Automated decisions and human oversight
Ultron runs autonomous agents that plan and act. When an agent does something that reaches outside your workspace or carries real consequence, the platform is built to put a human in control of the moment that matters. This page documents where automated processing happens, the design of the human approval gate, how that design supports your obligations under Article 22 of the GDPR, and the division of responsibility between you as controller and Ultron as processor. It is written to be relied on by a data protection officer assessing the platform.
Overview
- Autonomous planning
- Yes, drafting and planning run automatically
- Consequential actions
- Routed through a human approval gate
- Solely automated significant decisions
- Not made without a route to human intervention
- Human intervention
- Available at every point in a run
- Legal basis frame
- GDPR Article 22 and Articles 13 to 15
- Audit trail
- Every agent action logged with actor, action, target, time
- Contact
privacy@51ultron.com
Autonomy is the product. Autonomy without oversight is a liability. The platform resolves that tension by drawing a hard line between thinking and acting. Reasoning, drafting, planning, retrieval, and rendering run automatically because they are reversible and never leave your workspace. Actions with external effect are treated as decisions: they are surfaced for a human choice rather than executed silently. This page explains exactly where that line sits and what it means for compliance.
Definitions
| Term | Meaning |
|---|---|
| Automated decision | A decision reached by automated processing without meaningful human involvement in the decision itself |
| Solely automated | Made with no meaningful human assessment that can influence the outcome. A rubber-stamp is not meaningful involvement |
| Profiling | Automated processing of personal data to evaluate, analyse, or predict aspects of a person |
| Significant effect | A legal effect on a person, or a similarly significant effect, such as a hiring, credit, or access decision |
| Approval gate | The human-in-the-loop checkpoint that pauses a run before an action with external effect executes |
| External effect | An action that changes something outside your workspace or contacts a third party |
| Controller and processor | As defined in the GDPR. You are typically the controller; Ultron is your processor |
Two classes of activity
Every agent step falls into one of two classes, handled differently by design.
| Class | Examples | How it runs |
|---|---|---|
| Reversible, in-workspace | Drafting copy, building a plan, analysing data, retrieving from memory, rendering a canvas, scoring options | Runs automatically. Nothing leaves your workspace and anything can be discarded |
| External or consequential | Sending email, posting content, spending budget, writing to a connected system, contacting a third party, triggering an irreversible operation | Surfaced through the approval gate and held until a human decides |
The classification is by effect, not by how confident the model is. A high-confidence draft of an outreach email is still only a draft until a human releases it. The model's certainty never substitutes for the human decision on a step that leaves the building.
The approval gate
How it works
The human-in-the-loop approval gate is a first-class primitive in the platform, not a setting bolted on top. When an agent reaches a step that would have external effect, the run pauses, the proposed action is surfaced with its inputs and intended target, and it waits for an explicit decision. You approve, edit then approve, or reject. The technical mechanism of the pause, the persistence of the pause point, and how a run resumes are documented in the product docs under Human in the loop and Resume and approvals.
Run states at the gate
| State | Meaning |
|---|---|
| Proposed | The agent has prepared an action with external effect and paused |
| Awaiting decision | The action is shown to you and held; nothing has executed |
| Approved | You released the action; it executes and is logged |
| Edited and approved | You changed the inputs, then released the edited action |
| Rejected | You declined; the action does not execute and the agent re-plans or stops |
privacy@51ultron.com.Actions that require approval
The default classes of action that stop at the gate before executing.
| Action class | Example | Default |
|---|---|---|
| Outbound communication | Sending an email, posting to a channel, messaging a contact | Held for approval |
| Spend | Incurring a cost, placing an order, committing budget | Held for approval |
| Publishing | Posting content to a public surface or a connected destination | Held for approval |
| External writes | Creating or changing a record in a connected third-party system | Held for approval |
| Irreversible operations | Deleting external data, actions that cannot be undone | Held for approval |
| In-workspace work | Drafting, planning, analysis, retrieval, rendering | Runs automatically |
GDPR Article 22
The right
Article 22(1) of the GDPR gives a person the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them. The right is engaged only where a decision is both solely automated and significant in effect.
