Colorado AI Act
Risk Assessment

Document: Colorado Artificial Intelligence Act (C.R.S. §6-1-1701 et seq., SB 24-205) Risk Assessment  ·  Prepared by: Deer Track Design LLC d/b/a DriftPatrol  ·  Version: 1.0  ·  Effective: May 2, 2026  ·  Next Review: May 2, 2027 or upon any material system change  ·  Contact: [email protected]

Contents

  1. Scope and Purpose
  2. System Description
  3. Statutory Framework: Colorado AI Act
  4. High-Risk Classification Determination
  5. Exemption Analysis — Why DriftPatrol Does Not Meet the High-Risk Threshold
  6. Data Practices
  7. Human Oversight Mechanisms
  8. Bias and Accuracy Considerations
  9. Consumer and Customer Transparency
  10. AI Vendor Assessment
  11. Version Control and Review Schedule
  12. Certification

Section 1 Scope and Purpose

This document constitutes the formal Colorado Artificial Intelligence Act Risk Assessment ("Assessment") for the DriftPatrol service ("Service"), operated by Deer Track Design LLC ("Company," "we," "us"), a limited liability company organized under the laws of the State of Illinois with its principal place of business at Bloomington, Illinois.

Colorado Senate Bill 24-205, codified at C.R.S. §6-1-1701 through §6-1-1711 ("Colorado AI Act" or "Act"), imposes obligations on "developers" and "deployers" of "high-risk artificial intelligence systems." The Act became effective February 1, 2026 for high-risk AI systems.

The purpose of this Assessment is to:

This Assessment is available to Colorado-based customers, their legal counsel, and Colorado regulatory authorities upon written request to [email protected].

Section 2 System Description

2.1 Product

DriftPatrol is a B2B Software-as-a-Service platform that monitors designated web pages (typically legal, regulatory, agency, or court-rule pages) for content changes and delivers AI-generated plain-English summaries of those changes to subscriber organizations, primarily law firms, compliance teams, and legal-technology platforms.

2.2 How the AI Component Works

The Service employs the following automated pipeline:

  1. Crawl: A Cloudflare Worker retrieves HTML content from a Customer-designated URL on a scheduled interval (typically daily).
  2. Diff: The retrieved content is compared to the prior snapshot using a text-diff algorithm. If no material change is detected, the pipeline terminates with no output.
  3. Summarize: If a material change is detected, the changed content is submitted to Anthropic's Claude API (Claude Sonnet tier) with a prompt instructing the model to summarize the detected changes in plain English, at an appropriate professional reading level, and to flag any changes that appear legally significant based on their content.
  4. Deliver: The resulting summary ("Digest") is delivered via email to the Customer's designated Authorized Users, stored in the Customer's tenant in DriftPatrol's database, and accessible via the Customer's web dashboard.

2.3 What the AI Component Does Not Do

2.4 Customer Profile

Customers are exclusively business entities (law firms, compliance departments, and legal-technology companies). DriftPatrol does not sell or market to individual consumers. As of the date of this Assessment, the Company has no customers physically located in the State of Colorado, though the Company's service is accessible to Colorado-based customers and the Company proactively maintains this Assessment in anticipation of Colorado customer relationships.

2.5 Technical Infrastructure

Component | Provider | Role
Serverless compute | Cloudflare Workers | Crawl, diff, API orchestration, authentication
AI summarization | Anthropic, PBC — Claude API (Sonnet tier) | Natural-language summary of detected changes
Database | Cloudflare D1 (SQLite, AES-256 at rest) | Tenant data storage, audit logs, digest archive
Email delivery | Twilio SendGrid | Digest and alert delivery
Payments | Stripe, Inc. | Subscription billing

Section 3 Statutory Framework: Colorado AI Act

3.1 Definitions Relevant to This Assessment

The Colorado AI Act defines key terms at C.R.S. §6-1-1701. The following definitions are material to this Assessment:

Statutory Term | Definition (Paraphrased) | Statutory Citation
Artificial intelligence system | A machine-based system that, for a given set of objectives, infers from the inputs it receives how to generate outputs such as predictions, content, recommendations, or decisions that can influence real or virtual environments. | §6-1-1701(1)
High-risk artificial intelligence system | An AI system that, when deployed, makes, or is a substantial factor in making, a "consequential decision" — meaning a decision that has a significant effect on a consumer's access to or the cost, terms, or availability of education, employment, financial/lending services, essential government services, healthcare, housing, insurance, or legal services. | §6-1-1701(6), §6-1-1701(3)
Consequential decision | A decision that has a significant effect on a "consumer" with respect to education, employment, financial/lending services, essential government services, healthcare, housing, insurance, or legal services. | §6-1-1701(3)
Consumer | A natural person who is a Colorado resident. | §6-1-1701(2)
Deployer | A person who deploys a high-risk AI system in Colorado in the ordinary course of operating a business. | §6-1-1701(4)
Developer | A person who creates, codes, produces, or substantially modifies a high-risk AI system for use or integration into a product or service. | §6-1-1701(5)

3.2 Developer vs. Deployer Analysis

For the purpose of completeness, the Company analyzes its role under both definitions:

Section 4 High-Risk Classification Determination

Formal Determination

After conducting the analysis set forth in Section 5 of this Assessment, Deer Track Design LLC has determined that the DriftPatrol service does not constitute a "high-risk artificial intelligence system" under C.R.S. §6-1-1701(6) of the Colorado Artificial Intelligence Act as of the date of this Assessment.

Classification: Not High-Risk

This determination is based on the analysis in Section 5. The primary bases for this determination are:

  1. The Service does not make, and is not a substantial factor in making, any "consequential decision" as defined in §6-1-1701(3);
  2. The Service's AI output is not presented directly to individual consumers (Colorado residents acting as members of the public); it is presented exclusively to business-entity subscribers and their professional employees;
  3. The AI output does not affect any individual's access to, or the cost, terms, or availability of, any of the enumerated services (education, employment, credit, healthcare, housing, insurance, or legal services) as applied to that individual; and
  4. Human professional review is structurally embedded in the Service's workflow as a matter of contract and product design, such that no AI output produces a direct consequential effect on any individual without human intermediation.

Note: This determination is made in good faith based on the Company's current service design and customer profile as of the version date of this Assessment. The Company commits to re-evaluating this determination upon any material change to the Service's functionality, the Act's implementing regulations (if any), or the Company's customer base. See Section 11 (Review Schedule).

Section 5 Exemption Analysis — Why DriftPatrol Does Not Meet the High-Risk Threshold

The Act's "high-risk" designation requires, at its core, that the AI system make or substantially contribute to a "consequential decision" — defined as a decision with a significant effect on a consumer's access to or cost/terms/availability of enumerated services. The Company analyzes each element of this test below.

5.1 Does the Service Make a "Consequential Decision"?

A "consequential decision" under §6-1-1701(3) is a decision that has a "significant effect" on a consumer with respect to one of the eight enumerated domains: education, employment, financial/lending services, essential government services, healthcare, housing, insurance, or legal services.

Question | Analysis | Conclusion
Does the Service's AI output directly affect a consumer's access to legal services? | The Service delivers text summaries of regulatory webpage changes to law firms and compliance teams. The summaries inform the firm's attorneys; they do not grant or deny any individual access to legal services. A firm's decision to alter its service offering based on regulatory changes is made by licensed attorneys exercising professional judgment — not by the AI system. | No
Does the Service's AI output affect the cost or terms of legal services to a consumer? | The Service notifies attorneys of regulatory changes. Attorneys independently decide whether and how to respond, what advice to give clients, and whether to adjust fees. These are human professional judgments; the AI summary is one of many inputs (alongside court opinions, statutes, news, etc.) that inform those judgments. | No
Does the Service evaluate any individual's eligibility for anything? | The Service monitors web pages for content changes. It does not evaluate any individual person's profile, application, credit history, health information, employment record, or any other personal attribute. The AI model receives a webpage text diff as input; it has no knowledge of any individual consumer. | No
Is the AI output "a substantial factor" in any consequential decision? | The AI output is a plain-English description of webpage content changes. It is analogous to a research assistant's summary memo: one of many inputs into a professional's decision-making process. The attorney reviewing the digest exercises independent professional judgment under applicable Model Rules. The AI summary is not itself dispositive of any determination about any person. | No
Does the Service produce output that is acted upon by a consumer directly (without professional intermediation)? | No. The Service is a B2B product. Output is delivered exclusively to business-entity subscribers (law firms, compliance teams, legal-tech companies) and their professional employees. No output is ever delivered directly to an individual consumer (member of the public). Any effect on a consumer is mediated by the intervening professional judgment of a licensed attorney or compliance professional. | No

5.2 The "Consumer" Element

The Act defines "consumer" as a natural person who is a Colorado resident. §6-1-1701(2). The Act's high-risk obligations are triggered when an AI system makes consequential decisions that affect such consumers.

DriftPatrol's direct contractual counterparties are business entities, not natural persons. While the Service is ultimately used by attorneys (natural persons), those attorneys are Authorized Users of a business subscriber. They are not "consumers" in the Act's sense — they are professional end-users of a B2B enterprise tool, deploying that tool in their professional capacity on behalf of their clients. The Act's legislative history and regulatory commentary make clear that the "consumer" protection framework is aimed at AI systems that make decisions about individuals as subjects of the AI's analysis, not systems used by professionals as informational aids.

5.3 Comparison to Enumerated High-Risk Categories

The Act's implementing guidance and the FTC's analogous framework identify paradigmatic high-risk AI systems: automated credit-scoring, resume screening, insurance underwriting models, healthcare triage AI, tenant screening algorithms, and student academic-performance classification. DriftPatrol bears no functional resemblance to any of these:

5.4 The "Substantial Factor" Standard

Even assuming arguendo that the Service's output could influence a decision that ultimately affects a consumer (e.g., an attorney, informed in part by a DriftPatrol digest, adjusts her legal strategy for a client), the Service would not be a "substantial factor" in any consequential decision under any reasonable reading of that standard. The causal chain is:

  1. DriftPatrol AI detects a change on a regulatory webpage;
  2. DriftPatrol AI summarizes the change in plain English;
  3. A licensed attorney reads the summary as one of potentially many inputs;
  4. The attorney exercises independent professional judgment;
  5. The attorney advises a client;
  6. The client acts (or does not act) on that advice.

Steps 3–6 constitute multiple layers of human professional judgment entirely independent of DriftPatrol's AI output. The AI summary is not a "substantial factor" in any consequential decision reached at step 6 under any causal standard the Company is aware of.

5.5 Conclusion on High-Risk Classification

Based on the foregoing analysis, the Service does not meet the threshold of a "high-risk artificial intelligence system" under C.R.S. §6-1-1701(6). The Company is therefore not subject to the detailed impact assessment, bias testing, consumer notification, and opt-out obligations set forth in §6-1-1703 through §6-1-1706 of the Act.

Notwithstanding this determination, the Company voluntarily adopts and maintains the governance practices described in Sections 6–10 of this Assessment, which are consistent with the spirit of the Act and with the Company's obligations to its legal-professional customer base under ABA Formal Opinion 512 and analogous bar guidance.

Section 6 Data Practices

6.1 Input Data

The AI model receives, as input, the text content of publicly accessible web pages that have been designated by the Customer for monitoring. Specifically, the model receives a structured text representation of the difference between successive snapshots of a monitored page (a "diff"), together with a system prompt instructing it on summarization format.

The AI model does not receive:

6.2 AI Vendor Data Handling

The Company transmits crawled page content to Anthropic, PBC via the Anthropic Commercial API. Anthropic's published Commercial Terms commit to:

Anthropic holds SOC 2 Type II attestation and ISO/IEC 27001:2022 certification. See trust.anthropic.com.

6.3 Output Data Retention

AI-generated summaries (Digests) are stored in the Customer's tenant in DriftPatrol's Cloudflare D1 database (AES-256 encryption at rest, TLS 1.2+ in transit) for the duration of the subscription, plus a 90-day post-termination export window, followed by deletion within 90 days and backup purge within 12 months. Full retention schedule is in the DriftPatrol Data Processing Addendum, Section 3.

6.4 No Personal Data Training

DriftPatrol does not fine-tune any AI model on Customer Data. DriftPatrol does not maintain any proprietary trained model. DriftPatrol does not export Customer Data to any third party for model training, evaluation, or benchmarking.

Section 7 Human Oversight Mechanisms

The Company has implemented the following structural, contractual, and technical mechanisms to ensure human review of AI output before any consequence attaches:

Mechanism | Description | Where Documented
Mandatory disclaimer on every Digest | Every AI-generated digest carries a machine-readable and human-readable disclaimer stating: "Machine-generated summary of detected content changes. Verify against source before reliance. Not legal advice." This disclaimer is part of the email template and cannot be removed by Customers. | driftpatrol.app/disclaimer
Source link on every change | Every Digest includes a direct link to the monitored URL, enabling the recipient to read the primary source. The AI summary is explicitly positioned as a guide to the source, not a substitute for it. | Product design specification
Contractual human-review requirement | The Terms of Service and DPA explicitly require that Authorized Users review AI output before relying on it for any professional determination. Customers agree not to use output as a substitute for independent professional judgment. | Terms of Service, DPA Exhibit C
ABA 512 alignment documentation | The AI Governance page maps DriftPatrol's controls to each duty under ABA Formal Opinion 512, ensuring attorneys using the Service understand their independent supervisory obligations. | driftpatrol.app/ai-governance §4
Full audit trail | Customers can export a complete audit trail of every monitored URL, every snapshot, every diff, every AI summary (with model version recorded), and every digest delivery. This enables supervisory review at every step. | AI Governance §9
Model version notification | The Company provides at least 14 days' advance notice before any material change to the AI model version used in production, allowing Customers to reassess their reliance posture. | AI Governance §7

Section 8 Bias and Accuracy Considerations

8.1 Nature of the Task

The AI model performs a single, narrow, well-defined task: summarize the textual changes detected between two versions of a publicly accessible web page. This is a low-ambiguity, content-neutral task. The model is not classifying people, predicting behavior, or making recommendations about individuals. The concept of demographic bias — the primary concern animating the Colorado AI Act's high-risk provisions — is not applicable to this task.

8.2 Accuracy Risks and Mitigations

Known Risk | Description | Mitigation
Hallucination | The model may occasionally generate plausible but incorrect characterizations of changes, particularly for complex legal syntax, unusual document structures, or low-frequency vocabulary. | Mandatory human review; source link on every Digest; disclaimer on every output; Customer obligation to verify.
Over-summarization | The model may omit nuance present in the original change, particularly for lengthy or highly technical regulatory amendments. | Source link enables direct primary-source verification; Digests explicitly labeled as summaries, not primary authority.
Soft 404 / template false positives | A page returning HTTP 200 with "content moved" boilerplate can generate a false-positive material-change alert. | System flags and de-emphasizes common template patterns; Customer is notified and can dismiss false positives.
Model version drift | Summary style or emphasis may shift across Anthropic model versions, causing apparent changes in tone or focus that are not attributable to the underlying regulatory content. | Model version recorded per digest; 14-day advance notice of model changes; audit log enables retrospective comparison.
JavaScript-rendered content | Pages that render content via JavaScript may not be fully captured by the static crawler. | Disclosed limitation; headless-browser rendering available on Professional+ tier; Customer advised to test monitoring fidelity on dynamic pages.
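
The diff gate from Section 2.2 (step 2) combined with the soft-404 mitigation in the table above, as an added Python example that is not DriftPatrol's own code. The boilerplate phrases, the five-line threshold, the decision names and the choice to hold a flagged page back from the model are assumptions; the sample snapshots are constructed.

```python
import difflib
import hashlib
import re

# Assumed boilerplate phrases; the Assessment does not list the real patterns.
SOFT_404_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b(page|content) (has |have )?(been )?moved\b",
    r"\bpage not found\b",
    r"\bno longer available\b",
)]

def normalize(text):
    """Collapse whitespace and drop blank lines so re-wrapping is not a change."""
    lines = (" ".join(line.split()) for line in text.splitlines())
    return [line for line in lines if line]

def looks_like_soft_404(lines, max_lines=5):
    """A short body (served with HTTP 200) that matches a boilerplate phrase."""
    if len(lines) > max_lines:
        return False
    return any(p.search(line) for line in lines for p in SOFT_404_PATTERNS)

def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def evaluate_snapshot(previous, current):
    """Return the gate decision plus the fields an audit record would need."""
    prev_lines, cur_lines = normalize(previous), normalize(current)
    diff = list(difflib.unified_diff(prev_lines, cur_lines,
                                     "previous", "current", n=0, lineterm=""))
    # diff[0:2] are the ---/+++ file headers; the rest are @@ headers and +/- lines.
    changed = [line for line in diff[2:] if line[0] in "+-"]
    if not changed:
        decision = "no_change"            # pipeline terminates, nothing is sent
    elif looks_like_soft_404(cur_lines):
        decision = "flag_soft_404"        # assumed handling: hold back and flag
    else:
        decision = "summarize"            # only this diff goes to the model
    return {
        "decision": decision,
        "changed_lines": len(changed),
        "previous_sha256": sha256(previous),
        "current_sha256": sha256(current),
        "diff": "\n".join(diff),
    }

# Constructed sample snapshots (not real monitored content).
BASELINE = "Rule 4.1  Filing deadline: 30 days.\nRule 4.2  Fee: $50.\n"
REWRAPPED = "Rule 4.1 Filing deadline: 30 days.\n\nRule 4.2 Fee: $50.\n"
AMENDED = "Rule 4.1  Filing deadline: 14 days.\nRule 4.2  Fee: $50.\n"
SOFT_404 = "<html>This page has moved. Please update your bookmarks.</html>"

if __name__ == "__main__":
    for name, snap in (("rewrapped", REWRAPPED), ("amended", AMENDED),
                       ("soft 404", SOFT_404)):
        result = evaluate_snapshot(BASELINE, snap)
        print(name, result["decision"], result["changed_lines"])
```

Recording both snapshot hashes with each decision lets a reviewer confirm from the audit trail which pair of snapshots produced a given diff.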

8.3 Demographic Bias Assessment

The Service does not intake any data about individual people. No input to the AI model contains demographic attributes (race, gender, age, national origin, disability status, or any other protected characteristic). The AI model has no basis on which to apply differential treatment based on demographic characteristics. Accordingly, the demographic bias risks that animate the Colorado AI Act's high-risk provisions — disparate impact on protected classes in consequential decisions — are not materially applicable to this Service.

8.4 Ongoing Monitoring

The Company monitors AI output quality through customer feedback channels, manual sampling of Digest quality, and review of customer-reported errors. The Company commits to reporting material accuracy issues to affected Customers within a commercially reasonable time and updating this Assessment if any accuracy issue warrants revision of the risk classification determination.

Section 9 Consumer and Customer Transparency

9.1 Disclosure to Customers (Subscribers)

The following disclosures are made to all Customers prior to and during their use of the Service:

9.2 Disclosure to End-Users (Authorized Users)

Every Digest delivered to an Authorized User carries:

9.3 Colorado Consumer Disclosure Posture

Because the Company has determined that the Service is not a high-risk AI system, the consumer notification obligations of §6-1-1703(7)(b) (which require that deployers notify consumers when they are subject to a consequential decision made by a high-risk AI system) are not applicable. However, the Company's standard transparency disclosures (Sections 9.1 and 9.2) provide substantively equivalent notice to the business subscribers and their authorized users who interact with the Service.

If the Company's future customer base includes entities that use the Service in a manner that could produce output affecting Colorado consumers (as defined by the Act), the Company will reassess this position and implement any required consumer-facing disclosures at that time.

Section 10 AI Vendor Assessment

Pursuant to the Colorado AI Act's principles regarding developer obligations, and as part of the Company's own vendor due diligence, the Company has assessed Anthropic, PBC as its primary AI subprocessor:

Assessment Factor | Anthropic, PBC — Assessment
Compliance certifications | SOC 2 Type II; ISO/IEC 27001:2022; GDPR Article 28 Data Processor. Attestations available at trust.anthropic.com.
Training data exclusion | Anthropic's Commercial Terms explicitly commit that data submitted via the Commercial API is not used to train models. Confirmed as of the version date of this Assessment.
Data retention | Zero-retention by default for Commercial API submissions beyond inference processing and abuse-detection window.
Published model card / known limitations | Anthropic publishes model cards, safety documentation, and Constitutional AI alignment disclosures at anthropic.com/research. Anthropic's "Responsible Scaling Policy" commits to ongoing safety evaluations.
Bias documentation | Anthropic publishes Claude's model card documenting bias evaluation methodology and known limitations. Anthropic conducts red-teaming and RLHF-based safety alignment. Model card available at anthropic.com.
Legal basis for data transfer | Anthropic is a U.S. entity (San Francisco, CA). Data transfer is U.S.-to-U.S. for the Company's current customer profile. For any future EU/UK customers, the Company relies on Anthropic's GDPR Article 28 Data Processor compliance and SCCs as applicable.
Contract / DPA in place | Yes. The Company operates under Anthropic's Commercial Terms of Service and Data Processing Agreement, which incorporate the foregoing commitments.

Section 11 Version Control and Review Schedule

Version | Date | Change Summary | Next Review
1.0 | May 2, 2026 | Initial Assessment. Not-high-risk determination. Full statutory analysis documented. | May 2, 2027 (annual) or upon material change

11.1 Triggers for Interim Review

The Company commits to conducting an interim review of this Assessment — and updating the version if warranted — upon any of the following events:

11.2 Document Availability

This Assessment is available to:

A signed PDF version of this Assessment, suitable for vendor-management files, procurement due diligence, and regulatory submissions, is available at no charge. Response within one business day.

Section 12 Certification

The undersigned, on behalf of Deer Track Design LLC, certifies that the information set forth in this Colorado AI Act Risk Assessment is accurate and complete to the best of the Company's knowledge as of the version date, and that the Company has conducted a reasonable good-faith analysis of the applicable statutory framework.

Authorized Representative — Deer Track Design LLC
Date
Field | Value
Entity | Deer Track Design LLC
Product | DriftPatrol (driftpatrol.app)
Jurisdiction of organization | State of Illinois
Principal place of business | Bloomington, Illinois
Contact for regulatory inquiries | [email protected]
Document version | 1.0
Document effective date | May 2, 2026
Next scheduled review | May 2, 2027
Classification | Not a High-Risk AI System under C.R.S. §6-1-1701(6)

Related documents: AI Governance & Vendor Posture  ·  Data Processing Addendum (incl. Exhibit D)  ·  Privacy Policy  ·  Security Overview  ·  Not Legal Advice Disclaimer