Fair point, and it's one we get asked about. Two things worth clarifying:
First, yes, you'd need a DPA with us just like you would with any processor. We have a standard Article 28 UK GDPR-compliant DPA ready to go.
Second, the difference is what happens to the data. When you send a support ticket to an LLM provider, they process it, may retain it for up to 30 days for abuse monitoring, and the personal data in that ticket is now available in their infrastructure for the duration. ComplyTech processes in memory and returns the result. Nothing is stored, logged, or retained after the response. Zero data retention is an architectural guarantee, not just a policy.
So you go from one third-party processor that retains your customers' personal data, to one that processes it in memory and discards it immediately, plus an LLM provider that now only receives sanitised text.
One thing I kept running into while building SaaS products was PII showing up in unexpected places:
application logs
analytics event streams
CSV exports
support ticket systems
Once personal data gets into those systems it becomes hard to control or redact.
I built an API to detect and anonymise PII across text, JSON and CSV before the data leaves the system.Currently covers ~30 PII categories and maps them to frameworks like GDPR, HIPAA, PCI-DSS and 7 other regulatory frameworks.
Curious how others here deal with this — internal tooling, open source libraries, or just manual processes?