Regulation (EU) 2024/1689 — Practical Compliance Guidance for American Companies
Introduction: Why the EU AI Act Matters for US Businesses
On August 1, 2024, Regulation (EU) 2024/1689—commonly known as the EU AI Act—entered into force, marking a watershed moment in the global regulation of artificial intelligence. Modeled in part on the regulatory philosophy of the GDPR, the AI Act adopts a risk-based framework that imposes graduated obligations on those who develop, deploy, and use AI systems. Among the most broadly applicable of those obligations are the transparency requirements, which extend well beyond the EU’s borders and will directly affect countless American companies.
Transparency—the requirement to be open about when AI is being used, how it works, and what it does—sits at the ethical and practical heart of the AI Act. The European legislature proceeded from the conviction that individuals can only make meaningful choices, exercise their rights, and seek redress if they understand when and how artificial intelligence is shaping decisions about them. This principle infuses a wide range of the Act’s provisions, from specific disclosure rules for chatbots and deepfakes to detailed documentation obligations imposed on providers of high-risk AI systems and general-purpose AI models.
For US companies, the learning curve is significant. Many will already be familiar with domestic proposals such as the Blueprint for an AI Bill of Rights or various state-level initiatives, but the EU AI Act is of a different character: it is binding, enforceable law with substantial financial penalties. American businesses that offer products or services to European consumers, process European personal data, or provide AI-driven outputs that are used within the European Union cannot treat the AI Act as a distant foreign concern. This guide examines the transparency obligations in detail and provides practical direction for US businesses seeking to achieve and maintain compliance.
Extraterritorial Scope: When Does the EU AI Act Apply to US Companies?
Article 2 of the AI Act sets out its territorial scope, and its reach is deliberately broad. The Regulation applies to providers—those who develop or have AI systems developed and place them on the market or put them into service under their own name or trademark—regardless of where those providers are established, provided the AI system is placed on the EU market or put into service in the EU. It also applies to deployers of AI systems located within the EU and, critically, to providers and deployers established outside the EU where the output produced by an AI system is used in the EU.
The distinction between providers and deployers is fundamental to understanding which obligations fall on which entity. A provider is an entity that places an AI system on the market or puts it into service, whether as part of a commercial offering or otherwise. A deployer is an entity that uses an AI system under its authority for professional purposes. A US company that develops an AI-powered recruitment tool and licenses it to European HR departments is a provider. A US company that uses a European chatbot platform to provide customer service in Germany is a deployer. Both categories carry transparency obligations, though the specific requirements differ.
The “output used in the EU” limb is particularly significant. It captures situations where a US company’s AI system never physically operates in Europe but its outputs—a recommendation, a decision, a piece of generated content—are received or acted upon by a person in the EU. This means, for example, that a US company running a content generation platform whose European users receive AI-generated articles would likely fall within scope, even if all the AI infrastructure sits in American data centers.
Importantly, Article 2 carves out certain activities. AI systems developed or used exclusively for military, national security, or law enforcement purposes by public authorities in specific circumstances fall outside scope. Pure research and development activity is also excluded where AI systems are not yet placed on the market. US companies should nonetheless undertake a careful scoping analysis rather than assuming they fall within an exclusion: the available exemptions are narrower than they may initially appear.
The Risk-Based Framework: Where Transparency Obligations Fit
The AI Act organizes AI systems into a tiered risk architecture. At the apex are prohibited AI practices—systems whose risks are considered so severe that no legitimate use case can justify them. These include AI systems that deploy subliminal techniques to manipulate behavior, exploit vulnerabilities of specific groups, and enable real-time remote biometric identification in public spaces in most circumstances. These prohibitions became applicable from February 2, 2025.
Below prohibited practices sit high-risk AI systems, defined by reference to their use in specific high-stakes domains enumerated in Annex III. These include AI used in critical infrastructure management, education, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and the administration of justice. High-risk systems attract the most extensive set of obligations under the Act, including conformity assessments, technical documentation, logging, transparency requirements, human oversight, and registration in an EU database. These obligations apply from August 2, 2026, though a longer transition period applies to some existing high-risk systems.
A separate and increasingly commercially significant category is general-purpose AI (GPAI) models—large-scale foundation models trained on broad data and capable of performing a wide range of tasks. GPAI models attract their own bespoke transparency and documentation requirements, with heightened obligations for those considered to pose systemic risk. GPAI obligations became applicable from August 2, 2025.
