Score your shortlist against the same 5 anchors
The interactive scorecard runs in the browser. Pass / partial / fail per question per vendor, instant verdict band, email PDF to your buying committee. No card, no gate.
Open the EU AI Act Vendor ScorecardWhat the five dimensions test
Every productivity vendor that produces an AI inference used in an employment decision — productivity scoring, idle classification routed to HR, ranking, shift allocation tied to compensation — sits inside Annex III of the EU AI Act. That triggers the full high-risk obligation stack from August 2, 2026. The scorecard below collapses the 14-question vendor framework into the five anchors that drive a buy / patch / replace decision.
- Annex III scope. Has the vendor named which of its AI inferences fall under Annex III — and which sit outside? Pass requires a written inference-by-inference mapping.
- Article 5 exposure. Does the product ship any feature in the Article 5 prohibition tier — emotion / affect inference, social-scoring, manipulative nudge? A single fail here is a halt regardless of other scores.
- Human oversight. Is there a documented oversight workflow with named roles, override authority, and a review cadence that is meaningful and not a rubber stamp?
- Deployer documentation. Does the vendor ship a deployer-ready transparency notice template, works-council briefing pack, and a 30-minute audit-trail export for any worker-affecting decision?
- Surveillance default. When the product is installed, are screenshot / keystroke / webcam capture surfaces switched on or off by default? Off by default = pass; configurable but on by default = partial.
Penalty bands for prohibited-AI violations run up to EUR 35 million or 7% of global turnover; other significant violations up to EUR 15 million or 3% — figures subject to revision in implementing regulations, verify with counsel for your jurisdiction.
The 7-vendor scorecard
| Vendor | Annex III scope | Article 5 exposure | Human oversight | Deployer docs | Surveillance default | Verdict |
|---|---|---|---|---|---|---|
| gStride | Pass | Pass | Pass | Pass | Pass | Ready |
| Toggl Track | Pass | Pass | Partial | Partial | Pass | Ready (with gaps) |
| Hubstaff | Partial | Pass | Partial | Partial | Fail | Patchable |
| Time Doctor | Partial | Pass | Partial | Partial | Fail | Patchable |
| ActivTrak | Partial | Pass | Pass | Partial | Partial | Patchable |
| Insightful | Partial | Partial | Fail | Fail | Fail | At-Risk |
| Teramind | Fail | Fail | Fail | Partial | Fail | Halt |
Per-vendor read
gStride — Ready
gStride was architected around the capture / inference split the AI Act effectively mandates. No emotion or affect inference, no social-scoring, AI framed as recommendation to a human rather than autonomous decision, surveillance capture surfaces shipped off by default. The deployer kit ships with the product — transparency notice template, works-council briefing, audit-trail export inside 30 minutes. Readiness statement and Annex III mapping documented on the solution page. Re-score quarterly.
Toggl Track — Ready with gaps
Toggl is a lean time tracker. Most of its product surface sits outside Annex III because it doesn't produce AI inferences used for employment decisions — manual or auto-timer plus reports, no scoring, no idle classification routed to HR. That collapses the Annex III and Article 5 exposure to a clean pass. Where it scores partial is the deployer kit: no published works-council pack and the human-oversight workflow is implicit rather than documented. For buyers using Toggl as a non-AI tracker, this is deployable; for buyers expecting AI features in 2027, re-score then.
Hubstaff — Patchable
Hubstaff's combination of screenshot capture plus activity scoring brings the product into Annex III for any deployment where the score informs an employment decision. Annex III mapping reads partial — some inferences are documented, others aren't. The bigger fix is the surveillance default: screenshots, app/URL tracking, and activity score are on by default per project rather than off until the deployer enables them. Move screenshot and activity capture off by default at the org level, ship a published Annex III mapping, and the verdict moves to Ready-with-gaps. Today, conditional deployment with a 30-day patch plan.
