Skip to content
in/guard/out
in/guard/out

Compliance

PII screening & guardrails under the GDPR

Every prompt containing a name, email, or customer detail that your app sends to a model provider is personal-data processing under the GDPR – with everything that implies: lawful basis, minimization, processor relationships, transfer rules. Most teams discovered this after the integration shipped.

The architectural answer is to stop personal data from reaching the provider. The proxy screens PII into placeholders before any data reaches the model provider – the provider works with pseudonymized text. Real values are unscreened in the response your application receives. Logs store the screened form by default.

The honest part, up front: no tool makes you compliant. Compliance is a property of your organization – its processes, contracts, and documentation – not of any component you install. What a guardrails proxy provides is technical measures and evidence that support the obligations below. Assess your own obligations with counsel.

§01 Where the proxy helps
The obligation

Data minimization – Article 5(1)(c): personal data must be adequate, relevant, and limited to what is necessary

On the wire

The model does not need real names, emails, or card numbers to do its job – stable placeholders preserve the text’s structure and coherence. Screening enforces minimization mechanically, on every request, rather than by developer discipline.

The obligation

Pseudonymization & security of processing – Articles 4(5) and 32 name pseudonymization as a core technical measure

On the wire

Screen-and-restore is pseudonymization in the Article 4(5) sense: the provider-bound text cannot be attributed to a person without the placeholder map – which lives in memory for one request, is never persisted, and never leaves the proxy.

The obligation

International transfers – Chapter V restricts personal-data flows to third countries, including US-based model providers

On the wire

Screening dramatically shrinks what leaves your organization to model providers: what crosses to them is pseudonymized placeholders, not personal data. The proxy processes data in the US, but model providers receive only de-identified text.

The obligation

Storage limitation & data-subject rights – retention limits, plus access and erasure rights

On the wire

Logs store placeholders rather than personal data by default, which simplifies both retention and erasure; the PII map is never stored at all. Account-level data follows plan retention and deletion on request.

The obligation

Accountability – Article 5(2): you must be able to demonstrate compliance

On the wire

Per-request records of what was screened and which checks ran are demonstrable evidence – the difference between “our policy says we redact” and a log showing that this request, on this date, was screened before egress.

§02 Frequently asked questions

Is sending prompts to an LLM provider a GDPR “transfer”?

If the prompt contains personal data and the provider processes it outside the EEA, transfer rules are implicated – one of several reasons to screen personal data out before the request leaves. What crosses after screening is pseudonymized placeholders.

Is pseudonymized data still personal data under GDPR?

In your hands, yes – you hold the means of re-identification, and GDPR still applies to your processing. But pseudonymization is a named technical measure that materially reduces risk, and what the provider receives cannot be attributed to a person by the provider.

Does the proxy help with the right to erasure?

Indirectly and structurally: transcripts store placeholders rather than personal data by default, and the placeholder map is never persisted – so the hard problem of scrubbing personal data out of LLM logs mostly disappears at design time.

Can we keep everything in the EEA?

No – the proxy is US-based cloud infrastructure. But: data is screened before it leaves your organization for model providers, so what those providers receive is placeholder text, not personal data. Your compliance team evaluates the transfer based on what actually reaches the provider.

§03 Related

Bring your compliance team to the demo.

The per-request evidence trail tends to answer their questions faster than a slide deck. We’re running a limited demo – sign up and we’ll get you in as soon as we can.