Cutting across all of these tiers—and applicable to a much wider range of AI systems—are the transparency obligations contained primarily in Article 50. These obligations apply not only to high-risk systems and GPAI models but to a broad category of AI systems that interact with, or generate content likely to be encountered by, natural persons. For US businesses, Article 50 is often the first—and most immediately applicable—compliance challenge.
Article 50: Core Transparency Obligations for Specific AI Systems
Article 50 establishes what are sometimes called “light transparency” obligations because they are less burdensome than the full suite of high-risk requirements, but they are far from trivial. They fall into four principal categories.
AI Systems Interacting with Natural Persons
Article 50(1) requires providers of AI systems intended to interact directly with natural persons to ensure that those systems are designed and developed so that the persons concerned are informed they are interacting with an AI system. This disclosure must be made in a clear and distinguishable manner, prior to and at the outset of the interaction. The obligation targets the wide universe of conversational AI applications—including customer service chatbots, virtual assistants, AI-powered telephone response systems, and any other interface in which a human user might reasonably believe they are engaging with another human being.
There is, however, an important qualification: the disclosure obligation does not apply where the AI nature of the system is obvious from the context or circumstances of use. An automated telephone tree that every caller understands to be a machine, or an AI writing assistant integrated into a document-editing platform where users clearly know they are using software, would not trigger the disclosure requirement. But that exception must be applied cautiously. Regulators are likely to take a demanding view of what constitutes “obvious from context,” and US businesses should resist the temptation to read the exception broadly. When in doubt, disclosure is the safer course.
Where the AI system is used to provide legal, medical, financial, or other sensitive professional advice, the contextual disclosure argument becomes even harder to sustain. Even where a service is AI-powered, users interacting in high-stakes contexts often have a reasonable expectation that a human professional is available or involved. Companies operating in these sectors should treat Article 50(1) disclosure as mandatory in virtually all circumstances.
Emotion Recognition and Biometric Categorization Systems
Article 50(2) imposes specific disclosure obligations on deployers of two categories of AI system that raise particularly acute privacy and dignity concerns: emotion recognition systems, which infer or classify a person’s emotional state from physiological or behavioral signals such as facial expressions, voice, or body language; and biometric categorization systems, which classify individuals into groups based on their biometric data.
Deployers of such systems are required to inform the natural persons who are exposed to them that they are being subject to emotion recognition or biometric categorization. This must be done in an unambiguous manner before the system is deployed in a given context. The obligation applies to deployers, not only to providers—an important distinction for US companies that may be purchasing and integrating third-party AI components into their platforms or physical premises. If a US retailer deploys a European-market emotion recognition system at its stores in Germany, that retailer, as the deployer, bears this disclosure duty.
This provision intersects with the GDPR, which separately requires lawful basis and transparency notices for processing of biometric data, which constitutes a special category of personal data under Article 9 GDPR. US companies with EU operations should ensure that their AI compliance program is coordinated with their data protection compliance function, as these regimes overlap substantially but are not identical.
Synthetic Content and Deepfakes
Article 50(3) addresses the challenge of AI-generated synthetic media. Providers of AI systems that generate or manipulate image, audio, or video content that constitutes a deepfake—meaning content that bears a resemblance to existing persons, objects, places, or other entities or events and would falsely appear to a person to be authentic or truthful—must ensure that the content is marked in a machine-readable format and is detectable as artificially generated or manipulated. This is distinct from requiring a visible watermark or disclosure on the content itself, though visible disclosures may also be required by deployers.
Article 50(4) complements this by requiring deployers who use such AI systems to disclose to the persons exposed to the output that the content has been artificially generated or manipulated. This disclosure must be made clearly, in an appropriate manner, and before or at the time the content is first presented. The deployer obligation is separate from the provider’s machine-readable marking duty and ensures that human-facing disclosure accompanies the technical metadata requirement.
The AI Act provides a limited carve-out for content forming part of an evidently artistic, creative, satirical, or fictional work or program. Where such content falls within these categories, the disclosure obligation is more nuanced: it must not interfere with the display or enjoyment of the work but must still be made discernible to persons consuming the content. US companies operating in the media, entertainment, advertising, or marketing sectors need to assess each use case individually; blanket reliance on a creative exception is unlikely to withstand regulatory scrutiny.
