Tenable Nova LLC

Annex VII Data Room Guidance

Technical Documentation Package for Notified Body Conformity Assessment
SWT3 Protocol v1.3.0 | May 2026 | Patent Pending | Apache 2.0
Annex VII Sections: 7
SWT3 Procedures Mapped: 42
Axiom Exports: 14
Clearing Levels: 4

1. Purpose

Under Article 43 of the EU AI Act, high-risk AI systems require conformity assessment by a Notified Body (NB). The NB must review technical documentation as defined in Annex IV, organized into an accessible data room per Annex VII requirements.

This guide provides a structured approach to assembling the data room using evidence generated by the Axiom Sovereign Engine. Every document is anchored with SWT3 Witness Anchors, providing cryptographic proof of integrity and provenance.

Key principle: The data room is not a one-time snapshot. Axiom continuously generates evidence, so the data room can be refreshed at any point during the assessment lifecycle. NBs can verify any anchor independently at sovereign.tenova.io/verify.

2. Annex VII Section Mapping

Each Annex VII requirement maps to one or more Axiom evidence sources. The table below provides the complete mapping.

| Annex VII Ref | Requirement | Axiom Evidence Source | Export / API | Clearing |
|---|---|---|---|---|
| VII.4.1 | General description of the AI system | SSP export (system boundary, architecture) | GET /api/v1/ssp/export | L0 |
| VII.4.2 | Detailed description of elements and development process | AI-SBOM, model cards, witness ledger (AI-MDL procedures) | GET /api/v1/supply-chain/export | L1 |
| VII.4.3 | Monitoring, functioning, and control of the AI system | Drift reports, posture trend, AI-INF witness records | GET /api/v1/posture-trend; GET /api/v1/ai-witness/export | L1 |
| VII.4.4 | Risk management system | FRIA, DPIA, gap analysis, POA&M | GET /api/v1/gap-to-green; GET /api/v1/poam/export | L1 |
| VII.4.5 | Changes to the system throughout its lifecycle | Witness ledger (all procedures), revocation anchors (AI-REV.1) | GET /api/v1/ledger (filtered) | L0 |
| VII.4.6 | Data governance and management practices | AI-DATA.1 through AI-DATA.4 witness records, clearing proofs | GET /api/v1/ai-witness/export | L2 |
| VII.4.7 | Post-market monitoring plan | Posture trend (continuous), IRP, heartbeat integrity (SI-7) | GET /api/v1/posture-trend | L0 |

3. Recommended Folder Structure

Organize the data room into numbered folders aligned with Annex VII sections. This structure enables NBs to locate evidence efficiently during assessment.

| Folder | Contents | Axiom Source |
|---|---|---|
| /01-system-description/ | System Security Plan (OSCAL + traditional), architecture diagram, system boundary | SSP export, Executive Summary |
| /02-risk-management/ | FRIA (Art. 27), DPIA (Art. 35), gap analysis, risk register | Gap-to-Green report, POA&M export |
| /03-data-governance/ | Data lineage, clearing level proofs, retention policy, PII audit results | AI-DATA.1-4 witness records, leakage audit |
| /04-technical-documentation/ | Model cards (AI-MDL.1-7), AI-SBOM (CycloneDX), test results, performance metrics | Supply chain export, AI witness export |
| /05-monitoring/ | Drift reports, posture trend (90-day), inference witness ledger, heartbeat logs | Posture trend API, ledger export (filtered) |
| /06-conformity-assessment/ | Corrective Action Plan (CAP), audit findings, sampling manifest, mock assessment | CAP export, audit portal, sampling manifest |
| /07-incident-management/ | Incident Response Plan, revocation records (AI-REV.1), post-market alerts | IRP policy, revocation anchors from ledger |

4. Automation with Axiom

Each folder maps to one or more Axiom API endpoints. An automated data room assembly workflow can be built using the following exports:

| Folder | API Call | Format | Auth |
|---|---|---|---|
| /01 | GET /api/v1/ssp/export | OSCAL JSON | Bearer |
| /01 | GET /api/v1/executive-summary | HTML | Session |
| /02 | GET /api/v1/gap-to-green | HTML | Bearer |
| /02 | GET /api/v1/poam/export | OSCAL JSON | Bearer |
| /03 | GET /api/v1/ai-witness/export | JSON | Bearer |
| /04 | GET /api/v1/supply-chain/export | CycloneDX JSON | Bearer |
| /05 | GET /api/v1/posture-trend?days=90 | JSON | Bearer |
| /06 | GET /api/v1/audit/{token}/cap | HTML | Audit token |
| /06 | GET /api/v1/mock-assessment | HTML | Session |
| /07 | GET /api/v1/ledger?type=revocation | JSON | Session |

Tip: Use the Axiom CLI (axiom report --local --html) to generate a self-contained offline report that includes all 7 folders in a single HTML artifact suitable for air-gapped NB review.
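
The assembly workflow described in this section, as an added Python sketch (not Tenable Nova or Axiom code). It assumes "Bearer" means an HTTP `Authorization: Bearer` header, that the caller supplies the base URL and token, and that the output file names are hypothetical; Session and Audit token rows are reported back rather than fetched.

```python
import urllib.request
from pathlib import Path

# Folder names (section 3) and export rows (section 4) copied from this guide.
FOLDERS = ["01-system-description", "02-risk-management", "03-data-governance",
           "04-technical-documentation", "05-monitoring",
           "06-conformity-assessment", "07-incident-management"]
EXPORTS = [  # (folder number, API call, format, auth)
    (1, "/api/v1/ssp/export", "OSCAL JSON", "Bearer"),
    (1, "/api/v1/executive-summary", "HTML", "Session"),
    (2, "/api/v1/gap-to-green", "HTML", "Bearer"),
    (2, "/api/v1/poam/export", "OSCAL JSON", "Bearer"),
    (3, "/api/v1/ai-witness/export", "JSON", "Bearer"),
    (4, "/api/v1/supply-chain/export", "CycloneDX JSON", "Bearer"),
    (5, "/api/v1/posture-trend?days=90", "JSON", "Bearer"),
    (6, "/api/v1/audit/{token}/cap", "HTML", "Audit token"),
    (6, "/api/v1/mock-assessment", "HTML", "Session"),
    (7, "/api/v1/ledger?type=revocation", "JSON", "Session"),
]

def build_plan():
    """One job per export row: target folder, request path, file name, auth type."""
    plan = []
    for num, path, fmt, auth in EXPORTS:
        stem = path.split("?")[0][len("/api/v1/"):].replace("/", "_").replace("{token}", "TOKEN")
        ext = "html" if fmt == "HTML" else "json"   # file names are an assumption
        plan.append({"dir": FOLDERS[num - 1], "path": path,
                     "file": f"{stem}.{ext}", "auth": auth})
    return plan

def fetch_bearer(base_url, token, root, opener=urllib.request.urlopen):
    """Download the Bearer rows into root; return the rows that were not fetched."""
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    jobs = build_plan()
    for job in (j for j in jobs if j["auth"] == "Bearer"):
        req = urllib.request.Request(base_url + job["path"],
                                     headers={"Authorization": f"Bearer {token}"})
        out = Path(root, job["dir"], job["file"])
        out.parent.mkdir(parents=True, exist_ok=True)
        with opener(req, timeout=30) as resp:
            body = resp.read()
        out.touch(mode=0o600, exist_ok=True)  # owner-only: exports may be sensitive
        out.write_bytes(body)
    return [j for j in jobs if j["auth"] != "Bearer"]

def missing_folders(root):
    """Checklist item 1: folders under root that are absent or empty."""
    return [d for d in FOLDERS if not ((p := Path(root, d)).is_dir() and any(p.iterdir()))]
```

With only a bearer credential, `missing_folders` still reports /06 and /07, because every export listed for those folders uses Session or Audit token auth.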

5. SWT3 Evidence Chain

Every document in the data room is backed by one or more SWT3 Witness Anchors. These anchors provide:

Anchor Format

SWT3-{TIER}-{PROVIDER}-{UCT}-{PROCEDURE}-{VERDICT}-{EPOCH}-{SHA256_12}
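
A structural parser for the template above, as an added Python example (not part of the SWT3 specification or Axiom tooling). It assumes that only PROCEDURE may contain hyphens (identifiers such as AI-REV.1 and SI-7 appear in this guide), that EPOCH is decimal Unix seconds, and that SHA256_12 is 12 hex characters; it checks shape only and does not verify the digest.

```python
import re
from datetime import datetime, timezone

FIELDS = ("tier", "provider", "uct", "procedure", "verdict", "epoch", "sha256_12")

def parse_anchor(anchor):
    """Split an anchor into its seven fields, tolerating hyphens in PROCEDURE."""
    parts = anchor.strip().split("-")
    if len(parts) < 8 or parts[0] != "SWT3":
        raise ValueError("expected SWT3 prefix and seven fields")
    # Three fields are fixed from the left and three from the right; whatever
    # remains in the middle is the procedure id, re-joined with its hyphens.
    fields = parts[1:4] + ["-".join(parts[4:-3])] + parts[-3:]
    rec = dict(zip(FIELDS, fields))
    if not all(rec.values()):
        raise ValueError("empty field")
    if not re.fullmatch(r"[0-9]{1,10}", rec["epoch"]):
        raise ValueError("EPOCH is not a decimal timestamp")
    if not re.fullmatch(r"[0-9a-fA-F]{12}", rec["sha256_12"]):
        raise ValueError("SHA256_12 is not 12 hex characters")
    rec["epoch_utc"] = datetime.fromtimestamp(int(rec["epoch"]), tz=timezone.utc)
    return rec

def lint_anchors(anchors):
    """Return {anchor: error} for every anchor that fails parse_anchor."""
    bad = {}
    for anchor in anchors:
        try:
            parse_anchor(anchor)
        except ValueError as exc:
            bad[anchor] = str(exc)
    return bad

# Constructed sample values; T0, DEMO, U0 and PASS are placeholders, not real SWT3 codes.
SAMPLES = [
    "SWT3-T0-DEMO-U0-AI-REV.1-PASS-1767225600-0123456789ab",
    "SWT3-T0-DEMO-U0-SI-7-PASS-1767225600-0123456789ab",
    "SWT3-T0-DEMO-U0-AI-DATA.1-PASS-1767225600-0123456789",   # digest too short
]
```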

Verification

NBs can verify any anchor using:

6. Pre-Submission Checklist

Before submitting the data room to the Notified Body, verify the following:

| Item | Requirement | Status |
|---|---|---|
| 1 | All 7 folders populated | Required |
| 2 | SSP includes system boundary and intended purpose (Art. 6) | Required |
| 3 | FRIA completed (Art. 27) with SWT3 anchor | Required |
| 4 | AI-SBOM includes all model components with versioning | Required |
| 5 | Data governance evidence at Clearing Level 2+ | Required |
| 6 | Posture trend covers minimum 30 days of continuous monitoring | Required |
| 7 | No open MAJOR audit findings (CAP items all RESOLVED or in REMEDIATION) | Required |
| 8 | Revocation log reviewed (no unacknowledged AI-REV.1 anchors) | Required |
| 9 | Anchor verification passes for all exported documents | Required |
| 10 | Incident Response Plan current within 12 months | Required |
| 11 | Human oversight documentation (AI-HITL.1/HITL.2) | Required |
| 12 | Drift detection baseline established and current | Recommended |
| 13 | Mock assessment score above 80% | Recommended |
| 14 | Sampling manifest pre-generated for NB review efficiency | Recommended |

Important: Under Article 43(4), the NB may request additional documentation beyond Annex VII. Axiom's continuous evidence generation ensures that supplementary evidence can be produced on demand without delay.

TeNova Axiom Sovereign Engine | SWT3 Protocol v1.3.0 | Patent Pending
CUI | Generated for Notified Body conformity assessment