Technical terms, clearly explained

The EU AI Act (Regulation (EU) 2024/1689) is the European Union’s comprehensive law on artificial intelligence. It regulates AI systems according to their risk, imposing the strictest obligations on high-risk uses and banning a narrow set of practices outright. It applies far beyond the EU’s borders wherever an AI system’s output is used in the Union.

Under the EU AI Act, an AI system is a machine-based system that operates with some autonomy and, from the input it receives, infers how to generate outputs such as predictions, content, recommendations, or decisions that can influence its environment. The emphasis on inference distinguishes genuine AI from ordinary deterministic software.

High-risk AI systems are those the EU AI Act considers capable of significantly harming health, safety, or fundamental rights — for example AI used in employment, education, essential services, or law enforcement. They are not banned, but must meet extensive requirements (risk management, data governance, documentation, human oversight, robustness) and pass a conformity assessment before reaching the market.

AI literacy is the requirement, set out in Article 4 of the EU AI Act, that providers and deployers of AI systems ensure their staff and others operating AI on their behalf have a sufficient level of understanding to use it competently and responsibly. It is one of the earliest obligations to apply and reaches almost every organisation that uses AI.

A general-purpose AI model (GPAI) is an AI model — typically trained on very large amounts of data — that displays significant generality and can competently perform a wide range of tasks, regardless of how it is later put on the market or integrated into downstream systems. Large language models are the prime example. The EU AI Act sets dedicated obligations for GPAI providers, with stricter rules for models posing systemic risk.

Annex III is the part of the EU AI Act that lists the specific use cases considered high-risk. AI systems intended for the purposes it enumerates — in areas such as employment, education, essential services, law enforcement, and migration — are presumptively high-risk and subject to the Act’s full set of obligations. For most organisations, checking their AI against Annex III is the decisive step in risk classification.

Prohibited AI practices are the uses of AI that the EU AI Act bans outright under Article 5 because they pose an unacceptable risk to fundamental rights and safety — such as manipulative or deceptive techniques that distort behaviour, exploitation of vulnerabilities, social scoring, and certain uses of real-time remote biometric identification. No safeguard or documentation can make a prohibited practice lawful.

A conformity assessment is the procedure by which a high-risk AI system is checked against the EU AI Act’s requirements before it is placed on the market. For most high-risk systems it is a self-assessment by the provider against the requirements; for some it involves an independent notified body. A system that passes is documented in an EU declaration of conformity and may bear the CE marking.

A Data Protection Officer (DPO) is a designated person responsible for overseeing an organisation’s data protection compliance, advising on obligations, monitoring adherence to the GDPR, and acting as the contact point for individuals and the supervisory authority. The GDPR requires a DPO in defined cases — notably large-scale systematic monitoring or large-scale processing of special-category data.

Privacy by Design is the GDPR principle — framed as data protection by design and by default — that data protection must be built into systems and processes from the outset and as the default setting, rather than added afterward. It means embedding measures like data minimisation, pseudonymisation, and access control into the architecture, so that the most privacy-protective option is the one that operates automatically.

Data subject rights are the enforceable rights the GDPR grants individuals over their personal data: to be informed, to access their data, to have inaccuracies corrected, to have data erased in defined cases, to restrict or object to processing, and to data portability, plus protections around automated decision-making. Organisations must be able to honour these requests, usually within one month.

Consent under the GDPR is one of the six lawful bases for processing personal data. To be valid it must be freely given, specific, informed, and unambiguous, expressed through a clear affirmative action, and as easy to withdraw as to give. Pre-ticked boxes, bundled consent, and inactivity do not qualify, and the controller must be able to demonstrate that consent was obtained.

Special categories of personal data are types the GDPR treats as especially sensitive under Article 9 — data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and genetic, biometric, health, or sex-life and sexual-orientation data. Processing them is prohibited unless a specific Article 9 exception applies, such as explicit consent.

The GDPR (General Data Protection Regulation, Regulation (EU) 2016/679) is the European Union’s central data protection law. It governs how personal data is processed, grants individuals enforceable rights over their data, and binds any organisation that processes the data of people in the EU — wherever that organisation is based. Breaches can attract fines of up to 4% of global annual turnover.

The revFADP is Switzerland’s revised Federal Act on Data Protection, in force since September 2023. It modernised Swiss data protection law and aligned it closely with the GDPR — strengthening transparency, data-subject rights, and accountability — while keeping some distinctly Swiss features. It applies to private organisations and federal bodies processing personal data in or affecting Switzerland.

A Data Processing Agreement (DPA) is the contract required under the GDPR whenever a controller engages a processor to handle personal data on its behalf. It sets out the subject matter, duration, nature and purpose of the processing, the types of data and categories of individuals, and the processor’s obligations — including security, confidentiality, sub-processing, and assistance to the controller.

A Data Protection Impact Assessment (DPIA) is a structured process required under the GDPR before processing that is likely to result in a high risk to individuals’ rights and freedoms. It describes the processing, assesses its necessity and proportionality, identifies and evaluates the risks, and sets out measures to mitigate them — documenting that risk was considered before the processing began.

A Minimum Viable Product (MVP) is the simplest version of a product that delivers real value to early users and lets a team test its core assumptions with the least effort. It is not a half-finished product but a focused one — built to learn whether the core idea works before investing in everything around it.

Next.js is a React framework for building web applications and websites. It adds server-side rendering, static generation, file-based routing, API routes, and performance optimisations on top of React, making it a standard choice for production web apps and SaaS products that need both rich interactivity and strong SEO.

Supabase is an open-source backend-as-a-service platform built around PostgreSQL. It provides a hosted database, authentication, instant APIs, file storage, and serverless functions, with row-level security as a core feature. It lets development teams build the backend of a SaaS product quickly while retaining the power and portability of a standard Postgres database.