AI-Generated Text in Matters of Public Interest
Article 50(5) introduces a disclosure obligation applicable specifically to AI systems generating text that is published with the purpose of informing the public on matters of general interest. Deployers of such systems must disclose that the text has been AI-generated. This provision is directed at news and current affairs publishing, political communication, and information services, and reflects the legislature’s concern about AI-generated disinformation and the erosion of trust in public discourse. For US media companies, publishers, and political communications agencies with European audiences, this provision is particularly salient.
Transparency Obligations for High-Risk AI Systems
For AI systems that qualify as high-risk under Annex III of the AI Act, the transparency obligations are considerably more extensive than those under Article 50 alone. High-risk systems must satisfy multiple transparency-related requirements as part of the broader conformity assessment process.
Technical Documentation
Article 11 requires providers of high-risk AI systems to draw up and maintain technical documentation before placing the system on the market or putting it into service. This documentation must be kept up to date and must contain all the information necessary to enable national competent authorities and notified bodies to assess the system’s compliance. Annex IV sets out its contents in detail, requiring information about the general description of the system, a detailed description of its elements and development process, information on training methodologies and datasets, the results of testing and validation, cybersecurity measures, and a declaration of conformity.
The documentation obligation is a form of structural transparency directed at regulators and the supply chain rather than at end users. For US providers seeking access to European markets with high-risk AI products—in areas such as employment screening, creditworthiness assessment, access to educational institutions, or medical device AI—building and maintaining compliant technical documentation is a foundational compliance investment.
Instructions for Use
Article 13 requires high-risk AI systems to be designed and developed to ensure that their operation is sufficiently transparent to enable deployers to understand the system’s outputs and use them appropriately. Providers must accompany high-risk AI systems with clear and adequate instructions for use. These instructions must include, among other matters, the identity and contact details of the provider, the system’s capabilities and limitations including the conditions under which it can be expected to perform reliably, the level of accuracy and the metrics used to measure it, any known and foreseeable risks to health, safety, and fundamental rights, the degree of human oversight required, and any technical measures or procedures necessary for safe deployment.
This is not a mere formality. The instructions for use are integral to the AI system as a regulated product and form part of the conformity assessment record. They are also the primary mechanism by which deployers—who may have no insight into the system’s internal workings—can satisfy their own obligations under the Act, including the duty to conduct a fundamental rights impact assessment for certain high-risk deployments.
Logging, Record-Keeping, and Audit Trails
Article 12 requires high-risk AI systems to have logging capabilities built in by design. These automatic logs must enable a level of traceability of the system’s functioning throughout its lifecycle appropriate to the risks it poses. The logs must capture, at a minimum, information identifying the system and the version used, the date and time of each use, and—critically—any events that constitute or may constitute a risk to fundamental rights or health and safety during the course of operation. Deployers of high-risk systems are required under Article 26 to retain these logs for a period consistent with applicable legal obligations, and national sectoral rules may extend this period.
The logging requirement has an important transparency dimension for affected persons. In contexts where high-risk AI is used to make or assist in decisions that affect individuals—such as automated rejection of a job application or an adverse credit assessment—the availability of reliable, tamper-resistant logs is the prerequisite for any subsequent exercise of rights by the individual, including rights of explanation, contestation, or redress under the GDPR or national law.
Transparency Towards Natural Persons
Article 50 applies to high-risk AI systems as to other AI systems, but deployers of high-risk systems also have specific transparency duties under Article 26. Where a high-risk AI system makes or assists in making decisions that produce legal or similarly significant effects on natural persons, those persons must be informed that they are subject to the use of the high-risk AI system. This right to information exists independently of GDPR rights and must be provided in clear and plain language. Deployers must also inform the persons concerned of the human oversight available and of the channels through which they may seek redress.
General-Purpose AI Models: A New Transparency Frontier
Among the most commercially significant provisions of the AI Act for US technology companies are those governing general-purpose AI (GPAI) models. Chapter V, which became applicable from August 2, 2025, establishes a distinct regime for large foundation models that are trained on vast datasets and are capable of performing a wide range of tasks across multiple domains. This category encompasses the large language models, multimodal models, and text-to-image systems developed by leading American AI laboratories and deployed via APIs across global markets.
