HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ComplyTechAPI

no profile record

Submissions

RAG pipelines, leaking PII into vector databases and nobody's talking about it

comply-tech.co.uk
1 points·by ComplyTechAPI·3 miesiące temu·0 comments

How to build internal AI tools without compliance blocking the project

comply-tech.co.uk
2 points·by ComplyTechAPI·3 miesiące temu·2 comments

EU AI Act Enforcement in August 2026. What That Means for Your LLM Pipeline

comply-tech.co.uk
3 points·by ComplyTechAPI·3 miesiące temu·0 comments

[untitled]

1 points·by ComplyTechAPI·4 miesiące temu·0 comments

comments

ComplyTechAPI
·3 miesiące temu·discuss
[dead]
ComplyTechAPI
·3 miesiące temu·discuss
Fair point, and it's one we get asked about. Two things worth clarifying: First, yes, you'd need a DPA with us just like you would with any processor. We have a standard Article 28 UK GDPR-compliant DPA ready to go.

Second, the difference is what happens to the data. When you send a support ticket to an LLM provider, they process it, may retain it for up to 30 days for abuse monitoring, and the personal data in that ticket is now available in their infrastructure for the duration. ComplyTech processes in memory and returns the result. Nothing is stored, logged, or retained after the response. Zero data retention is an architectural guarantee, not just a policy.

So you go from one third-party processor that retains your customers' personal data, to one that processes it in memory and discards it immediately, plus an LLM provider that now only receives sanitised text.
ComplyTechAPI
·3 miesiące temu·discuss
[dead]
ComplyTechAPI
·3 miesiące temu·discuss
[dead]
ComplyTechAPI
·4 miesiące temu·discuss
Hi HN,

One thing I kept running into while building SaaS products was PII showing up in unexpected places:

application logs analytics event streams CSV exports support ticket systems

Once personal data gets into those systems it becomes hard to control or redact.

I built an API to detect and anonymise PII across text, JSON and CSV before the data leaves the system.Currently covers ~30 PII categories and maps them to frameworks like GDPR, HIPAA, PCI-DSS and 7 other regulatory frameworks.

Curious how others here deal with this — internal tooling, open source libraries, or just manual processes?