AI Systems in the EU: Designing for GDPR from Day One
A senior architect's guide to building GDPR-compliant AI systems. Trust boundaries, semantic tokenization, policy-driven restore, and real production scenarios.
The Compliance Wall Nobody Warns You About
Here's the thing: most AI architectures are technically illegal in the EU the moment they touch customer data.
Not because the teams don't care. They do. The problem is simpler and more brutal: the default architecture for every AI tutorial, every RAG quickstart, every agent framework sends raw customer data directly to an external model provider. Names, emails, customer IDs, order references, billing data. All of it crosses to infrastructure you don't control. In the EU, under GDPR Articles 44-49, that's a data protection violation before you even get to the interesting parts.
We hit this wall ourselves. We were building an AI-powered customer communication system for an enterprise client in Germany. The demo was brilliant. Personalized, context-aware, formal German with correct gendered salutations. Then legal reviewed the architecture diagram and asked one question:
"Where exactly does the customer's name leave our infrastructure?"
Everything stopped for three weeks. The engineering answer ("OpenAI's API, but they don't train on our data") satisfied nobody. Not the DPO, not legal, not the customer's procurement team.
The industry gives you a false choice: either use AI unsafely with raw data, or strip data until AI becomes useless. We spent months building a third path. It became the foundation for OGuardAI, our open-source semantic data protection runtime. This article is everything we learned.
Why This Matters Beyond Legal
Before we get into architecture: this isn't only a compliance problem. It's a business blocker, a security risk, and an engineering challenge at the same time. You can see how we approach enterprise projects on our methodology page and our full services overview.
| Stakeholder | What They Ask | What They Actually Need |
|---|---|---|
| CEO / Founder | "Can we use AI safely?" | A clear YES with evidence for board and investors |
| CTO / VP Engineering | "What's the architecture?" | Trust boundary model that survives a security audit |
| DPO / Legal | "Where does PII go?" | Proof that raw data never leaves controlled infrastructure |
| Product Owner | "Can we still personalize?" | Confirmation that AI output quality doesn't degrade |
| Senior Engineer | "How do I implement this?" | APIs, SDKs, detection pipeline, restore modes |
| Platform Architect | "Does it scale?" | Multi-tenant, multi-language, multi-policy system design |
If any one of these people says no, your AI project is dead. That's why this architecture must satisfy all of them at once.
The Trust Boundary Model
The most important concept in GDPR-compliant AI architecture is the trust boundary. It's not a library. It's not a config flag. It's an architectural decision about what data crosses to systems you don't fully control. If you're new to how we think about system architecture at Oronts, that guide provides useful context.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β TRUSTED ZONE β
β (Your Infrastructure) β
β β
β ββββββββββββββ ββββββββββββββ ββββββββββββββββββββββββ β
β β Raw PII βββββΆβ Detect βββββΆβ Session Mapping β β
β β Input β β Engine β β (AES-256-GCM β β
β β β β β β encrypted) β β
β ββββββββββββββ βββββββ¬βββββββ ββββββββββββββββββββββββ β
β β β
β βΌ β
β ββββββββββββββββββββ β
β β Tokenized Text β β
β β + entity_contextβ β
β ββββββββββ¬ββββββββββ β
β βββββββββββββββββββββββββͺββββββββββββββββββββββββββββββββββββββββ β
β TRUST β BOUNDARY β
β βββββββββββββββββββββββββͺββββββββββββββββββββββββββββββββββββββββ β
β βΌ β
β βββββββββββββββββββββββββββββββββββββββββββββ β
β β UNTRUSTED ZONE β β
β β (LLM Provider / External API) β β
β β β β
β β Sees: {{person:p_001}}, {{email:e_001}} β β
β β + metadata: gender=female, formality= β β
β β formal, language=de β β
β β Never sees: "Sara Mustermann", β β
β β "sara.mustermann@beispiel.de" β β
β ββββββββββββββββββββββββ¬ββββββββββββββββββββββ β
β β β
β βΌ β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββ β
β β Token Repair βββΆβ Output Guard βββΆβ Rehydrate β β
β β (3-stage) β β (catch new β β (policy-driven β β
β β β β PII) β β restore) β β
β ββββββββββββββββ ββββββββββββββββ ββββββββββββββββββββ β
β β
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
The rule is absolute: raw PII stays inside the trusted zone. Only semantic tokens cross to the untrusted zone. The LLM never sees a real name, a real email, a real phone number, a real IBAN. It sees {{person:p_001}}, {{email:e_001}}, {{phone:ph_001}}.
| Zone | Contains | Never Contains |
|---|---|---|
| Trusted Zone (your runtime) | Raw PII, token mappings, encryption keys, policy rules | β |
| Untrusted Zone (LLMs, tools, logs, vector stores) | Only {{type:id}} tokens + safe metadata | Raw names, emails, IDs, any PII |
| Boundary Crossing | Tokenized text + entity_context metadata | Any raw sensitive value |
This is what closes enterprise deals. Not features. Provable trust boundaries.