Article 53 sets out the baseline transparency obligations for GPAI model providers. They must draw up and maintain technical documentation sufficient to enable the European AI Office—a new supervisory body established within the European Commission—to assess compliance. This documentation must include information about the model architecture, training methodologies, the size of the training dataset and the categories of data it contains, the computational resources used, the model’s capabilities and limitations, and any measures taken to identify and mitigate foreseeable risks including risks to health, safety, and fundamental rights.
Providers of GPAI models are also subject to a transparency obligation toward downstream providers who integrate their models into their own AI systems or products. They must provide to those downstream providers information about the model’s capabilities and limitations in a manner that enables them to comply with their own obligations under the AI Act. This creates a transparency chain running from the foundation model developer down through the value chain to the ultimate deployer. US companies that provide foundation model APIs to European customers bear explicit duties to enable those customers’ compliance.
An additional obligation under Article 53 requires GPAI model providers to have in place a policy to respect intellectual property rights under EU law, and to publish a sufficiently detailed summary of the content used for training. This training data transparency requirement has proven one of the more contested provisions among GPAI developers, and the AI Office is expected to issue guidance specifying the required content and format of these summaries.
GPAI Models with Systemic Risk
Where a GPAI model is assessed to pose systemic risk—a designation triggered in the first instance by models trained using a cumulative amount of compute exceeding 10^25 floating-point operations (FLOPs), though the Commission may modify this threshold—Article 55 imposes additional transparency obligations. Providers of such models must perform and document adversarial testing, report serious incidents and corrective measures to the AI Office, ensure an adequate level of cybersecurity protection, and conduct post-market monitoring of their models’ effects. The systemic risk designation effectively treats these models as critical AI infrastructure warranting ongoing regulatory scrutiny.
Several of the major US AI developers have models that already meet or approach the systemic risk threshold. For those companies, the GPAI obligations under the AI Act are not peripheral compliance matters but core operational requirements that must be embedded into model development and release processes.
Prohibited Practices with Transparency Dimensions
The prohibitions set out in Article 5, which became applicable from February 2, 2025, are structurally distinct from the transparency obligations but are closely related to them in purpose. Several of the prohibited practices are, at their core, the antithesis of transparency.
Article 5(1)(a) prohibits AI systems that deploy subliminal techniques operating below the threshold of human consciousness, or that use deliberately manipulative or deceptive techniques, with the objective or effect of distorting the behavior of a natural person in a way that causes or is reasonably likely to cause significant harm. This prohibition captures AI-driven dark patterns—design techniques that exploit cognitive biases to nudge users into decisions they would not otherwise make—when those patterns operate through covert mechanisms. A US company running an AI system that dynamically adjusts its persuasive messaging based on inferred psychological vulnerabilities without user awareness would risk falling within this prohibition.
Article 5(1)(b) similarly prohibits AI systems that exploit vulnerabilities of specific groups of persons—due to their age, disability, or social or economic situation—in a manner that causes or is reasonably likely to cause significant harm. Both prohibitions reflect the principle that AI should not be used to subvert or undermine individuals’ rational agency, a principle that undergirds the entire transparency framework.
Technical Standards, Codes of Practice, and Implementation Guidance
The AI Act creates a layered implementation framework that will be filled in over time by harmonized technical standards, codes of practice, and regulatory guidance. The European Committee for Standardization (CEN) and the European Committee for Electrotechnical Standardization (CENELEC) have been mandated to develop harmonized standards for aspects of the Act including transparency and explainability. Compliance with these standards, once published, will give rise to a presumption of conformity with the corresponding provisions of the Act.
For GPAI providers, the AI Office has led a code of practice development process involving significant industry engagement. The codes of practice, while technically voluntary where harmonized standards exist, are expected to represent the de facto compliance standard for GPAI model obligations, including transparency and documentation requirements. US AI companies that participate constructively in this process, and align their practices with the resulting codes, will be better positioned for regulatory scrutiny.
US businesses should also monitor guidance from the AI Office and from national competent authorities in key EU member states, particularly those with significant technology regulatory capacity such as France (CNIL and ANSSI), Germany (BNetzA and BSI), and the Netherlands. As with GDPR enforcement, national variations in supervisory approach are likely to emerge, and businesses with significant operations in specific member states should develop relationships with the relevant authorities early.
