SOC 2 Type II + GDPR Art. 22: automating decisions without losing the human loop
Our team is designing an automated claims triage system for a fintech product. The system classifies incoming requests and routes them to different processing queues. This clearly triggers GDPR Art. 22 concerns (automated individual decision-making with legal or similarly significant effects). We're simultaneously pursuing SOC 2 Type II certification, and the auditor flagged that our risk register doesn't adequately cover the intersection of automated decision-making and data protection controls.

What worked for us so far:
- Explicit human-in-the-loop checkpoint before any adverse determination
- Audit trail logging every classification decision with model version and confidence score
- Data Protection Impact Assessment (DPIA) completed before going to production

Open questions:
- How did others document 'meaningful human review' for SOC 2 auditors? Is logging the reviewer ID sufficient, or do auditors expect evidence of substantive review?
- For EU AI Act preparation: are you treating claims triage as 'high-risk' under Annex III, or has your legal counsel advised a different classification?
- Any experience with cross-border deployments (EU/DE + US) where GDPR Art. 22 and state-level AI regulations (e.g., Colorado AI Act, NY DFS) overlap?

Framing this as peer experience exchange — not asking for legal advice, but for practical implementation patterns that have survived audits.
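As an added illustration (not code from the original post or its author), here is one way to implement the two technical controls the post lists: an audit trail that records model version and confidence score for every classification, and a human-in-the-loop gate that refuses to turn an adverse label into a determination unless a review record names a reviewer and carries a non-trivial rationale. The model version string, the label set, the toy scoring rule, the rationale-length floor and the sample requests are all assumptions constructed for this example; the hash chain on the log is there so that edits to earlier decisions are detectable, which is the kind of integrity evidence an audit trail needs to carry.

```python
# Added example (not from the original post): audit-trailed triage with a
# human-in-the-loop gate before any adverse determination.
# Model name, labels, the toy scoring rule and the rationale-length floor are
# assumptions made for this example.
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional

MODEL_VERSION = "triage-model-0.3.1"   # assumed version label recorded on every decision
ADVERSE_LABELS = {"deny"}              # assumed labels with adverse effect on the data subject
MIN_RATIONALE_CHARS = 20               # assumed floor for a "substantive" reviewer rationale


class HumanReviewRequired(Exception):
    """Adverse determination attempted without any human review."""


class InsufficientReview(Exception):
    """A review record exists but does not evidence substantive review."""


@dataclass(frozen=True)
class Classification:
    request_id: str
    model_version: str
    label: str
    confidence: float
    queue: str
    decided_at: str


@dataclass(frozen=True)
class HumanReview:
    reviewer_id: str
    outcome: str        # "uphold" or "override"
    final_label: str
    rationale: str
    reviewed_at: str


class AuditLog:
    """Append-only log of JSON-serialisable entries; each entry commits to the
    previous entry's hash, so editing or deleting an earlier decision is
    detected by verify()."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev_hash = self.GENESIS

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, event: str, payload: dict) -> dict:
        body = {"event": event, "payload": payload, "prev_hash": self._prev_hash}
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        self._prev_hash = entry["hash"]
        return entry

    def verify(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev_hash"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def classify(request_id: str, features: dict, log: AuditLog) -> Classification:
    """Toy stand-in for the real model: a linear risk score picks label and queue.
    Every classification is logged with model version and confidence score."""
    risk = min(1.0, 0.2 * features["prior_claims"] + 0.3 * features["amount"] / 10000)
    risk = round(risk, 4)
    label = "deny" if risk >= 0.7 else "approve"
    confidence = risk if label == "deny" else round(1 - risk, 4)
    queue = "adverse_review" if label in ADVERSE_LABELS else "auto_approve"
    c = Classification(request_id, MODEL_VERSION, label, confidence, queue, _now())
    log.append("classification", asdict(c))
    return c


def finalize(c: Classification, review: Optional[HumanReview], log: AuditLog) -> str:
    """Gate: an adverse label becomes a determination only with a human review
    that names a reviewer and carries a rationale of substance. Returns the final label."""
    if c.label in ADVERSE_LABELS:
        if review is None:
            raise HumanReviewRequired(c.request_id)
        if not review.reviewer_id.strip() or len(review.rationale.strip()) < MIN_RATIONALE_CHARS:
            raise InsufficientReview(c.request_id)
        final_label = review.final_label
    else:
        final_label = c.label
    log.append("determination", {"request_id": c.request_id, "model_label": c.label,
                                 "final_label": final_label,
                                 "review": asdict(review) if review else None})
    return final_label


if __name__ == "__main__":
    log = AuditLog()
    c = classify("req-001", {"amount": 12000, "prior_claims": 3}, log)   # constructed input
    review = HumanReview("reviewer-42", "override", "approve",
                         "Prior claims were all settled in the claimant's favour.", _now())
    print(finalize(c, review, log), log.verify())
```

The gate deliberately rejects a review whose rationale is a bare acknowledgement, so the log shows more than a reviewer ID next to each adverse outcome; the chained hashes let an auditor confirm that the classification entries behind a determination were not altered after the fact.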