Why Naive Masking Destroys AI Output
The first thing every team tries is string replacement: replace "Sara Mustermann" with [NAME], send it to the model, replace [NAME] back.
This fails catastrophically in production:
| Problem | What Happens | Business Impact |
|---|---|---|
| Semantic collapse | [NAME] carries no context, model can't determine gender, formality, or relationship | Generic output that reads like spam |
| German formal address | "Sehr geehrte Frau Mustermann" becomes "Sehr geehrte [NAME]", grammatically broken | Unprofessional communication |
| Multi-entity confusion | Two people in one text, both [NAME], model confuses them | Wrong person gets the refund confirmation |
| Restoration ambiguity | Three [NAME] in the output, which is which? | Data integrity failure |
| Arabic honorifics | Correct honorific prefix depends on gender, status, relationship | Culturally offensive output |
The German formal address problem alone killed our first approach. In German business communication, you need:
- Gender: "Herr" (Mr.) or "Frau" (Ms.). Wrong gender is a serious professional failure
- Correct grammatical case: "Sehr geehrter Herr" vs "Sehr geehrte Frau" (different ending based on gender)
- Title awareness: "Dr." or "Prof." prefix when applicable
- Consistency: The same person must be addressed the same way across a 3-page document
If your model only sees [NAME], it literally cannot produce a correct German formal letter. The output is either grammatically wrong, culturally inappropriate, or so generic that it reads like a template. And generic emails don't convert. This is exactly the kind of AI failure mode that kills enterprise adoption.
Semantic Tokenization: The Architecture That Works
Semantic tokenization is fundamentally different from masking. Instead of removing information, it replaces raw values with tokens that carry enough metadata for the LLM to produce correct output, without ever seeing the actual data.
Token Format and Metadata
{{type:id}}
- type: one of 12+ registered entity types (person, email, phone, company, customer_id, order, address, iban, ssn, ip, passport, health_id)
- id: session-scoped deterministic identifier (prefix + counter:
p_001,e_001,ph_001)
Each token carries structured metadata. This is what makes it semantic, not just a placeholder:
| Field | Values | Purpose | Example |
|---|---|---|---|
gender | male, female, unknown | Grammatical gender for address generation | "Frau" vs "Herr" |
formality | formal, informal | Register control | "Sehr geehrte" vs "Hallo" |
language | ISO 639-1 (de, en, ar, fr...) | Source language of entity | Determines rehydration rules |
role | recipient, sender, subject, reference | Semantic role in conversation | Who gets addressed vs who is mentioned |
belongs_to | Parent token ID | Ownership link | Email e_001 belongs to person p_001 |
This metadata is sent to the LLM as entity_context. It's safe, type-level information that contains zero raw values:
{
"entity_context": [
{
"token": "{{person:p_001}}",
"type": "person",
"gender": "female",
"formality": "formal",
"language": "de",
"role": "recipient"
},
{
"token": "{{email:e_001}}",
"type": "email",
"belongs_to": "p_001"
},
{
"token": "{{customer_id:cid_001}}",
"type": "customer_id"
}
]
}
The model knows it's writing to a formal female German-speaking recipient. It doesn't know her name.
The Detection Pipeline
Detection isn't simple regex. It's a layered system that combines speed with accuracy:
| Layer | Technology | Latency | What It Catches | Confidence |
|---|---|---|---|---|
| Builtin regex | Compiled patterns (Rust) | ~1-5ms | Emails, phones, IBANs, IPs, URLs, SSNs, structured IDs | 0.95-1.0 |
| Pattern heuristics | Context-aware rules | ~2-8ms | Customer IDs (format-specific), order references, dates | 0.80-0.95 |
| NER models | spaCy / transformers (Python sidecar) | ~15-50ms | Person names, company names, addresses, unstructured PII | 0.70-0.95 |
| Custom detectors | User-defined rules | Varies | Domain-specific entities (product codes, internal refs) | Configurable |
In production, you run regex first (fast, high precision for structured data), then NER for unstructured entities. The layered approach means structured PII like emails and IBANs are caught at near-zero latency, while names and addresses get the full NER treatment. For monitoring how this performs over time, see our guide on AI observability.
