AegisPlane

Stop personal data before it reaches the model.

GDPR fines reach 20M€ or 4% of global turnover. AegisPlane scans every AI request for personal data and redacts it in flight, before it leaves for a provider. You get a logged record of how each request was handled.

No code changes. Live on your traffic in a day.

  • 20M€ or 4% of turnover
  • In-flight PII redaction
  • 0 code changes
  • 12 frameworks & standards checked
  • 11 LLM providers, one gateway
  • Article-level policy engine (OPA)
  • Every request logged as evidence

One control sits in front of every model your teams already call, checking each request against the standards your auditors recognize.

The framework

What is the GDPR?

Every AI prompt can carry personal data you are accountable for. The GDPR is the EU's data-protection law. It demands a lawful basis to process personal data, limits use to the stated purpose, and mandates data minimization. It applies to anyone handling the personal data of people in the EU.

  • Requires a lawful basis (consent, contract, legitimate interest, etc.) to process personal data.
  • Enforces purpose limitation and data minimization.
  • Restricts transfers of personal data outside the EU.
  • Fines reach €20M or 4% of global annual turnover, whichever is higher.

What it requires

What the GDPR requires

The regulation sets duties at every stage of processing. AegisPlane enforces the ones observable at the AI call.

1. A lawful basis

You need consent, contract, or another legal ground to process personal data. Requests without a documented basis are flagged.

2. Data minimization

Only the data you need, for the purpose stated. PII beyond that purpose is redacted before the request leaves.

3. Data subject rights

People can access, correct, and erase their data. Per-request logs make it clear what was processed and when.

4. Security of processing

Article 32 requires appropriate safeguards. Personal data is redacted in flight and transfers you have not approved are blocked.

See it work

One request, checked in real time

Here is one interaction. AegisPlane classifies the request, checks it against the framework, blocks what it must, and logs the decision as evidence. It happens in milliseconds, on live traffic.

Business value

  • Reduces risk in personal-data processing.
  • Improves privacy control in AI operations.
  • Provides stronger compliance evidence.

In the AI Control Plane

How AegisPlane enforces GDPR principles at runtime

AegisPlane treats every AI call as a potential data-processing event. In the AI Control Plane (AICP), personal data is detected and redacted before it ever leaves for a third-party model.

01. Turn it on in config

Enable the GDPR pack as versioned config; it compiles into a signed policy bundle with no changes to your application code.

02. Checked at the gateway

Each request is evaluated for personal-data handling (purpose limitation, minimization, and lawful basis) by the OPA policy engine before it reaches the provider.

03. PII redacted in-flight

Presidio-based redaction strips names, emails, IDs, and other identifiers before the request leaves your perimeter, and rehydrates on return within the same request scope.

04. Logged as evidence

Each processing decision is recorded so you can show a data protection authority exactly how personal data was handled.
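
As an added illustration (not AegisPlane's code), the request-scoped redaction and rehydration described in step 03 and in the FAQ can be sketched as follows. Simple regexes stand in for Presidio detection, and `RequestScope`, `handle`, the placeholder format and the sample data are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Regex stand-ins for a real detector such as Presidio (assumption: the page
# does not show its recognizers). Emails are masked before phone numbers.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("PHONE", re.compile(r"\+?\d[\d ()-]{7,}\d")),
]
PLACEHOLDER = re.compile(r"<(?:EMAIL|PHONE)_\d+>")


@dataclass
class RequestScope:
    """Holds the placeholder mapping for exactly one request/response pair."""
    forward: dict = field(default_factory=dict)   # original value -> placeholder
    reverse: dict = field(default_factory=dict)   # placeholder -> original value

    def redact(self, text: str) -> str:
        for label, pattern in PATTERNS:
            def mask(m, label=label):
                value = m.group(0)
                if value not in self.forward:      # same value, same placeholder
                    token = f"<{label}_{len(self.forward) + 1}>"
                    self.forward[value] = token
                    self.reverse[token] = value
                return self.forward[value]
            text = pattern.sub(mask, text)
        return text

    def rehydrate(self, text: str) -> str:
        # Unknown placeholders (e.g. invented by the model) are left untouched.
        return PLACEHOLDER.sub(lambda m: self.reverse.get(m.group(0), m.group(0)), text)


def handle(prompt: str, call_provider) -> tuple[str, str]:
    """Redact, call the provider, rehydrate; the mapping dies with `scope`."""
    scope = RequestScope()
    outbound = scope.redact(prompt)
    reply = call_provider(outbound)
    return outbound, scope.rehydrate(reply)


# Constructed sample input and a fake provider standing in for the model call.
SAMPLE = "Email anna@example.com or call +49 30 1234567; cc anna@example.com."

def fake_provider(text: str) -> str:
    return "Will contact <EMAIL_1> and <PHONE_2>, not <EMAIL_9>."
```

Because the mapping lives only inside `handle`, a placeholder seen outside that request cannot be resolved back to the original value.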

FAQ

Frequently asked questions

Redaction is request-scoped: identifiers are masked before the provider call and rehydrated on the response within that same request. It is not a durable token vault; the mapping does not persist beyond the interaction.

Common PII such as names, emails, phone numbers, and national IDs, using Presidio-based detection, plus custom patterns you configure.

If you process the personal data of people in the EU (including through an AI feature they use) the GDPR generally applies to that processing.

It flags and can block requests that would send personal data to a provider or region you haven't approved, and logs the decision.

No. It is an operational control and evidence source that supports your data-protection program; legal accountability stays with you.

Why now

Continuous checks and evidence, not a stale annual assessment

Regulators are already fining AI data misuse. Redact before it leaves, not after. Every selected framework is checked on live AI traffic and the decision is logged as evidence, so audit prep stops being a fire drill. No code changes.