Enforcement: Penalties and Supervisory Architecture
The financial penalties available under the AI Act are substantial and are structured to reflect the relative severity of different violations. Infringement of the prohibited AI practices provisions attracts the highest penalties: up to €35 million or, if the offender is an undertaking, up to 7% of total worldwide annual turnover in the preceding financial year, whichever is higher. Violations of most other obligations, including the transparency provisions of Article 50, the high-risk system requirements, and the GPAI obligations, carry penalties of up to €15 million or 3% of worldwide annual turnover. Providing false or misleading information to competent authorities carries penalties of up to €7.5 million or 1.5% of worldwide turnover.
For SMEs and startups, the Act provides that penalties should be proportionate to their economic circumstances, and the percentages rather than fixed monetary thresholds will apply to ensure proportionality. However, for large US technology companies with substantial global revenues, even 3% of worldwide turnover represents a potentially enormous sanction.
Enforcement authority is divided between member state authorities and the European AI Office. Each member state is required to designate one or more national competent authorities to supervise and enforce the AI Act within its jurisdiction, at least one of which must be a market surveillance authority. The AI Office has primary supervisory competence over GPAI model providers and also coordinates enforcement across member states. This dual-track enforcement architecture mirrors the GDPR’s lead supervisory authority mechanism, and many of the practical lessons learned from GDPR enforcement—about the importance of engaging early with supervisory authorities, maintaining robust records, and responding promptly to regulatory inquiries—apply with equal force here.
Compliance Timeline: Key Dates for US Businesses
The AI Act’s phased implementation schedule means that the compliance demands on US businesses intensify over time. Businesses should understand these key dates and plan their compliance investments accordingly.
August 1, 2024 marked entry into force, triggering the beginning of all transitional periods. February 2, 2025 was the date on which the prohibited AI practices provisions became applicable. This was the earliest binding obligation under the Act, and any company with AI systems that could fall within the prohibition on subliminal manipulation, exploitation of vulnerable groups, or other prohibited practices was required to have assessed and remediated its systems by that date.
August 2, 2025 brought the GPAI model obligations into force, alongside the provisions on governance, the establishment of the AI Office, and the designation of national competent authorities. US foundation model providers were required to have their technical documentation, policy on intellectual property, and information-sharing arrangements with downstream providers in place by this date.
August 2, 2026 is the primary compliance deadline for the full range of high-risk AI system obligations, including the Article 50 transparency requirements as they apply to all AI systems within scope. This date also marks the applicability of obligations on deployers, including registration requirements and fundamental rights impact assessments for certain deployments. Companies placing high-risk AI systems on the EU market must have completed their conformity assessments, registered in the EU database, and ensured their documentation and instructions for use are compliant before this date.
A longer transition period until August 2, 2027 applies to existing high-risk AI systems that are already on the market and that were covered by pre-existing EU harmonization legislation. Companies relying on this extended period should note that it does not suspend all obligations: any significant modification of an existing system may cause it to fall outside the transitional protection.
Building a Transparency Compliance Program: Practical Steps for US Businesses
Given the complexity and breadth of the AI Act’s transparency obligations, US businesses that use, develop, or integrate AI systems with any European dimension should approach compliance as a structured program rather than a checklist exercise. The following steps provide a practical framework for building such a program.
The starting point is an AI inventory: a comprehensive audit of all AI systems used or provided by the organization that may be within scope of the AI Act. This inventory should map each system against the Act’s risk categories, identify whether the company is acting as provider, deployer, or both in respect of each system, and record the datasets and purposes associated with each system. Many US companies will be surprised by the breadth of their AI footprint: AI is embedded in customer service tools, HR platforms, marketing analytics, fraud detection, security systems, and numerous other business functions that may touch European markets or European data subjects.
Once the inventory is complete, companies should conduct a gap analysis against the applicable transparency requirements. For systems subject to Article 50, this means reviewing whether adequate disclosures are made to users at the point of interaction with chatbots or other AI-driven interfaces, whether emotion recognition and biometric systems carry appropriate notices, and whether AI-generated content is properly identified and marked. For high-risk systems, the gap analysis should assess the adequacy of technical documentation, instructions for use, and logging infrastructure. For GPAI model providers, the analysis should cover the technical documentation, training data summaries, and information-sharing obligations toward downstream providers.