How the platform supports it
The platform is designed so that an action with external effect does not execute on a solely automated basis: the approval gate inserts a meaningful human decision before the action runs, and that decision can change or stop the outcome. Used as designed, the consequential step is not solely automated, because a human assessment capable of influencing the outcome sits in front of it.
The exceptions and the safeguards
Article 22(2) permits solely automated significant decisions only where they are necessary for a contract, authorised by law, or based on explicit consent. Even then, Article 22(3) requires safeguards: at least the right to obtain human intervention, to express a point of view, and to contest the decision. If you choose to automate a significant decision end to end, you must rely on a valid exception and provide those safeguards to the affected person. The platform gives you the controls; the basis and the safeguards are your responsibility as controller.
Information about the logic
Articles 13(2)(f), 14(2)(g), and 15(1)(h) of the GDPR require that, where solely automated decision-making under Article 22 takes place, the controller provides meaningful information about the logic involved and the significance and envisaged consequences for the person. For workflows you build on Ultron, you are the controller and must provide that information. To help you, the platform records what inputs an agent used, what action it proposed, and the outcome, so you can describe the logic of a given decision in meaningful, non-technical terms to a person who asks.
Roles and responsibility
When you use Ultron to process the personal data of other people, you are the controller and Ultron is your processor under the Data Processing Addendum. You decide the purpose of a workflow and whether to automate a step end to end. You are responsible for the lawfulness of any decision you make with the agent's output, for relying on a valid Article 22 exception where you automate a significant decision, and for providing the required safeguards and information to the affected person. Ultron provides the oversight controls, the approval gate, and the audit trail that let you meet those duties.
Human intervention and contest
At any point in a run you can pause the agent, take over a step, edit a proposed action, or reject it before it executes. These are the means by which a human assessment enters the loop. Where you operate a workflow that affects other people, you should provide those people with a route to obtain human intervention, express a point of view, and contest a decision, as Article 22(3) requires. Data subjects whose personal data you process through Ultron should direct such requests to you as the controller; if a request reaches Ultron, it is forwarded to you as described in the Data Processing Addendum.
Reversal and remediation
Reversibility is the reason the gate sits where it does. Before an action executes, rejecting it leaves no external trace. After an action has executed, reversibility depends on the action: some can be undone, some cannot, which is why irreversible operations are held at the gate by default. If an action ran and you believe it was taken in error, contact us and a person will review the audit trail with you and help remediate where remediation is technically possible. We cannot unsend a delivered email, but we can help you understand exactly what happened and stop a pattern from repeating.
Audit trail
Every action an agent takes is recorded with the actor, the action, the target, and a timestamp, and is tied to a request id you can quote when you contact support. Proposed actions, approvals, edits, and rejections are recorded so the decision history of a run is reconstructable. Background jobs and tool calls are visible in the Background Jobs surface. The logging and monitoring controls behind this, including who can read the logs and how long they are kept, are documented on the Security page and the Privacy Policy.
Our own automated processing
Separately from the agents you run, Ultron applies automated processing to operate the service, for example anti-abuse and fraud signals on accounts. As stated in the Privacy Policy, we do not make decisions that produce legal effects on users solely by automated means: where an automated signal contributes to an account action that materially affects a user, a human reviews the outcome before the action is taken. For that processing Ultron is the controller and the Privacy Policy governs.
Relationship to the AI Act
The oversight design on this page also supports the human-oversight expectations of the EU AI Act for the uses to which it applies. Where your use of an agent falls into a high-risk category under the Act, additional obligations attach to you. Our reading of how the AI Act applies to the platform, and where your duties begin, is on the EU AI Act posture page.
Contact
Questions about automated processing, the approval gate, or Article 22 go to privacy@51ultron.com. The contractual framing of Ultron as your processor is in the Data Processing Addendum, and our own controller-side processing is in the Privacy Policy.