E-commerce

AI Chatbot and product compliance: showing proof without creating risk

AI Chatbot and product compliance: showing proof without creating risk

July 4, 2026

The customer asks the chatbot: "Show me your CE certificate" or "Is this product REACH-compliant?" A good response reassures and shares a validated PDF. A bad response invents a certificate number, confuses GOTS yarn vs. finished product scope, or guarantees a compliance that the brand cannot prove.

The product compliance AI chatbot must display only documented proof, cite the exact scope, refuse to interpret the law, and escalate as soon as a document is missing or a dispute arises.

This guide #336 covers intents, guardrails, RAG COMP-DOC, and bot escalations. It complements compliance support (#335) (human method) with the responsible AI automation angle in a sensitive area. Distinct from traceability bot (#312) (lots, DPP) and regulated (#119) (health claims).

Summary

Why is product compliance a high-risk AI use case?

Automating WISMO is relatively safe: tracking API, fixed return policy. Automating compliance is less so: a false CE declaration commits the brand towards a pro customer, a marketplace, or an authority.

Three bot compliance risks

  • Certificate hallucination: invented number or PDF

  • Wrong scope: factory certificate presented as SKU proof

  • Legal overpromise: "100% REACH compliant" without testing

Swept AI points out that in customer support, hallucinations often manifest as invented policies or specs, stated with confidence (Swept AI, hallucination prevention 2026).

Angle #336

New sensitive B2B/DTC AI use case: displaying compliance proofs without creating risk. #335 sets up COMP-DOC and human macros. #336 implements the bot: intents, RAG, guardrails, audit.

NHIM recommends treating customer-facing AI as a governed business interface, with a separation between saying vs doing (NHIM, AI governance 2026).

DTC Example

Electronics accessory brand, generalist bot answers "yes CE" on unmarked charger. Pro customer blocks 12,000 € wholesale order. After COMP mode: bot cites DoC or comp_unknown. Dispute avoided, certificate response time reduced from 36 h to 3 min.

How does it differ from compliance support (#335) and traceability (#312)?

Four neighboring contents, four bot data perimeters.

Compliance support (#335)

Guide #335: COMP-DOC, COMP macros, MAY/ESCALATE agents. The #336 automates with strict RAG and dedicated intents.

Bot traceability (#312)

Traceability (#312): batches, DPP, recall, origin. The #336: standards certificates (CE, REACH, GOTS), not batch lookup.

Governance (#142) and hallucinations (#123)

Governance (#142): global RACI framework. Hallucinations (#123): general RAG technique. The #336 applies these principles to the compliance domain.

#336 Promise

COMP-BOT-INTENT taxonomy, COMP-DISPLAY matrix, COMP-BOT-01 prompt, confidence thresholds, comp_handoff escalation, monthly audit KPIs.

When to activate COMP mode

As soon as more than 15 tickets/month mention CE, certificate, or standard. Toy, electronics, children's textile, and furniture brands: high priority. Do not wait for a wholesale dispute to structure COMP-BOT.

Which COMP-BOT-INTENT taxonomy for the compliance chatbot?

The COMP-BOT-INTENT taxonomy classifies compliance requests before routing, response, or escalation.

12 compliance bot intents

  • comp_ce_marking: CE marking, applicable directive

  • comp_doc_link: public DoC link by SKU

  • comp_gpsr_contact: EU GPSR RP contact details

  • comp_reach_substances: documented REACH declaration

  • comp_rohs_electronics: electronic RoHS

  • comp_label_scope: GOTS, Oeko-Tex, license scope

  • comp_label_verify: verify public certificate number

  • comp_b2b_pack: reseller zip folder

  • comp_safety_warning: approved text GPSR warnings

  • comp_unknown: no public proof

  • comp_legal_interpret: immediate escalation

  • comp_handoff: dispute, counterfeiting, safety incident

Routing priority

comp_legal_interpret and comp_handoff: zero auto-response, human handoff. comp_unknown: honest template, no invented certificate. comp_b2b_pack: wholesale auth or verified pro email if zip is sensitive.

