Artificial intelligence transparency policy

RackList is designed and operated by a development team (the "dev team") under the direction of the natural person identified in section 2 of the legal notice, who acts as lead developer ("lead dev") and editorial manager. The team has made the deliberate, structuring and fully transparent choice to integrate generative AI tools as technical executants, under continuous human orchestration. This policy sets out, in the spirit of Article 50 of Regulation (EU) 2024/1689 of 13 June 2024 (the "AI Act") whose entry into force is scheduled for 2 August 2026, the precise terms of that integration, so that users and listed hosting providers can assess the technical governance of the service with full knowledge of the facts.

This choice reflects a declared strategy. The intensive mobilisation of AI, combined with continuous direction by the dev team, has allowed the publisher to honour a clear commitment to the community of hosting consumers: to deliver a complete, polished and compliant platform on a tight timeline, with no concessions on functional scope, security or regulatory compliance. In practice, this method enabled RackList to release its service publicly ahead of one of its direct competitors (notably the publisher trading as "Top Heberg"). The publisher asserts this approach: a community need had been clearly expressed, and the commitment was to meet it in full, without half-measures and to the end.

This policy covers all interactions between AI tools and the RackList platform, namely:

• design, development, review, refactoring and debugging of the site's source code and infrastructure (Symfony back-end, Twig/Stimulus front-end, Docker configuration, DevOps automation);
• generation of automated tests (unit, functional, integration) systematically executed and reviewed by the dev team;
• drafting of internal technical documentation, code comments, commit messages and architecture notes;
• operational tasks (writing scripts, playbooks, migrations, infrastructure manifests), governed by the principle of least privilege and subject to human review before any sensitive execution.

Out of scope: any editorial or functional content visible to end users of the site (see section 8), which remains produced exclusively by human authors or by documented deterministic algorithms.

The use of AI is not a passive delegation; it sits within a continuous chain of human orchestration with expressly allocated responsibilities:

• Lead dev: defines the target architecture, sets the product strategy, drafts the directing prompts, arbitrates structural technical choices, validates each deliverable before integration into production and bears the editorial responsibility of the publisher.
• Dev team: conducts line-by-line code review, completes test suites, enforces standards (PHPStan level 8, PHP-CS-Fixer, declare(strict_types=1)) and dictates the substantial corrections imposed on the AI tool.
• AI tool: acts as an executant. It produces proposals on explicit instruction, suggests refactorings, drafts code matching the specifications transmitted and performs analytical tasks. None of its outputs reach production without prior human validation.

The mark of human intellectual contribution (orientation, selection, correction, integration, validation) characterises the software work within the meaning of the Intellectual Property Code. See also section 9 (Pachot case law).

As of the publication date of this policy, the dev team uses the following generative AI tools in the development process:

Any substantial change of provider, tool or model triggers an update of this page and a new publication date.

Tasks delegated to the AI tool are strictly limited to technical software development assistance, under dev team orchestration:

• Generation of repetitive code (class skeletons, DTOs, forms, test fixtures);
• Refactoring proposals to reduce cyclomatic complexity, improve readability or align the code with project conventions;
• Drafting of unit and functional tests, systematically validated and executed by the dev team;
• Analysis of error messages, suggestions of fixes and diagnostic proposals, always reviewed before application;
• Security reviews against OWASP Top 10 risks and review against the RGAA 4.1 accessibility reference framework.

Every AI-sourced contribution follows a complete human validation pipeline before any production release:

• Line-by-line code review by an identified member of the dev team, under the final responsibility of the lead dev;
• Full PHPUnit test suite and PHPStan static analysis (level 8, zero errors) before each commit;
• PHP-CS-Fixer rules (@Symfony + @Symfony:risky) with mandatory strict_types mode;
• Continuous integration requires lint, static analysis, security audit of dependencies (composer audit) and execution of the full test suite before merging to the main branch;
• Commit messages written or validated by the dev team, in the conventional commits format (feat:, fix:, chore:, etc.).

No artefact originating from an AI session reaches production unless this control chain has been respected in full. The speed of the development cycle does not stem from reduced controls, but from their automation and the tight coordination between the dev team and the executant tool.

The following categories of data are in no case submitted to third-party AI tools during development:

• User personal data (identifiers, emails, profile information, login data), encrypted at rest via the PHP Sodium extension and deterministic blind indexes;
• Infrastructure secrets: API tokens, encryption keys, database passwords, Mercure keys, OAuth secrets, certificates;
• The full content of reviews published by users and of replies by hosting providers;
• The content of private messages exchanged through the internal messaging system (host-to-host or host-to-sub-user);
• Commercial and technical information submitted in confidence by hosting providers claiming their listing as part of the verification process.

When a code excerpt must be shared with an AI tool for diagnosis, it is systematically sanitised of any real data it might contain. Synthetic data sets are used instead.

Any change in this respect will trigger:

• (i) explicit "AI-generated content" labelling compliant with Article 50 of Regulation (EU) 2024/1689;
• (ii) machine-readable marking in the content metadata, in line with the codes of practice adopted under the same regulation;
• (iii) an update of this policy and a new publication date.

Failure to comply with these obligations would expose the publisher to administrative fines of up to 15 million euros or 3% of its worldwide annual turnover (Article 99 of the Regulation).

Generative AI models may produce code suggestions that are textually or substantially similar to code used during their training. Such code may be subject to open-source licences carrying obligations (MIT, Apache 2.0, BSD, LGPL, GPL, AGPL, etc.).

To mitigate this risk, the publisher implements the following measures:

• Static analysis and dependency audit integrated into the continuous integration process (composer audit, PHPStan);
• Inventory of licences used by third-party libraries (versioned composer.lock file);
• Human review of any code excerpt suspected of being an unauthorised reproduction;
• Systematic inspection of the diff of every AI proposal before integration.

The publisher assumes full legal responsibility for the code deployed in production, including in relation to third parties holding intellectual property rights. That responsibility cannot be transferred to the executant tool.

This policy is reviewed at each substantial evolution of the development process and, at minimum, once a year. The last update date appears at the top of the page.

Any person who identifies on RackList content manifestly generated by AI and not disclosed as such, or who suspects an unauthorised reproduction of protected code, is invited to report the facts at:

Each report is acknowledged within two business days and subject to documented handling.