Disclosure mechanisms require specific design attention. Article 50 requires that disclosures be made in a clear and distinguishable manner, and the timing, form, and language of such disclosures must be suitable for the audience and context. Legal notices buried in terms and conditions or displayed only after an interaction has commenced are unlikely to satisfy the requirement. Businesses should work with their legal, product, and UX teams to develop disclosure approaches that are conspicuous, comprehensible, and delivered at the right moment in the user journey.
Supplier and vendor management is another critical dimension. US companies that rely on third-party AI tools, APIs, or platforms must understand the allocation of obligations in their supply chain. Where a US company deploys a third-party AI system in an EU context, it may bear deployer obligations regardless of what the provider has or has not done. Contracts with AI vendors should allocate transparency-related responsibilities clearly, ensure that providers furnish the documentation and information needed for the deployer’s compliance, and provide for notification of any changes to the AI system that could affect the deployer’s compliance status.
Staff training and internal governance round out an effective compliance program. Employees who interact with AI systems in the course of their work, and managers who commission or oversee AI-driven processes, should understand the basic principles of the AI Act and the company’s obligations. A designated AI compliance function—whether a dedicated officer, a committee, or a cross-functional working group—should be responsible for monitoring regulatory developments, updating the AI inventory, and managing compliance across the organization. Given the AI Act’s close relationship with the GDPR and other EU digital regulation, there is significant benefit to integrating AI governance into the broader data protection and digital compliance function.
The Relationship Between the AI Act and Other EU Law
The AI Act does not operate in isolation. It forms part of a broader EU digital regulatory ecosystem, and its transparency obligations interact with and sometimes reinforce obligations arising under other instruments. US businesses must map these interactions carefully to develop a coherent, integrated compliance approach.
The GDPR is the most significant co-existing framework. When AI systems process personal data—which will be the case for the vast majority of consumer-facing AI applications—the GDPR’s transparency obligations apply alongside those of the AI Act. Under Articles 13 and 14 GDPR, data subjects must be informed of the existence of automated decision-making, including profiling, and must receive meaningful information about the logic involved and the significance and envisaged consequences for the data subject. The AI Act’s transparency requirements do not replace these GDPR obligations but layer on top of them, with the result that the combined disclosure burden is more extensive than either framework alone would require.
The Digital Services Act (DSA) introduces transparency obligations for online platforms regarding recommender systems, including requirements to explain the main parameters used in recommendation algorithms and to offer users options to modify or influence those parameters. For US companies operating large online platforms with EU users, the DSA and AI Act transparency obligations may both apply to the same AI-driven recommendation system, creating a need to ensure both sets of requirements are satisfied through a coherent user communication strategy.
Sector-specific EU law also interacts with the AI Act in important ways. AI used in medical devices, machinery, civil aviation, and financial services is subject to existing EU regulatory frameworks, and the AI Act is designed to operate in parallel with those frameworks rather than to supersede them. For US companies operating in these regulated sectors, understanding the interface between the AI Act and the relevant sector regulation is essential to determining the applicable conformity assessment route and the precise scope of transparency and documentation obligations.
How We Can Help
Our data protection and technology law practice has deep expertise in EU digital regulation, including the GDPR, the DSA, and the AI Act. We advise US companies across sectors—technology, financial services, healthcare, media, retail, and manufacturing—on their EU compliance obligations, with particular strength in cross-border matters that require an integrated understanding of US and European law.
We offer a range of services tailored to the needs of US businesses navigating AI Act compliance, including: scoping assessments to determine whether and how the AI Act applies to your operations; AI inventory and risk classification projects; gap analysis and compliance roadmaps; drafting and reviewing technical documentation, instructions for use, and AI disclosures; advising on GPAI model obligations and code of practice engagement; negotiating and reviewing AI vendor and supplier contracts; advising on the interface between the AI Act, the GDPR, and other applicable EU law; and regulatory engagement support where required.
The EU AI Act represents a significant compliance challenge but also a commercial opportunity. Companies that invest early in transparency—in building AI systems that people can understand and trust—will be better positioned not only to satisfy regulators but to differentiate themselves in markets where customers and partners increasingly demand accountable AI. We are ready to help you build that foundation.