Customer keyword mapping

CE, compliance, certificate, standard, REACH, RoHS, GOTS, Oeko-Tex, DoC, declaration of conformity, GPSR, responsible person: trigger COMP classification before generic support intent. "Is it safe for baby?" without certificate: overlap #119 if health claim, COMP if EN 71 toy standard query.

Which COMP-DISPLAY matrix: what can the bot show?

The COMP-DISPLAY matrix defines, per compliance field, whether the bot can display it to the customer.

Three display tiers

  • Public tier: PDP, label icons, certificate link, GPSR text

  • Support tier: DoC PDF, customer share approved certificates

  • Never bot tier: complete lab reports, factory contacts, margin

Examples by intent

  • comp_ce_marking: Public tier + DoC Support tier

  • comp_label_scope: Public scope tier + license number

  • comp_reach_substances: Support tier approved declaration only

Mandatory label scope rule

Each comp_label_scope response includes: "Certificate no. [X] covers [exact scope] according to license [registry link]." Never "GOTS certified" without scope.

Synchronize COMP-DISPLAY with COMP-DOC from guide #335.

Example matrix by children's textile SKU

Baby bodysuit SKU-442: Public tier = Oeko-Tex class I icon + PDP license number. Support tier = certificate PDF + COMP-442 paragraph. Never tier = supplier full lab report. Bot intent comp_label_scope reads Public + Support tiers, never the Never tier.

How do you connect the RAG to COMP-DOC without hallucination?

The RAG compliance chatbot only reads regulatory-validated sources, not the web or the LLM alone.

Authorized sources

  • Shopify Metafields compliance.* by SKU

  • COMP-DOC chunks: approved COMP paragraph + PDF URL

  • GPSR warning texts validated by legal

  • COMP-GEN, COMP-CE-01 macros from #335

Forbidden sources

  • Free generation of certificate number

  • "Probably CE" inference without compliance.ce field

  • Blog articles not validated for compliance

  • Previous customer conversations as a source

Retrieval-first guardrail

If COMP chunk is missing or retrieval score < threshold: comp_unknown intent, no creative completion. See hallucinations (#123).

Catalog sync

New SKU or certificate renewal: COMP-DOC update + metafields within 24 hours before bot intent activation. Train Shopify chatbot (#13).

Ideal COMP chunk structure

Each chunk: SKU, proof type, scope, validity date, PDF URL, approved supporting paragraph, last legal review. Chunk without validity date = corpus owner alert. Certificate renewal: immediate retrieval cache invalidation.

What are the prompt rules and system instructions for COMP-BOT-01?

The COMP-BOT-01 prompt governs the bot's compliance behavior.

System instructions (excerpt)

  1. You answer product compliance questions solely using CONTEXT COMP.

  2. You never guarantee absolute legal compliance or regulatory interpretation.

  3. You always cite the certificate scope (finished product, yarn, factory).

  4. If CONTEXT is empty: state that public proof is not available and suggest escalation.

  5. You never generate certificate numbers, validity dates, or PDF links.

  6. Legal questions or disputes: immediate comp_handoff intent.

Authorized bot formulations

"According to our approved product documentation…", "The available public certificate indicates…", "For a specific regulatory analysis, our team will get back to you."

Prohibited formulations

"Guaranteed compliant", "certified risk-free", "approved by the authorities" without source, "CE equivalent" on unmarked product.

See system instructions (#194).

Prompt tests before production

15 scenarios: missing CE, expired certificate, GOTS scope yarn only, UKCA interpretation request, counterfeiting dispute, wholesale pack, undocumented REACH substance. The bot must trigger comp_unknown or comp_handoff, never invent.

How to manage CE, GPSR and labels in bot answers?

Three families of questions account for 70% of COMP bot tickets.