Time Doctor — Patchable
Time Doctor's pattern mirrors Hubstaff — screenshot plus productivity rating plus optional keystroke and web/app tracking. The Article 5 read is currently a pass because the explicit emotion-inference features are gated behind enterprise tier and off by default. Annex III mapping is partial: the productivity rating clearly sits inside Annex III for any HR-routed decision; the vendor has not published a complete inference inventory. Same surveillance-default issue as Hubstaff. Same patch path: org-level capture off by default, published mapping, documented oversight workflow.
ActivTrak — Patchable
ActivTrak occupies an interesting middle. The product is analytics-first — screenshot capture is optional and off by default in newer tenants, productivity classification is per-app rather than per-keystroke, and the platform has a stronger human-oversight surface than the screenshot-heavy peers. Annex III scope reads partial because productivity scoring still informs HR decisions in deployed accounts. Deployer kit reads partial — the transparency notice library exists but the works-council pack is not standardised. With a published Annex III mapping per inference and a complete deployer kit, this moves to Ready inside 60 days.
Insightful — At-Risk
Insightful (formerly Workpuls) ships screenshots, app/URL tracking, productivity score, and optional behavioral analytics. Annex III scope is partial only because the documentation hasn't caught up. Article 5 is partial because the behavioral analytics layer infers focus and disengagement signals from input cadence — that is materially adjacent to affect inference and needs a written exclusion to clear. Human oversight workflow and deployer kit are not standardised. The combination puts this in parallel-track territory: do not renew past July 2026 without a credible Q3 readiness plan from the vendor.
Teramind — Halt
Teramind ships features in standard tiers — behavioral analytics labeled as sentiment, productivity scoring tied to keystroke cadence, webcam-based anomaly detection, and DLP overlays — that are at material risk of falling inside Article 5 (emotion recognition in employment, manipulative AI, social-scoring) when used in an EU workplace. A vendor reframing these as wellbeing or risk does not change the classification. Article 5 is a prohibition tier, not a high-risk obligation tier — a single fail is a halt regardless of other scores. EU buyers should replace the vendor and build the migration plan now — August 2 is too close to drift.
Verdict bands — what to do at each
- Ready. Proceed to deployment with works-council briefing. Set a Q4 2026 re-review.
- Ready with gaps. Deploy if the gap is in the deployer kit, not the product. Close gaps inside the first 60 days.
- Patchable. Conditional deployment with a 30-day patch plan from the vendor. Hold renewal on patch completion. If the patch slips past July 1, parallel-track an alternate vendor.
- At-Risk. Parallel-track an alternate vendor today. Do not renew past July 2026 unless the provider gap closes with documented evidence.
- Halt. Replace the vendor. Build the migration plan now. If your deployment continues into August 2026 with a halt-grade vendor, the regulator reads your contract as informed consent to a prohibited feature.
Pull the per-vendor evidence file
Run the same 5 anchors plus 9 deeper questions against your shortlist. PDF lands in inbox in 90 minutes. No card.
Open the EU AI Act Vendor Scorecard Read the 14-question frameworkRelated reading
For the regulatory background, see EU AI Act & employee time tracking compliance for the prohibited-vs-high-risk split. The 14-question CISO framework is the long-form rubric this scorecard collapses. The GDPR-compliant monitoring piece covers the data-protection layer that sits beneath the AI Act. For the Article 5 swap pattern, see the alternative to keystroke tracking.
Frequently asked questions
Which productivity software vendors are EU AI Act compliant in 2026?
As of May 2026, no major productivity vendor has published a complete EU AI Act readiness statement covering Annex III mapping, Article 5 exclusions, conformity assessment route, EU database registration, and a deployer kit. Vendors that score closest to Ready in our 7-vendor scorecard are those whose products avoid Article 5 features (no emotion/affect inference, no social-scoring) and ship configurable surveillance defaults off — gStride scores Ready in this matrix; Toggl Track scores Ready-with-gaps because its lean tracker stays outside Annex III for most use cases. Hubstaff, Time Doctor, ActivTrak, Insightful, and Teramind each have at least one anchor that needs fixing before August 2, 2026.
What is the August 2, 2026 EU AI Act deadline?
