AI that respects GDPR by design.
EU data residency, data minimization, lawful retention, and a deletion path that actually reaches your vector store. I build AI features that handle personal data the way European law expects, using OpenAI, Claude, or a self-hosted model where residency demands it.
What I build in
EU data residency
Model endpoint, vector store, database, and logs kept in EU regions - or a self-hosted model when a provider cannot guarantee it.
Data minimization
Redaction and pseudonymization before data ever reaches a model, so you send the minimum that does the job.
Right to be forgotten
A deletion path that traverses source data, the vector index, caches, and fine-tuning sets - with a record proving it ran.
Retention and no-training
Zero-retention API tiers, signed DPAs, and no-training flags configured and verified, not assumed.
Audit-ready logging
Records of processing and access logs that make a data-subject request or an audit a quick task, not a fire drill.
Prompt-injection and leak defense
Input and output guardrails so an injected instruction cannot easily pull personal data out of the model's context, and minimization so there is less in context to pull.
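The data minimization item above (redact and pseudonymize before anything reaches the model) is the kind of step teams describe but rarely show. The following is an added example, not code from this page or from the author's projects: it swaps e-mail addresses and phone numbers for keyed-HMAC tokens before the outbound call, keeps the token-to-value mapping locally, and puts the values back into the model's reply. The regex detectors, the sample ticket and the key are constructed for the example; a real pass covers more identifier types and is tested against your own data.

```python
import hashlib
import hmac
import re

# Detectors for the identifier types this example covers. Constructed for the
# example: a production pass adds IBANs, national IDs, postal addresses and a
# name recogniser, and is validated against real tickets.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}


def pseudonymize(text, key):
    """Replace identifiers with stable tokens the model can reason about.

    Tokens are truncated HMACs, so the same value gets the same token under
    one key (the model still sees that two mentions are the same person)
    while the token itself reveals nothing. The mapping back to the original
    value is returned separately and never leaves your infrastructure.
    """
    vault = {}

    def replace(kind):
        def _repl(match):
            value = match.group(0)
            digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
            token = f"<{kind}_{digest}>"
            vault[token] = value
            return token
        return _repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(replace(kind), text)
    return text, vault


def rehydrate(text, vault):
    """Put the original values back into the model's reply, locally."""
    for token, value in vault.items():
        text = text.replace(token, value)
    return text


def leaked(text, vault):
    """Pre-flight check before the outbound call: no original value may remain."""
    return [v for v in vault.values() if v in text]


if __name__ == "__main__":
    # Constructed sample ticket; the key would come from your secret store and
    # be rotated per tenant to bound how long tokens stay linkable.
    ticket = ("Customer jan.devries@example.org (+31 6 1234 5678) asks why "
              "jan.devries@example.org was billed twice.")
    safe, vault = pseudonymize(ticket, key=b"rotate-me-per-tenant")
    assert not leaked(safe, vault)
    # Stand-in for the model call: a reply that reuses a token it was given.
    reply = f"Tell {next(iter(vault))} the duplicate charge is refunded."
    print(safe)
    print(rehydrate(reply, vault))
```

Keying the tokens per tenant and rotating the key bounds how long two requests can be linked through identical tokens; the vault lives beside your application, never in the prompt log.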
Pricing
| Scope | Timeline | Price |
|---|---|---|
| Privacy pass on an existing AI feature (residency, retention, deletion) | 1-3 weeks | $3.5K-$15K |
| Privacy-by-design build with EU residency and audited deletion | 3-6 weeks | $15K-$45K |
| Hourly retainer post-launch | Ongoing | $100/hr |
Engineering only. Legal drafting, DPAs, and sign-off sit with your counsel or DPO.
Frequently asked questions
Can I use OpenAI or Claude and still be GDPR-compliant?
Yes, with the right setup. Both Anthropic and OpenAI offer data processing agreements and zero-retention or no-training options on their API tiers. For residency, OpenAI models are served from EU regions of Azure OpenAI, and Claude from EU regions of Amazon Bedrock and Google Vertex AI; confirm that the specific model you need is actually available in that region and that the cloud provider's DPA covers it. The compliance work is choosing the right tier, signing the DPA, configuring retention, and keeping personal data minimized. I handle the technical side of that.
How do you keep AI data inside the EU?
Three levers: pick an EU region for the model endpoint (Bedrock, Vertex, or Azure OpenAI in Frankfurt, Dublin, or similar), keep your vector store and database in the EU, and route logs and analytics to EU infrastructure. Region pinning is only half of it: confirm that the provider's cross-region routing or data-zone setting keeps inference inside the EU, and that backups, prompt caches, and error-reporting tools follow the same rule. Where a provider cannot guarantee EU processing, I move that step to a self-hosted open-source model instead.
What about the right to be forgotten with RAG and embeddings?
This is the part most teams get wrong. When a user asks to be deleted, their data has to come out of the source store, the vector index, any caches, and any fine-tuning set. I build a deletion path that actually traverses all of those, with a verifiable record that it happened. Embeddings of personal data are personal data. Two caveats: the traversal only works if every chunk, vector, and cached answer was tagged with the data subject at ingestion, and removing rows from a fine-tuning set keeps them out of the next training run but does not undo a model already trained on them, which has to be retrained or retired.
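The deletion path described in the "Right to be forgotten" item and in this answer, as an added example that is not the author's code or any product's API. It uses constructed in-memory stand-ins for the four stores (source documents, vector index, response cache, fine-tuning set), deletes one data subject from each, re-scans for residue, and emits a record of the run under an HMAC so the counts and completion status cannot be edited afterwards without detection. The store layout, subject ids and audit key are assumptions made for the example; the point that carries over is that every record is tagged with its data subject at ingestion, because there is no other reliable way to find a person's vectors later.

```python
import hashlib
import hmac
import json
import time


def build_stores():
    """Constructed stand-ins for the real stores. Every record carries the
    data subject's id as metadata; without that tag at ingestion time there
    is no reliable way to find a person's chunks and vectors later."""
    return {
        "source": {
            "doc-1": {"subject": "u42", "text": "Jan's support ticket"},
            "doc-2": {"subject": "u7", "text": "Unrelated release note"},
        },
        "vectors": [
            {"id": "doc-1#0", "subject": "u42", "vec": [0.1, 0.9]},
            {"id": "doc-1#1", "subject": "u42", "vec": [0.3, 0.7]},
            {"id": "doc-2#0", "subject": "u7", "vec": [0.8, 0.2]},
        ],
        # Response cache: each entry records whose data was in context.
        "cache": {
            "q-abc": {"subjects": {"u42"}, "answer": "Jan was billed twice"},
            "q-def": {"subjects": {"u7"}, "answer": "v2 ships Friday"},
        },
        "finetune": [
            {"subject": "u42", "prompt": "...", "completion": "..."},
            {"subject": "u7", "prompt": "...", "completion": "..."},
        ],
    }


def find_residue(stores, subject):
    """Every record still referencing the subject. Empty means the erasure held."""
    hits = [f"source:{k}" for k, v in stores["source"].items() if v["subject"] == subject]
    hits += [f"vectors:{v['id']}" for v in stores["vectors"] if v["subject"] == subject]
    hits += [f"cache:{k}" for k, v in stores["cache"].items() if subject in v["subjects"]]
    hits += [f"finetune:{i}" for i, r in enumerate(stores["finetune"]) if r["subject"] == subject]
    return hits


def erase_subject(stores, subject, audit_key, now=None):
    """Delete a subject from every store, re-check, and emit a keyed record."""
    deleted = {}

    n = len(stores["source"])
    stores["source"] = {k: v for k, v in stores["source"].items() if v["subject"] != subject}
    deleted["source"] = n - len(stores["source"])

    n = len(stores["vectors"])
    stores["vectors"] = [v for v in stores["vectors"] if v["subject"] != subject]
    deleted["vectors"] = n - len(stores["vectors"])

    # A cached answer built on the subject's data may quote it, so the whole
    # entry goes, not just the subject tag.
    n = len(stores["cache"])
    stores["cache"] = {k: v for k, v in stores["cache"].items() if subject not in v["subjects"]}
    deleted["cache"] = n - len(stores["cache"])

    # Dropping the rows keeps the data out of the next training run; a model
    # already fine-tuned on them has to be retrained or retired separately.
    n = len(stores["finetune"])
    stores["finetune"] = [r for r in stores["finetune"] if r["subject"] != subject]
    deleted["finetune"] = n - len(stores["finetune"])

    residue = find_residue(stores, subject)
    record = {
        "subject": subject,
        "erased_at": time.time() if now is None else now,
        "deleted": deleted,
        "residue": residue,
        "complete": not residue,
    }
    record["mac"] = _mac(record, audit_key)
    return record


def _mac(record, audit_key):
    """HMAC over the canonical JSON of the record without its mac field."""
    body = {k: v for k, v in record.items() if k != "mac"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(audit_key, payload, hashlib.sha256).hexdigest()


def verify_record(record, audit_key):
    """True only if the record is intact; any edit to counts or status breaks it."""
    return hmac.compare_digest(record["mac"], _mac(record, audit_key))


if __name__ == "__main__":
    stores = build_stores()
    # Assumed: the audit key is held in a KMS, separate from application keys.
    rec = erase_subject(stores, "u42", audit_key=b"audit-log-key-from-kms")
    print(json.dumps(rec, indent=2))
```

Against a real stack the four list comprehensions become a SQL delete, a metadata-filtered delete on the vector index, a cache invalidation keyed by subject, and a rewrite of the fine-tuning export; the re-scan and the keyed record stay as they are, and the record is what you hand over when the data subject or an auditor asks for proof.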
Is this the same as EU AI Act compliance?
Related but separate. GDPR governs personal data; the EU AI Act governs AI systems by risk. Many products need both. I implement the technical controls for each - see my EU AI Act compliant development service for the AI Act side - and your legal counsel owns the legal interpretation.
Do you provide the DPA and legal documents?
I implement the technical and organizational measures and document them, which is what your DPA and records of processing reference. I do not draft legal contracts - that is your counsel or DPO. I make sure what the documents promise is actually true in the code.
How much does GDPR-compliant AI cost?
A privacy pass on an existing AI feature (residency, retention, deletion path) is typically $3.5K-$15K. A full privacy-by-design build with EU residency and audited deletion is $15K-$45K. Scoped precisely after a free 30-minute call.