A Progressive Web App (PWA) is a web application that uses modern browser capabilities to behave like a native app — it can be installed to the home screen, work offline, send push notifications, and load quickly — while still being a website accessible through a URL. PWAs give SaaS products an app-like experience without separate native builds for each platform.

Data residency refers to the geographic location where data is physically stored and processed. For European customers it usually means a requirement that personal data remain within the EU or a specific country. For SaaS providers, offering EU data residency — hosting data in regions like Frankfurt — simplifies GDPR compliance and is increasingly demanded by privacy-conscious customers.

SaaS — Software as a Service — is a model in which software is delivered over the internet as a subscription service rather than installed and run on the customer’s own machines. The provider hosts, maintains, secures, and updates the application centrally; customers access it through a browser and pay recurring fees. It is the dominant model for modern business software.

Multi-tenancy is a software architecture in which a single running instance of an application serves multiple customers (tenants), with each tenant’s data logically isolated from the others. It is the foundation of most SaaS products, making them economical to operate and update, while placing strict demands on data isolation and security.

Row-Level Security (RLS) is a database feature that enforces access-control rules at the level of individual rows, so that a given user or tenant can only see or modify the rows they are permitted to — even if a query forgets to filter for them. In multi-tenant SaaS it is the strongest line of defence against cross-tenant data leakage.

Monthly Recurring Revenue (MRR) is the predictable revenue a subscription business earns each month, normalised to a monthly figure. It is the central health metric for SaaS, capturing the recurring income from active subscriptions and forming the basis for tracking growth, churn, and expansion.

Churn is the rate at which customers or recurring revenue are lost over a period. Customer churn measures the share of customers who cancel; revenue churn measures the recurring revenue lost. It is one of the most important SaaS metrics, because high churn quietly undermines growth no matter how many new customers are acquired.

Net Revenue Retention (NRR) measures how much recurring revenue a cohort of existing customers generates now compared with a year ago, including expansion and after subtracting contraction and churn — but excluding new customers. An NRR above 100% means the existing base grows in value on its own; it is a key indicator of SaaS health.

Customer Acquisition Cost (CAC) is the total cost of acquiring a new customer — typically all sales and marketing spend in a period divided by the number of customers gained. It measures the efficiency of growth, and is most meaningful when compared against the value a customer generates over their lifetime.

Customer Lifetime Value (LTV) is the total recurring revenue — or gross profit — a business can expect from a customer over the entire duration of the relationship. It depends on how much a customer pays, the margin on it, and how long they stay, and it is the value side of the equation that justifies acquisition cost.

A Large Language Model (LLM) is an AI model trained on vast amounts of text to understand and generate human language. It predicts likely continuations of text and can be applied to tasks such as writing, summarising, answering questions, and reasoning. LLMs power most modern generative-AI products and are typically accessed as general-purpose models via an API.

Retrieval-Augmented Generation (RAG) is a technique that improves a language model’s answers by retrieving relevant information from a knowledge source at query time and supplying it to the model as context. Instead of relying solely on what the model learned in training, RAG grounds responses in current, specific, trustworthy data — reducing hallucination and enabling answers from private content.

Topical authority is the degree to which a website is recognised by search engines as a comprehensive, trustworthy source on a particular subject. It is built by covering a topic deeply and broadly through interlinked content rather than chasing isolated keywords, and it increasingly determines how well a site ranks across an entire subject area.

Programmatic SEO is the practice of generating large numbers of targeted, high-quality landing pages at scale from structured data and templates — each page serving a specific search query. Done well, it captures long-tail search demand efficiently; done badly, it produces thin, duplicative pages that search engines penalise.

Core Web Vitals are a set of measurable metrics Google uses to assess the real-world user experience of a web page — focusing on loading performance, interactivity, and visual stability. They are a confirmed ranking signal, so good Core Web Vitals matter for both user satisfaction and search visibility.

Schema markup is structured data added to a web page — using a shared vocabulary from Schema.org — that describes the page’s content to search engines in a machine-readable way. It helps search engines understand the content precisely and can enable rich results such as FAQs, breadcrumbs, and ratings in the search listing.

E-E-A-T stands for Experience, Expertise, Authoritativeness, and Trust — the qualities Google’s search quality guidelines use to judge the credibility of content and its creators. It is not a direct ranking score but a framework that shapes how Google assesses quality, and it matters most for topics that affect people’s wellbeing, finances, or safety.

HERMES 2022 is the project management method of the Swiss federal administration, widely used in Switzerland for IT and business projects. It is an open, freely available standard structured around phases, scenarios, roles, and defined deliverables, designed to be scalable and combinable with agile approaches.

Scrum is an agile framework for developing and delivering complex products in short, fixed-length iterations called sprints. It defines a small set of roles, events, and artifacts that help a team work iteratively, inspect progress frequently, and adapt — favouring empirical, incremental delivery over detailed upfront planning.

Kanban is an agile method for managing work by visualising it on a board, limiting the amount of work in progress, and managing the flow of tasks to completion. Unlike Scrum’s fixed iterations, Kanban is continuous and evolutionary — it focuses on smooth, steady flow and incremental improvement rather than time-boxed sprints.

OKR — Objectives and Key Results — is a goal-setting framework that pairs an ambitious, qualitative Objective with a few measurable Key Results that define what achieving it looks like. Set on a regular cadence and kept transparent across an organisation, OKRs align effort toward outcomes rather than tasks.

Professional Services Automation (PSA) is software that supports the core operations of service-based businesses — managing projects, resources, time tracking, and billing in one integrated system. It connects the work delivered to the revenue it generates, giving consultancies and agencies visibility into utilisation, profitability, and project health.