E-commerce
July 4, 2026
The customer asks the chatbot: "Show me your CE certificate" or "Is this product REACH-compliant?" A good response reassures and shares a validated PDF. A bad response invents a certificate number, confuses GOTS yarn vs. finished product scope, or guarantees a compliance that the brand cannot prove.
The product compliance AI chatbot must display only documented proof, cite the exact scope, refuse to interpret the law, and escalate as soon as a document is missing or a dispute arises.
This guide #336 covers intents, guardrails, RAG COMP-DOC, and bot escalations. It complements compliance support (#335) (human method) with the responsible AI automation angle in a sensitive area. Distinct from traceability bot (#312) (lots, DPP) and regulated (#119) (health claims).
Summary
Why is product compliance a high-risk AI use case?
Automating WISMO is relatively safe: tracking API, fixed return policy. Automating compliance is less so: a false CE declaration commits the brand towards a pro customer, a marketplace, or an authority.
Three bot compliance risks
Certificate hallucination: invented number or PDF
Wrong scope: factory certificate presented as SKU proof
Legal overpromise: "100% REACH compliant" without testing
Swept AI points out that in customer support, hallucinations often manifest as invented policies or specs, stated with confidence (Swept AI, hallucination prevention 2026).
Angle #336
New sensitive B2B/DTC AI use case: displaying compliance proofs without creating risk. #335 sets up COMP-DOC and human macros. #336 implements the bot: intents, RAG, guardrails, audit.
NHIM recommends treating customer-facing AI as a governed business interface, with a separation between saying vs doing (NHIM, AI governance 2026).
DTC Example
Electronics accessory brand, generalist bot answers "yes CE" on unmarked charger. Pro customer blocks 12,000 € wholesale order. After COMP mode: bot cites DoC or comp_unknown. Dispute avoided, certificate response time reduced from 36 h to 3 min.
How does it differ from compliance support (#335) and traceability (#312)?
Four neighboring contents, four bot data perimeters.
Compliance support (#335)
Guide #335: COMP-DOC, COMP macros, MAY/ESCALATE agents. The #336 automates with strict RAG and dedicated intents.
Bot traceability (#312)
Traceability (#312): batches, DPP, recall, origin. The #336: standards certificates (CE, REACH, GOTS), not batch lookup.
Governance (#142) and hallucinations (#123)
Governance (#142): global RACI framework. Hallucinations (#123): general RAG technique. The #336 applies these principles to the compliance domain.
#336 Promise
COMP-BOT-INTENT taxonomy, COMP-DISPLAY matrix, COMP-BOT-01 prompt, confidence thresholds, comp_handoff escalation, monthly audit KPIs.
When to activate COMP mode
As soon as more than 15 tickets/month mention CE, certificate, or standard. Toy, electronics, children's textile, and furniture brands: high priority. Do not wait for a wholesale dispute to structure COMP-BOT.
Which COMP-BOT-INTENT taxonomy for the compliance chatbot?
The COMP-BOT-INTENT taxonomy classifies compliance requests before routing, response, or escalation.
12 compliance bot intents
comp_ce_marking: CE marking, applicable directivecomp_doc_link: public DoC link by SKUcomp_gpsr_contact: EU GPSR RP contact detailscomp_reach_substances: documented REACH declarationcomp_rohs_electronics: electronic RoHScomp_label_scope: GOTS, Oeko-Tex, license scopecomp_label_verify: verify public certificate numbercomp_b2b_pack: reseller zip foldercomp_safety_warning: approved text GPSR warningscomp_unknown: no public proofcomp_legal_interpret: immediate escalationcomp_handoff: dispute, counterfeiting, safety incident
Routing priority
comp_legal_interpret and comp_handoff: zero auto-response, human handoff. comp_unknown: honest template, no invented certificate. comp_b2b_pack: wholesale auth or verified pro email if zip is sensitive.
Customer keyword mapping
CE, compliance, certificate, standard, REACH, RoHS, GOTS, Oeko-Tex, DoC, declaration of conformity, GPSR, responsible person: trigger COMP classification before generic support intent. "Is it safe for baby?" without certificate: overlap #119 if health claim, COMP if EN 71 toy standard query.
Which COMP-DISPLAY matrix: what can the bot show?
The COMP-DISPLAY matrix defines, per compliance field, whether the bot can display it to the customer.
Three display tiers
Public tier: PDP, label icons, certificate link, GPSR text
Support tier: DoC PDF, customer share approved certificates
Never bot tier: complete lab reports, factory contacts, margin
Examples by intent
comp_ce_marking: Public tier + DoC Support tiercomp_label_scope: Public scope tier + license numbercomp_reach_substances: Support tier approved declaration only
Mandatory label scope rule
Each comp_label_scope response includes: "Certificate no. [X] covers [exact scope] according to license [registry link]." Never "GOTS certified" without scope.
