Flex Applications AI policy - EU AI Act
The purpose of this policy
The purpose of this policy is to:
- explain how our AI capabilities are intended to be used,
- describe how we work to meet the relevant requirements of the AI Act
- be transparent about how the AI features work, their limitations and what safeguards are in place.
Your rights
When you use our AI features, it should be clear that you are interacting with AI. You should also be able to get support if something goes wrong or is unclear.
In practice, this means that you can:
- get information on when a feature uses AI and what it is intended for
- get guidance on how to interpret results and when you should verify
- contact us to report issues, get help or ask questions.
In the future, if an AI feature can suggest or initiate actions in Flex HRM, there should be clear human control before anything is executed.
What data do we process in our AI functions, how do we process it and why?
Flexie (chatbot)
Flexie is an AI assistant for users of Flex HRM. Currently, it acts as a support agent providing answers and guidance for use, configuration and troubleshooting.
Activity:
Answer questions and provide guidance on Flex HRM Payroll, Time, Plan, Employee, Pay Equity Compass and Travel via chat.
Objective:
Streamline support to users and help them find the right workflow and information faster.
How Flexie works (overall):
Flexie uses a Retrieval-Augmented Generation (RAG) architecture. This means that Flexie retrieves relevant information from approved sources (manuals, guides, and release notes) and generates answers based on these documents. Responses can include references and deep links to source material so that the user can check the information.
AI type:
Generative AI (LLM) with RAG.
Risk level and transparency:
Flexie is a chatbot/AI assistant where transparency is key.
- Flexie is clearly labeled as an AI assistant.
- Users are informed that answers are AI-generated and should be verified.
Human-in-the-loop control:
Flexie cannot make autonomous decisions or implement changes without user approval.
- Planned "agentic" functions (e.g. registering absence or clocking in/out) should always require explicit user confirmation.
- Any actions are limited by the user's existing permissions (role-based access).
Data that can be processed:
- Text entered by the user to receive a response.
- We recommend that users do not share sensitive personal data in free text fields unless explicitly required for the task.
Data location and customer separation:
- Flexie (GPT 5.4) runs in Microsoft Azure, within the EU.
- Logical separation is maintained via Tenant IDs.
Confidentiality and model training:
Customer data and prompts are not used to train or improve underlying base models.
Risk management and testing:
- Internal AI assessment has been conducted.
- Internal EU AI Act assessments have been conducted.
- Pentest has been conducted within Visma.
Support and documentation:
Support for Flexie follows regular support for Flex HRM. Documentation and user support are provided via the knowledge base.
SmartScan (receipt and document interpretation)
SmartScan is an AI-based service that automatically extracts and interprets information from receipt images and other documents linked to expenses and travel bills.
Activity:
Automatically read and suggest relevant information (e.g. date, amount and supplier) based on receipt images/documents.
Objective:
Streamline expense management by reducing manual entry, reducing errors and saving time.
How SmartScan works (overall):
SmartScan analyzes uploaded receipt images/documents and returns structured fields as suggestions. The user can check and, if necessary, correct the data before submitting the report.
AI type:
AI-based document analysis (image and text interpretation/OCR) and machine learning.
Risk level and transparency:
SmartScan is designed as a supporting function.
- SmartScan should be clearly communicated as an AI function that makes automatic interpretations.
- Extracted values should be considered as suggestions and may need verification/correction.
- The function should not replace the user's verification of supporting documents.
Risk work and testing:
- Internal AI assessment has been carried out.
- Internal EU AI Act assessments have been carried out.
Human control (human-in-the-loop):
The user (and, if necessary, the authorizer) is responsible for reviewing and correcting data before it is stored or passed on in the process.
Data that can be processed:
- Receipt images/documents uploaded by the user.
- Expense and travel related data extracted or completed.
We recommend that users avoid uploading documents containing sensitive personal data unless explicitly required for the task.
Data location and subcontractors:
The SmartScan service is operated within the EU/EEA.
Storage and deletion:
Customer data is stored for a limited time and automatically deleted according to the deletion policy of the service (currently 365 days from receipt). Deletion can also be initiated earlier when needed.
Support and documentation:
Support for SmartScan follows regular Flex HRM support.
SmartDetect (discrepancy detection in payroll)
SmartDetect is a function in Flex HRM Payroll that helps payroll administrators to detect deviations in payroll documents and payments. The function is based on the underlying service PayrollDetect (Visma Resolve).
Activity:
Flags anomalous payroll entries and displays explanations/indicators to support review before the payroll run goes to payment.
Objective:
Reduce the risk of incorrect payments, streamline controls and strengthen the quality of the payroll process.
How SmartDetect works (overall):
Historical, approved payroll data is uploaded by customer/tenant. The service trains customer-specific machine learning models that learn normal patterns and calculate deviation scores for new/current payroll records. Results are presented as flags with explanations.
AI type:
Machine learning (anomaly detection/deviation identification) with customer-specific models.
Risk level and transparency:
SmartDetect is decision support. Flags are indicators and do not in themselves mean that something is wrong.
- We show that results are AI-generated and should be verified.
- Flags are used for prioritization of review - not as automatic decisions.
Risk work and testing:
- Internal AI assessment has been conducted.
- Internal EU AI Act assessments have been conducted.
Human control (human-in-the-loop):
SmartDetect is "human-led with automation support". This means that the user retains control and responsibility.
- The payroll administrator reviews flags and decides on possible actions.
- SmartDetect does not modify payroll payments or make decisions without human review.
Data that can be processed:
- Anonymized payroll records and anonymized historical payroll data.
Data location and subcontractors:
SmartDetect is operated within the EU/EEA. Customer data is kept logically separated per tenant and not mixed between companies.
Confidentiality and model training:
- Models are customer specific, i.e. trained and used for the current customer/tenant.
- Data is used to deliver the service and for necessary troubleshooting/service improvement according to the provider's procedures.
Storage and deletion:
Customer data is stored for a limited time and automatically deleted according to the deletion policy of the service (currently 365 days from receipt). Deletion can also be initiated earlier when needed (e.g. upon termination of integration).
Support and documentation:
Support for SmartDetect follows regular Flex HRM support.
Security and privacy
The privacy and security of information that may be processed in our AI capabilities is important to us. Flex Applications therefore takes appropriate technical and organizational measures to protect information from unauthorized access, improper use or disclosure, unauthorized modification, and unlawful destruction or accidental loss.
Only individuals who need access to perform their job duties shall have access.
Transfer of data
Flex Applications may use technology suppliers and other Visma companies to assist with the operation and protection of our service environments.
Which data location applies is stated under the respective AI function. At the moment:
- Flexie runs in Azure within the EU.
- SmartScan is operated within the EU/EEA via Visma ML Assets (hosting provider: Google Cloud EMEA Ltd).
- SmartDetect (based on PayrollDetect) is hosted in the EU/EEA via AWS (Ireland).
How to contact us?
If you have any questions about our AI features, this policy or how we work with the AI Act, you can contact us by:
- Calling us on our switchboard +46 (0) 19 10 39 15; or
- Sending a message to info@flexapplications.se
If the question concerns personal data, you can also contact GDPR@flexapplications.se.
Changes to this policy
Flex Applications will update this policy to reflect any changes in our AI capabilities and/or changes in applicable law.
This version of the policy is established on 2026-05-22.