CE Marking (comp_ce_marking + comp_doc_link)

If compliance.ce=true: cite directive, PDP marking photo, DoC link. If false or missing: "This reference is not listed with CE marking in our documentation. Here are the documented tests and standards: [list]." No implicit CE.

GPSR (comp_gpsr_contact)

Display EU RP name, address, email from metafield. GPSR reinforces online safety info since December 2024 (Sustalium, GPSR 2026).

GOTS / Oeko-Tex Labels (comp_label_scope)

License number, validity date, scope, public registry link + PDF if Tier support. "Organic" question without certificate: comp_unknown, no voluntary label substitution.

RoHS and electronics (comp_rohs_electronics)

The bot shares RoHS declaration by SKU family if documented. Electrical installation or network compatibility questions: escalation or referral to manual, no unapproved technical advice. Confusing US FCC and EU CE = comp_unknown on unsupported market.

Regulatory Overlap (#119)

Cosmetics health efficacy question: route to REG bot, not COMP. Oeko-Tex Class I baby certificate question: COMP.

Marketplace and Amazon MYC

The bot directs to the GPSR PDP page or B2B pack. It does not fill out the marketplace portal on behalf of the third-party seller. Intent comp_b2b_pack includes GPSR sheet if marketplace reseller.

When to escalate and what confidence thresholds to apply?

The compliance escalation bot protects the brand when the RAG is insufficient.

Immediate escalation (zero auto)

  • Request for legal interpretation or market compliance outside the documentation

  • Dispute over certificate authenticity or counterfeiting

  • Product safety incident reported

  • Customer threatens legal action or regulatory authority

  • Full non-public COA requested by professional

Retrieval confidence thresholds

  • > 92%: auto response with PDF link

  • 85-92%: text response without link, offers human verification

  • < 85%: comp_unknown + 48h escalation

Context handoff

SKU, intent, retrieval score chunks, customer question, docs found or missing. See handoff (#12) and context transfer.

COMP shadow mode

Run COMP intents in shadow mode for 2 weeks: bot draft, agent validates before sending. Measure correction rate on CE and labels. Threshold: less than 5% corrections before going live.

How to automate the wholesale compliance pack without oversharing?

The comp_b2b_pack intent sends the reseller kit if criteria are met.

Auto conditions

  • Customer tag wholesale or qualification score #334 > 40

  • Verified professional email domain

  • COMP-B2B zip pack up to date (< 90 d)

Bot pack content

DoC per requested SKU, label certificates, GPSR, marking photos. No Tier lab reports, never via bot. Expirable link 7 d if sensitive.

Otherwise

Compliance ops ticket within 48 h. Bot acknowledges receipt with SLA. wholesale (#144) link.

Zip link security

Signed URL, 7-day expiration, download log. No complete catalog pack on a simple unverified Gmail email. Align with wholesale routing (#334).

Which KPIs and audits for a reliable compliance bot?

Measuring bot compliance proves that it displays evidence without creating risk.

Essential KPIs

  • comp_resolution_rate: % of COMP intents resolved without escalation

  • comp_unknown_rate: must exist (cautious bot)

  • comp_escalation_rate: legal + handoff

  • comp_contradiction_audit: 0 bot vs PDP on sample

  • comp_pdf_click: certificate links opened

  • comp_b2b_pack_sent: auto wholesale packs

Monthly audit of 30 conversations

10 CE, 10 labels, 10 REACH/substances. Verify: correct PDF, scope mentioned, zero hallucination, escalation if document is missing. Correlate with bot audit (#143).

Legal loop

Regulatory manager validates quarterly sample. Kill switch on COMP intent in case of incident.

Weekly dashboard

Monday 15 min: comp_unknown_rate, top 3 SKUs without chunk, 1 legal review escalation. Correlate comp_pdf_click with wholesale conversion if tagged B2B.

How does Qstomy display compliance evidence without risk?

Qstomy deploys the compliance bot mode with RAG COMP-DOC, intent section 3 and guardrails COMP-BOT-01.

