
# Compliance & Legal

> How Blindfold helps you meet GDPR, HIPAA, PCI DSS, EU AI Act, CCPA, LGPD, and SOC 2 requirements

## Why Compliance Matters for AI

When using AI services like OpenAI, Anthropic, or other LLM providers, you're sending user data to third-party systems. This creates significant **legal and compliance risks** under modern privacy regulations.

**Blindfold protects you** by ensuring sensitive data never reaches AI providers in plain text. PII is detected and anonymized *before* it leaves your infrastructure.

```
User message                    Blindfold                        AI Provider
"Email hans@example.de"  →  "Email <Email Address_1>"  →  AI only sees tokens
                                                              ↓
"I'll email hans@..."    ←   Detokenize with mapping   ←  "I'll email <Email Address_1>"
```
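The round trip in the diagram, written out as an added illustration (not Blindfold's own code or API): email detection is a plain regex, token names follow the page's `<Email Address_1>` style, and `fake_provider` stands in for the LLM so the whole flow runs offline.

```python
import re
from typing import Callable, Dict, Tuple

# Constructed illustration of tokenize -> provider -> detokenize.
# Not Blindfold's implementation; a regex stands in for PII detection.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def tokenize(text: str) -> Tuple[str, Dict[str, str]]:
    """Replace each distinct email with a stable placeholder token.

    Returns the anonymized text and the token -> original mapping. Only
    the anonymized text is sent onward; the mapping stays with the caller.
    """
    mapping: Dict[str, str] = {}      # token  -> original value
    token_for: Dict[str, str] = {}    # value  -> token (dedupes repeats)

    def repl(match: re.Match) -> str:
        value = match.group(0)
        if value not in token_for:
            token = f"<Email Address_{len(token_for) + 1}>"
            token_for[value] = token
            mapping[token] = value
        return token_for[value]

    return EMAIL_RE.sub(repl, text), mapping


def detokenize(text: str, mapping: Dict[str, str]) -> str:
    """Restore original values in the provider's reply from the mapping."""
    # Longest tokens first so <Email Address_1> never matches inside
    # <Email Address_10>.
    for token in sorted(mapping, key=len, reverse=True):
        text = text.replace(token, mapping[token])
    return text


def round_trip(user_message: str, provider: Callable[[str], str]) -> str:
    """Full flow: anonymize, call the provider, restore in the reply."""
    anonymized, mapping = tokenize(user_message)
    return detokenize(provider(anonymized), mapping)


def fake_provider(prompt: str) -> str:
    """Simulated LLM: it only ever sees placeholder tokens, never PII."""
    return "I'll email " + ", ".join(re.findall(r"<Email Address_\d+>", prompt))


if __name__ == "__main__":
    msg = "Email hans@example.de and cc anna@example.com"  # constructed input
    print(round_trip(msg, fake_provider))  # I'll email hans@example.de, anna@example.com
```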

## Regulation Guides

<CardGroup cols={2}>
  <Card title="GDPR" icon="globe" href="/compliance/gdpr">
    EU data protection for AI applications. Use the **EU region** and `gdpr_eu` policy to keep European personal data compliant.
  </Card>

  <Card title="HIPAA" icon="heart-pulse" href="/compliance/hipaa">
    Protect PHI in healthcare AI. Use the **US region** and `hipaa_us` policy to meet HIPAA de-identification requirements.
  </Card>

  <Card title="PCI DSS" icon="credit-card" href="/compliance/pci-dss">
    Secure cardholder data in payment AI. Use the `pci_dss` policy to mask, encrypt, and redact card numbers.
  </Card>

  <Card title="EU AI Act" icon="scale-balanced" href="/compliance/eu-ai-act">
    Meet the world's first comprehensive AI regulation. Data minimization, transparency, and high-risk system requirements.
  </Card>

  <Card title="Data Residency" icon="earth-americas" href="/compliance/data-residency">
    Keep sensitive data in the right jurisdiction. Regional endpoints and tokenization for cross-border AI compliance.
  </Card>

  <Card title="CCPA / CPRA" icon="flag-usa" href="/compliance/ccpa">
    Protect California consumer data. Prevent "sale" or "sharing" of personal information with AI providers.
  </Card>

  <Card title="LGPD" icon="globe" href="/compliance/lgpd">
    Brazil's data protection law. Use the EU region and `gdpr_eu` policy for LGPD-compliant AI processing.
  </Card>

  <Card title="SOC 2" icon="certificate" href="/compliance/soc2">
    Demonstrate security practices to enterprise customers. Audit logs, encryption, and access controls.
  </Card>
</CardGroup>

## Quick Comparison

| Regulation         | Policy               | Region  | Key Focus                                                          |
| ------------------ | -------------------- | ------- | ------------------------------------------------------------------ |
| **GDPR**           | `gdpr_eu`            | EU      | Personal data of EU residents — names, emails, IBANs, addresses    |
| **HIPAA**          | `hipaa_us`           | US      | Protected Health Information — 18 identifiers including SSNs, MRNs |
| **PCI DSS**        | `pci_dss`            | Any     | Cardholder data — card numbers, CVVs, expiry dates                 |
| **EU AI Act**      | `gdpr_eu` + `strict` | EU      | Data minimization, transparency, high-risk AI systems              |
| **Data Residency** | Any                  | EU / US | Cross-border data transfers, Schrems II, GDPR Chapter V            |
| **CCPA / CPRA**    | `strict`             | US      | California consumer rights — opt-out of sale/sharing of PI         |
| **LGPD**           | `gdpr_eu`            | EU      | Brazilian personal data — names, CPFs, addresses                   |
| **SOC 2**          | Any                  | Any     | Trust Services Criteria — security, confidentiality, privacy       |

## Common Compliance Questions

<AccordionGroup>
  <Accordion title="Do I need a Data Processing Agreement (DPA) with Blindfold?" icon="file-contract">
    Yes, for GDPR compliance. Contact us at [hello@blindfold.dev](mailto:hello@blindfold.dev) to sign a DPA.

    Blindfold processes personal data to detect and protect PII, making us a data processor under GDPR.
  </Accordion>

  <Accordion title="Can I use Blindfold for HIPAA-covered entities?" icon="hospital">
    Yes. Blindfold offers:

    * Business Associate Agreement (BAA)
    * AES-256 encryption (HIPAA compliant)
    * Audit logging
    * Access controls

    Contact us for a BAA: [hello@blindfold.dev](mailto:hello@blindfold.dev)
  </Accordion>

  <Accordion title="Is Blindfold SOC 2 certified?" icon="certificate">
    SOC 2 certification is in progress. Contact us for current compliance status and security documentation.
  </Accordion>

  <Accordion title="Where is data processed and stored?" icon="globe">
    * **EU region**: PII processed on EU-based servers (`eu-api.blindfold.dev`)
    * **US region**: PII processed on US-based servers (`us-api.blindfold.dev`)
    * **Data retention**: We don't store your text data
    * **Audit logs**: Retained for 90 days
    * **Backups**: Encrypted at rest

    See [Regions](/essentials/regions) for details.
  </Accordion>

  <Accordion title="What happens if there's a data breach?" icon="shield-exclamation">
    Because Blindfold protects PII before it reaches AI providers:

    1. **If the AI provider is breached**: Your users' real PII was never exposed (only tokens/hashes)
    2. **If Blindfold is breached**: We notify you within 72 hours per GDPR
    3. **Reduced risk**: Tokenized/hashed data is not useful to attackers
  </Accordion>

  <Accordion title="How do I prove compliance to auditors?" icon="clipboard-check">
    Blindfold provides:

    1. **Audit logs** — every PII detection and anonymization is logged
    2. **API documentation** — proof of data protection implementation
    3. **DPA/BAA** — legal agreements for GDPR/HIPAA
    4. **Dashboard reports** — export audit logs for compliance reviews

    Export audit logs from the [dashboard](https://app.blindfold.dev) for compliance reports.
  </Accordion>
</AccordionGroup>

## Getting Started with Compliance

<Steps>
  <Step title="Sign up for Blindfold">
    Create your account at [app.blindfold.dev](https://app.blindfold.dev)
  </Step>

  <Step title="Choose your region">
    Select EU or US region based on your data residency requirements. See [Regions](/essentials/regions).
  </Step>

  <Step title="Select a compliance policy">
    Use `gdpr_eu`, `hipaa_us`, or `pci_dss` depending on your regulation. See [Policies](/essentials/policies).
  </Step>

  <Step title="Integrate Blindfold">
    Follow the [Quick Start guide](/quickstart) to add Blindfold to your application.
  </Step>

  <Step title="Request compliance documents">
    Email [hello@blindfold.dev](mailto:hello@blindfold.dev) for DPA, BAA, or security documentation.
  </Step>
</Steps>

## Need Help?

<CardGroup cols={2}>
  <Card title="Legal Questions" icon="scale-balanced" href="mailto:legal@blindfold.dev">
    Contact our legal team for DPAs, BAAs, and compliance questions
  </Card>

  <Card title="Technical Support" icon="headset" href="mailto:hello@blindfold.dev">
    Get help with integration and implementation
  </Card>

  <Card title="Documentation" icon="book" href="/quickstart">
    Read our technical documentation
  </Card>

  <Card title="Cookbook Examples" icon="code" href="https://github.com/blindfold-dev/blindfold-cookbook">
    Working code examples for GDPR and HIPAA
  </Card>
</CardGroup>

***

**Disclaimer**: This documentation provides general information about compliance requirements. It is not legal advice. Consult with legal counsel to ensure your specific implementation meets all applicable regulations.
