Annex I and Annex III decision trees from Regulation (EU) 2024/1689 as code. Answer 7 questions, get your tier with article references and deadlines.

Self-serve documentation — the five (or six) documents buyers actually ask for, generated from a structured questionnaire. Not perfect, not a substitute for counsel, but 80% of the work done in 15 minutes instead of 4 weeks.

We charge $299–499 instead of $5,000 because the marginal cost of generating documents is near zero, and we'd rather help 100 companies at $300 than 5 companies at $5,000.

Who we are

TrustPacket is built and maintained by a small team with backgrounds in SaaS compliance, developer tools, and enterprise sales. We've navigated SOC 2, ISO 27001, GDPR, and now the AI Act — not as consultants, but as operators who had to ship compliant products on startup budgets.

We're not lawyers. We don't pretend to be. Everything we build is explicitly labeled "not legal advice" because that's honest: we're a self-assessment tool, not a law firm. For prohibited-tier systems or novel edge cases, you need qualified counsel. For the 80% of cases that map cleanly to Annex III, our tool gets you documentation you can hand to a lawyer for review — at a fraction of the cost of starting from scratch.

What we're not

Not a law firm.We don't provide legal advice, and we say so everywhere. Our tool helps you structure your self-assessment and generates documentation templates. A lawyer should review the output before you rely on it for high-stakes decisions.

Not a certification body.We don't issue certificates of conformity. Conformity assessment (Article 43) requires notified bodies for most high-risk systems — that's not us.

Not a GRC platform.If you're a 500-person company juggling SOC 2, ISO 27001, HIPAA, and AI Act, you probably need Vanta or OneTrust. We're for the 20-person team that just needs AI Act docs to unblock a deal.

How we make money

We sell documentation packs ($299–499 one-time) and will offer monitoring subscriptions ($49/month) for teams that want ongoing regulatory updates. The risk checker and guides are free forever — we believe the classification question should have a free answer.

We also earn affiliate commissions when we recommend GRC platforms to companies that outgrow self-serve tools. We're transparent about this: see our affiliate disclosure.

Contact

Questions, feedback, or partnership inquiries: hello@trustpacket.app

Follow regulatory updates and product news: @trustpacket (placeholder — update when real)

Ready to classify your system?