Key capabilities

  • 12 COMP intents: CE, GPSR, REACH, labels, B2B pack

  • Strict RAG: metafields + COMP-DOC only

  • Scope label: automatic recall on finished product vs material

  • Confidence thresholds: auto, partial, unknown, handoff

  • Escalation: legal, dispute, missing doc

  • Wholesale Pack: auto zip if criteria #334 met

DTC encrypted scenario

Children's furniture brand, 62 COMP tickets/month, COMP-DOC 85 SKUs, generalist bot before COMP mode (3 CE hallucinations reported in 2 months).

After Qstomy COMP-BOT-01 + RAG metafields: 78% COMP tickets auto, certificate delay 2 min, comp_unknown 14% (caution), 0 PDP contradictions on 40-thread audit, legal escalations 100% handoff < 30 s, B2B auto pack 89% wholesale requests tagged.

Governance integration

COMP intent in say/do matrix #142: say = draft proof OK auto if RAG score OK; do = conditional B2B zip sending; never = legal interpretation, compliance dispute refund. Bot owner + legal sign off on COMP mode go live.

Explore AI support, Shopify, request a demo.

Which checklist should be launched before activating the compliance bot?

Bot compliance checklist (10 steps)

  1. COMP-DOC #335 completed on top 50 SKUs

  2. Shopify compliance Metafields per SKU

  3. COMP-DISPLAY matrix tier public/support/never

  4. Taxonomy of 12 COMP-BOT intents enabled

  5. Prompt COMP-BOT-01 legally validated

  6. Retrieval confidence thresholds configured

  7. comp_unknown and comp_handoff templates

  8. 2-week shadow mode on COMP intents

  9. Audit of 30 conversations before prod

  10. Kill switch for COMP intent + monthly audit ritual

  11. Simulate 15 section 6 scenarios before go-live

  12. Train agents on comp_handoff and conversation takeover

In brief

  • #336 = bot compliance: proof yes, interpretation no

  • Strict RAG: COMP-DOC only

  • Scope label: always explicit

  • comp_unknown: better than a hallucination

  • Escalation: legal, dispute, missing doc

FAQ

Can the bot state that a product is CE compliant?
Yes, if the metafield and COMP-DOC confirm it, with a DoC link. Otherwise, comp_unknown.

Is a separate bot required for general support?
No. A multi-mode bot with COMP intents and dedicated guardrails is sufficient.

What should be done if the certificate expires tomorrow?
Disable the auto-link, return comp_unknown + renewal in progress message. Never present an expired certificate as valid.

Relationship with the EU AI Act?
Bot transparency + human supervision on escalations. See governance (#142).

Bot or human for complex REACH inquiries?
The bot quotes the approved statement. For translation/interpretation questions regarding unlisted substances: escalation.

Bot compliance incident playbook

If a customer reports an incorrect bot certificate: trigger the COMP intent kill switch, review 48 hours of SKU conversations, correct COMP-DOC, and return to shadow mode before reactivation. Document the post-mortem in the governance register #142.

Go further

Before enabling COMP mode, simulate 10 certificate questions on your at-risk SKUs: if the bot answers without a COMP-DOC chunk, correct the RAG before going live. A cautious compliance bot with comp_unknown is better than a confident, incorrect bot. Document every legal escalation to enrich COMP-DOC the following quarter. Bot caution protects the brand.

Enzo

July 4, 2026

Convert over 2,000 customers on average per month with Qstomy.

The world’s 1st Shopify AI dedicated to customer conversion

Empowering 200+ e-commerce merchants

Subscribe to the newsletter and get a personalized e-book!

No-code solution, no technical knowledge required. AI trained on your e-shop and non-intrusive.

*Unsubscribe at any time. We do not send spam.

Subscribe to the newsletter and get a personalized e-book!

No-code solution, no technical knowledge required. AI trained on your e-shop and non-intrusive.

*Unsubscribe at any time. We do not send spam.