Synchronize COMP-DISPLAY with COMP-DOC from guide #335.
Example matrix by children's textile SKU
Baby bodysuit SKU-442: Public tier = Oeko-Tex class I icon + PDP license number. Support tier = certificate PDF + COMP-442 paragraph. Never tier = supplier full lab report. Bot intent comp_label_scope reads Public + Support tiers, never the Never tier.
How do you connect the RAG to COMP-DOC without hallucination?
The RAG compliance chatbot only reads regulatory-validated sources, not the web or the LLM alone.
Authorized sources
Shopify Metafields
compliance.*by SKUCOMP-DOC chunks: approved COMP paragraph + PDF URL
GPSR warning texts validated by legal
COMP-GEN, COMP-CE-01 macros from #335
Forbidden sources
Free generation of certificate number
"Probably CE" inference without
compliance.cefieldBlog articles not validated for compliance
Previous customer conversations as a source
Retrieval-first guardrail
If COMP chunk is missing or retrieval score < threshold: comp_unknown intent, no creative completion. See hallucinations (#123).
Catalog sync
New SKU or certificate renewal: COMP-DOC update + metafields within 24 hours before bot intent activation. Train Shopify chatbot (#13).
Ideal COMP chunk structure
Each chunk: SKU, proof type, scope, validity date, PDF URL, approved supporting paragraph, last legal review. Chunk without validity date = corpus owner alert. Certificate renewal: immediate retrieval cache invalidation.
What are the prompt rules and system instructions for COMP-BOT-01?
The COMP-BOT-01 prompt governs the bot's compliance behavior.
System instructions (excerpt)
You answer product compliance questions solely using CONTEXT COMP.
You never guarantee absolute legal compliance or regulatory interpretation.
You always cite the certificate scope (finished product, yarn, factory).
If CONTEXT is empty: state that public proof is not available and suggest escalation.
You never generate certificate numbers, validity dates, or PDF links.
Legal questions or disputes: immediate comp_handoff intent.
Authorized bot formulations
"According to our approved product documentation…", "The available public certificate indicates…", "For a specific regulatory analysis, our team will get back to you."
Prohibited formulations
"Guaranteed compliant", "certified risk-free", "approved by the authorities" without source, "CE equivalent" on unmarked product.
See system instructions (#194).
Prompt tests before production
15 scenarios: missing CE, expired certificate, GOTS scope yarn only, UKCA interpretation request, counterfeiting dispute, wholesale pack, undocumented REACH substance. The bot must trigger comp_unknown or comp_handoff, never invent.
How to manage CE, GPSR and labels in bot answers?
Three families of questions account for 70% of COMP bot tickets.
CE Marking (comp_ce_marking + comp_doc_link)
If compliance.ce=true: cite directive, PDP marking photo, DoC link. If false or missing: "This reference is not listed with CE marking in our documentation. Here are the documented tests and standards: [list]." No implicit CE.
GPSR (comp_gpsr_contact)
Display EU RP name, address, email from metafield. GPSR reinforces online safety info since December 2024 (Sustalium, GPSR 2026).
GOTS / Oeko-Tex Labels (comp_label_scope)
License number, validity date, scope, public registry link + PDF if Tier support. "Organic" question without certificate: comp_unknown, no voluntary label substitution.
RoHS and electronics (comp_rohs_electronics)
The bot shares RoHS declaration by SKU family if documented. Electrical installation or network compatibility questions: escalation or referral to manual, no unapproved technical advice. Confusing US FCC and EU CE = comp_unknown on unsupported market.
Regulatory Overlap (#119)
Cosmetics health efficacy question: route to REG bot, not COMP. Oeko-Tex Class I baby certificate question: COMP.
Marketplace and Amazon MYC
The bot directs to the GPSR PDP page or B2B pack. It does not fill out the marketplace portal on behalf of the third-party seller. Intent comp_b2b_pack includes GPSR sheet if marketplace reseller.
When to escalate and what confidence thresholds to apply?
The compliance escalation bot protects the brand when the RAG is insufficient.
Immediate escalation (zero auto)
Request for legal interpretation or market compliance outside the documentation
Dispute over certificate authenticity or counterfeiting
Product safety incident reported
Customer threatens legal action or regulatory authority
Full non-public COA requested by professional
Retrieval confidence thresholds
> 92%: auto response with PDF link
85-92%: text response without link, offers human verification
< 85%: comp_unknown + 48h escalation
Context handoff
SKU, intent, retrieval score chunks, customer question, docs found or missing. See handoff (#12) and context transfer.
COMP shadow mode
Run COMP intents in shadow mode for 2 weeks: bot draft, agent validates before sending. Measure correction rate on CE and labels. Threshold: less than 5% corrections before going live.
How to automate the wholesale compliance pack without oversharing?
The comp_b2b_pack intent sends the reseller kit if criteria are met.
