Why Compliance Matters for AI
When you call an AI service such as OpenAI, Anthropic, or another LLM provider, you are sending user data to a third party that processes it outside your control. Under modern privacy regulations that is a transfer to a processor, and it carries real legal and compliance exposure. Blindfold reduces that exposure by ensuring sensitive data never reaches the AI provider in plain text: PII is detected and anonymized before the request leaves your infrastructure, and only the anonymized text is sent onward.
Regulation Guides
GDPR
EU data protection for AI applications. Use the EU region and the gdpr_eu policy to keep European personal data compliant.
HIPAA
Protect PHI in healthcare AI. Use the US region and the hipaa_us policy to meet HIPAA de-identification requirements.
PCI DSS
Secure cardholder data in payment AI. Use the pci_dss policy to mask, encrypt, and redact card numbers.
EU AI Act
Meet the world's first comprehensive AI regulation: data minimization, transparency, and high-risk system requirements.
Data Residency
Keep sensitive data in the right jurisdiction. Regional endpoints and tokenization for cross-border AI compliance.
CCPA / CPRA
Protect California consumer data. Prevent "sale" or "sharing" of personal information with AI providers.
LGPD
Brazil's data protection law. Use the EU region and the gdpr_eu policy for LGPD-aligned AI processing.
SOC 2
Demonstrate security practices to enterprise customers. Audit logs, encryption, and access controls.
Quick Comparison
| Regulation | Policy | Region | Key Focus |
|---|---|---|---|
| GDPR | gdpr_eu | EU | Personal data of EU residents — names, emails, IBANs, addresses |
| HIPAA | hipaa_us | US | Protected Health Information — 18 identifiers including SSNs, MRNs |
| PCI DSS | pci_dss | Any | Cardholder data — card numbers, CVVs, expiry dates |
| EU AI Act | gdpr_eu + strict | EU | Data minimization, transparency, high-risk AI systems |
| Data Residency | Any | EU / US | Cross-border data transfers, Schrems II, GDPR Chapter V |
| CCPA / CPRA | strict | US | California consumer rights — opt-out of sale/sharing of PI |
| LGPD | gdpr_eu | EU | Brazilian personal data — names, CPFs, addresses |
| SOC 2 | Any | Any | Trust Services Criteria — security, confidentiality, privacy |
Common Compliance Questions
Do I need a Data Processing Agreement (DPA) with Blindfold?
Yes, for GDPR compliance. Blindfold processes personal data on your behalf in order to detect and protect PII, which makes Blindfold a data processor under GDPR and you the controller; Article 28 requires a written agreement between the two. Contact us at hello@blindfold.dev to sign a DPA.
Can I use Blindfold for HIPAA-covered entities?
Yes. Blindfold offers:
- Business Associate Agreement (BAA)
- AES-256 encryption (HIPAA does not certify specific algorithms; AES-256 satisfies the HHS encryption guidance)
- Audit logging
- Access controls
Is Blindfold SOC 2 certified?
SOC 2 certification is in progress. Contact us for current compliance status and security documentation.
Where is data processed and stored?
- EU region: PII processed on EU-based servers (eu-api.blindfold.dev)
- US region: PII processed on US-based servers (us-api.blindfold.dev)
- Data retention: we don't store your text data
- Audit logs: retained for 90 days
- Backups: encrypted at rest
What happens if there's a data breach?
Because Blindfold protects PII before it reaches AI providers:
- If the AI provider is breached: your users' real PII was never sent there, only the tokens or hashes that replaced it
- If Blindfold is breached: we notify you without undue delay and within 72 hours, so you can meet your own GDPR Article 33 deadline for notifying the supervisory authority
- Reduced risk: tokenized data and keyed hashes are not useful to an attacker on their own. Note that an unkeyed hash of a low-entropy value such as an SSN or phone number can be brute-forced or matched against values the attacker already holds, so prefer tokenization or keyed hashing for those fields
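The following is an added illustration of the "anonymize before the request leaves your infrastructure" flow described at the top of this page, and of why the breach reasoning above depends on how the replacement values are derived. It is example code written for this page, not Blindfold's implementation or API; the detection patterns, the per-tenant key, the token format, the Luhn filter and the sample prompt are all constructed for the example and are deliberately simpler than a production detector.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Set, Tuple

# Constructed per-tenant secret for the example; a real deployment loads it from a KMS or secret store.
TENANT_KEY = b"example-tenant-key-do-not-use-in-production"

# Simplified detection patterns (constructed for the example): email, US SSN, 13-19 digit card numbers.
PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "CARD": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
}


def luhn_ok(number: str) -> bool:
    """Luhn check: separates real card numbers from other long digit runs (order ids, tracking numbers)."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # every second digit counted from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def token_for(kind: str, value: str, key: bytes) -> str:
    """Deterministic keyed token (HMAC-SHA256). The same value maps to the same token within a tenant,
    so the model still sees that two mentions refer to one entity, but nobody without the key can
    recompute or verify the mapping."""
    digest = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
    return f"<{kind}_{digest}>"


def anonymize(text: str, key: bytes = TENANT_KEY) -> Tuple[str, Dict[str, str]]:
    """Replace detected PII with tokens before the text leaves your infrastructure.
    Returns the safe text plus the token -> original map, which stays in-house for rehydration."""
    mapping: Dict[str, str] = {}

    def substitute(kind: str):
        def _sub(match) -> str:
            value = match.group(0)
            if kind == "CARD" and not luhn_ok(value):
                return value  # long digit run that is not a card number: leave it alone
            token = token_for(kind, value, key)
            mapping[token] = value
            return token
        return _sub

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(substitute(kind), text)
    return text, mapping


def rehydrate(text: str, mapping: Dict[str, str]) -> str:
    """Put the original values back into the AI provider's response, on your side of the boundary."""
    for token, value in mapping.items():
        text = text.replace(token, value)
    return text


def unkeyed_hash(value: str) -> str:
    """The weak alternative: a plain SHA-256 of the value with no key."""
    return hashlib.sha256(value.encode()).hexdigest()


def match_known_values(leaked_hashes: Set[str], candidates: List[str]) -> Dict[str, str]:
    """What an attacker can do with unkeyed hashes leaked from a provider: recompute the hash of every
    value they already hold (from another breach, or all 10^9 possible SSNs) and test membership.
    With keyed tokens this recomputation needs the tenant key, which never left your infrastructure."""
    return {c: unkeyed_hash(c) for c in candidates if unkeyed_hash(c) in leaked_hashes}


# Constructed sample prompt; the "order" number is a 16-digit run that fails the Luhn check.
SAMPLE = ("Patient Jane Doe (jane.doe@example.com, SSN 123-45-6789) paid with card "
          "4111 1111 1111 1111 for order 1234 5678 9012 3456.")

if __name__ == "__main__":
    safe, mapping = anonymize(SAMPLE)
    print("sent to provider:", safe)
    reply = "Refund issued to " + next(t for t in mapping if t.startswith("<EMAIL_"))
    print("rehydrated reply:", rehydrate(reply, mapping))
    leaked = {unkeyed_hash("123-45-6789")}
    print("recovered from unkeyed hashes:", match_known_values(leaked, ["123-45-6789", "987-65-4321"]))
```

The design point is in token_for and match_known_values: the tokens the provider sees are only safe to lose because deriving them requires a secret that stayed on your side, whereas an unkeyed hash of an SSN or email is just a slow way of sending the value itself.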
How do I prove compliance to auditors?
Blindfold provides:
- Audit logs: every PII detection and anonymization is logged
- API documentation: proof of the data protection implementation
- DPA/BAA: legal agreements for GDPR/HIPAA
- Dashboard reports: export audit logs for compliance reviews
Getting Started with Compliance
Sign up for Blindfold
Create your account at app.blindfold.dev
Choose your region
Select EU or US region based on your data residency requirements. See Regions.
Select a compliance policy
Use gdpr_eu, hipaa_us, or pci_dss depending on your regulation. See Policies.
Integrate Blindfold
Follow the Quick Start guide to add Blindfold to your application.
Request compliance documents
Email hello@blindfold.dev for DPA, BAA, or security documentation.
Need Help?
Legal Questions
Contact our legal team for DPAs, BAAs, and compliance questions
Technical Support
Get help with integration and implementation
Documentation
Read our technical documentation
Cookbook Examples
Working code examples for GDPR and HIPAA
Disclaimer: This documentation provides general information about compliance requirements. It is not legal advice. Consult with legal counsel to ensure your specific implementation meets all applicable regulations.