August 2, 2026 is when high-risk-system obligations under Article 6 plus Annex III of the EU AI Act begin to apply to workplace AI that is already on the market. Productivity vendors that produce AI inferences used in employment decisions (productivity scoring, idle classification routed to HR, ranking, shift allocation tied to compensation) must have a conformity assessment, technical documentation, post-market monitoring, transparency design, human oversight architecture, logging, and EU database registration in place by that date. Verify the exact dates and staged enforcement timeline with counsel.
Are Hubstaff and Time Doctor EU AI Act compliant?
Both vendors are working toward compliance but neither has a published readiness statement we could score as a clean pass on all five dimensions as of May 2026. Hubstaff and Time Doctor share the same exposure pattern: screenshot capture plus activity scoring brings their products into Annex III for any deployment where the score informs an employment decision, and their default-on surveillance configuration is a deployer-side risk under Article 26. Each could move to Patchable status with documented per-role configuration, a published Annex III mapping, and a deployer kit. Verify current vendor posture against the linked scorecard tool.
Does Teramind fall under EU AI Act Article 5 prohibitions?
Teramind ships features in its standard tier — including behavioral analytics labeled as sentiment, productivity scoring tied to keystroke cadence, and webcam-based anomaly detection — that are at material risk of falling inside Article 5 (emotion recognition in employment, manipulative/deceptive AI, social-scoring) when used in an EU workplace. A vendor reframing these as wellbeing or risk does not change the classification. Article 5 is a prohibition tier, not a high-risk obligation tier — a single fail here is a halt verdict regardless of other scores. Verify current product configuration with counsel before any EU deployment.
What is the difference between Ready, Patchable, and At-Risk vendor verdicts?
Ready means pass on all five scorecard dimensions — no Article 5 features, clean Annex III mapping, documented human oversight workflow, deployer kit shipped, surveillance defaults off. Patchable means one or two partial scores on deployer-kit anchors (configurable defaults, oversight workflow) that the buyer can close inside 30 days post-purchase. At-Risk means Article 5 looks clean but three or more provider-side anchors are missing — the buyer needs to parallel-track an alternate vendor. Halt means any Article 5 fail, or fewer than half the anchors pass — replace the vendor. Use the 14-question scorecard for the per-vendor evidence record.
What documentation must a deployer of high-risk workplace AI publish under the EU AI Act?
Under Articles 13, 14, and 26 of the EU AI Act, a deployer of high-risk workplace AI must publish a transparency notice to affected workers and their representatives in advance of deployment, maintain a documented human oversight workflow naming the responsible person and the override path, retain the provider's technical documentation and conformity assessment, register the deployment in the EU AI database where applicable, run a Fundamental Rights Impact Assessment in public-sector contexts and increasingly in private-sector ones, and log operation per the post-market monitoring obligation. The deployer kit a vendor ships should make all six artefacts producible without legal-team rework. Verify specific obligations with counsel; implementing regulations are still being finalised.
If a vendor scores Patchable, what does a buyer do before August 2, 2026?
Three-step remediation. Step 1 — document the gap. Write down which of the five anchors is partial (usually deployer-kit, configurable defaults, or oversight workflow) and the evidence the vendor has shared. Step 2 — contract the fix. Add a contractual milestone to the purchase order or renewal naming the artefact, the responsible vendor contact, and the delivery date — most Patchable items close inside 30-60 days when contracted. Step 3 — parallel-track a Ready alternate. If the milestone slips past the buyer's internal August 2 cutoff (most buyers set this 30-60 days ahead of the regulatory date for safety margin), execute the alternate. The cost of a vendor swap is lower than the cost of running a Patchable vendor through August 2 with no contracted closure.
This article scores seven productivity software vendors against the EU AI Act as it applies to workplace AI vendor selection as of May 2026, ahead of the August 2, 2026 high-risk-system enforcement date. Vendor scores reflect product configuration and public documentation at time of writing; vendor postures change, and implementing regulations and guidance are still being finalised. Verify specific obligations, deadlines, conformity assessment routes, registration scope, penalty schedules, and current vendor evidence with legal counsel for your jurisdiction. The scorecard is a buyer aid, not legal advice.