Auto conditions
Customer tag
wholesaleor qualification score #334 > 40Verified professional email domain
COMP-B2B zip pack up to date (< 90 d)
Bot pack content
DoC per requested SKU, label certificates, GPSR, marking photos. No Tier lab reports, never via bot. Expirable link 7 d if sensitive.
Otherwise
Compliance ops ticket within 48 h. Bot acknowledges receipt with SLA. wholesale (#144) link.
Zip link security
Signed URL, 7-day expiration, download log. No complete catalog pack on a simple unverified Gmail email. Align with wholesale routing (#334).
Which KPIs and audits for a reliable compliance bot?
Measuring bot compliance proves that it displays evidence without creating risk.
Essential KPIs
comp_resolution_rate: % of COMP intents resolved without escalation
comp_unknown_rate: must exist (cautious bot)
comp_escalation_rate: legal + handoff
comp_contradiction_audit: 0 bot vs PDP on sample
comp_pdf_click: certificate links opened
comp_b2b_pack_sent: auto wholesale packs
Monthly audit of 30 conversations
10 CE, 10 labels, 10 REACH/substances. Verify: correct PDF, scope mentioned, zero hallucination, escalation if document is missing. Correlate with bot audit (#143).
Legal loop
Regulatory manager validates quarterly sample. Kill switch on COMP intent in case of incident.
Weekly dashboard
Monday 15 min: comp_unknown_rate, top 3 SKUs without chunk, 1 legal review escalation. Correlate comp_pdf_click with wholesale conversion if tagged B2B.
How does Qstomy display compliance evidence without risk?
Qstomy deploys the compliance bot mode with RAG COMP-DOC, intent section 3 and guardrails COMP-BOT-01.
Key capabilities
12 COMP intents: CE, GPSR, REACH, labels, B2B pack
Strict RAG: metafields + COMP-DOC only
Scope label: automatic recall on finished product vs material
Confidence thresholds: auto, partial, unknown, handoff
Escalation: legal, dispute, missing doc
Wholesale Pack: auto zip if criteria #334 met
DTC encrypted scenario
Children's furniture brand, 62 COMP tickets/month, COMP-DOC 85 SKUs, generalist bot before COMP mode (3 CE hallucinations reported in 2 months).
After Qstomy COMP-BOT-01 + RAG metafields: 78% COMP tickets auto, certificate delay 2 min, comp_unknown 14% (caution), 0 PDP contradictions on 40-thread audit, legal escalations 100% handoff < 30 s, B2B auto pack 89% wholesale requests tagged.
Governance integration
COMP intent in say/do matrix #142: say = draft proof OK auto if RAG score OK; do = conditional B2B zip sending; never = legal interpretation, compliance dispute refund. Bot owner + legal sign off on COMP mode go live.
Explore AI support, Shopify, request a demo.
Which checklist should be launched before activating the compliance bot?
Bot compliance checklist (10 steps)
COMP-DOC #335 completed on top 50 SKUs
Shopify compliance Metafields per SKU
COMP-DISPLAY matrix tier public/support/never
Taxonomy of 12 COMP-BOT intents enabled
Prompt COMP-BOT-01 legally validated
Retrieval confidence thresholds configured
comp_unknown and comp_handoff templates
2-week shadow mode on COMP intents
Audit of 30 conversations before prod
Kill switch for COMP intent + monthly audit ritual
Simulate 15 section 6 scenarios before go-live
Train agents on comp_handoff and conversation takeover
In brief
#336 = bot compliance: proof yes, interpretation no
Strict RAG: COMP-DOC only
Scope label: always explicit
comp_unknown: better than a hallucination
Escalation: legal, dispute, missing doc
FAQ
Can the bot state that a product is CE compliant?
Yes, if the metafield and COMP-DOC confirm it, with a DoC link. Otherwise, comp_unknown.
Is a separate bot required for general support?
No. A multi-mode bot with COMP intents and dedicated guardrails is sufficient.
What should be done if the certificate expires tomorrow?
Disable the auto-link, return comp_unknown + renewal in progress message. Never present an expired certificate as valid.
Relationship with the EU AI Act?
Bot transparency + human supervision on escalations. See governance (#142).
Bot or human for complex REACH inquiries?
The bot quotes the approved statement. For translation/interpretation questions regarding unlisted substances: escalation.
Bot compliance incident playbook
If a customer reports an incorrect bot certificate: trigger the COMP intent kill switch, review 48 hours of SKU conversations, correct COMP-DOC, and return to shadow mode before reactivation. Document the post-mortem in the governance register #142.
Go further
Before enabling COMP mode, simulate 10 certificate questions on your at-risk SKUs: if the bot answers without a COMP-DOC chunk, correct the RAG before going live. A cautious compliance bot with comp_unknown is better than a confident, incorrect bot. Document every legal escalation to enrich COMP-DOC the following quarter. Bot caution protects the brand.

Enzo
July 4, 2026