// Detection configuration example
const config = {
detectors: ["builtin_regex", "ner_spacy"],
entity_types: ["person", "email", "phone", "customer_id", "iban"],
threshold: 0.7, // minimum confidence to tokenize
language: "de" // hint for NER model
};
Full Production Scenario: German Customer Support
Let's walk through a complete production cycle. Not a simplified example, but what actually happens in a real customer communication system.
Input (customer support ticket):
Hallo, ich bin Sara Mustermann. Meine Kundennummer ist 948221.
Ich warte seit 5 Tagen auf meine RΓΌckzahlung.
Meine E-Mail ist sara.mustermann@beispiel.de, bitte schickt mir eine BestΓ€tigung.
Step 1: Detection
| Entity | Type | Confidence | Detector | Metadata |
|---|---|---|---|---|
| Sara Mustermann | person | 0.95 | ner_spacy | gender: female, formality: formal, language: de, role: recipient |
| 948221 | customer_id | 0.99 | builtin_regex | β |
| sara.mustermann@beispiel.de | 1.0 | builtin_regex | belongs_to: p_001 |
Step 2: Tokenized safe text (sent to LLM)
Hallo, ich bin {{person:p_001}}. Meine Kundennummer ist {{customer_id:cid_001}}.
Ich warte seit 5 Tagen auf meine RΓΌckzahlung.
Meine E-Mail ist {{email:e_001}}, bitte schickt mir eine BestΓ€tigung.
Step 3: LLM generates response (model output)
Sehr geehrte {{person:p_001}},
vielen Dank fΓΌr Ihre Nachricht. Es tut uns leid, dass Sie bereits seit
5 Tagen auf Ihre RΓΌckzahlung warten.
Wir haben Ihren Fall unter der Kundennummer {{customer_id:cid_001}}
ΓΌberprΓΌft und die RΓΌckzahlung wurde heute angewiesen. Sie erhalten
eine BestΓ€tigung an {{email:e_001}} innerhalb der nΓ€chsten 24 Stunden.
Mit freundlichen GrΓΌΓen,
Ihr Support-Team
Step 4: Rehydration (output channel: customer_email, restore: formatted)
Sehr geehrte Frau Sara Mustermann,
vielen Dank fΓΌr Ihre Nachricht. Es tut uns leid, dass Sie bereits seit
5 Tagen auf Ihre RΓΌckzahlung warten.
Wir haben Ihren Fall unter der Kundennummer 948221 ΓΌberprΓΌft und die
RΓΌckzahlung wurde heute angewiesen. Sie erhalten eine BestΓ€tigung
an sara.mustermann@beispiel.de innerhalb der nΓ€chsten 24 Stunden.
Mit freundlichen GrΓΌΓen,
Ihr Support-Team
What happened:
- The LLM wrote correct formal German: "Sehr geehrte" (not "Sehr geehrter") because it knew the recipient is female
- "Frau" was prepended automatically during
formattedrestore. The model never decided this - Customer ID restored because the policy allows it for customer-facing emails
- Email restored because the customer explicitly requested confirmation there
- The model never saw "Sara Mustermann", "948221", or "sara.mustermann@beispiel.de"
Three Protection Levels for Different Data
Not all data is equally sensitive. A three-tier model handles this reality. This kind of policy-driven approach is central to how we design AI systems and AI workflow pipelines at Oronts.
Level 1: Hard Masking (Never Reversible)
Applies to: iban, ssn, passport, health_id
These carry regulatory obligations (GDPR Art. 9 special categories, PCI-DSS, HIPAA). Their raw values are never stored in reversible form.
| Action | Behavior | When To Use |
|---|---|---|
block | Request rejected if entity detected | Absolute prohibition (e.g., health data in marketing AI) |
remove | Entity stripped from text entirely | Data minimization, entity isn't needed |
abstract | Replaced with category label: [IBAN on file] | LLM needs to know it exists, not the value |
hard_mask | Fixed-length mask: DE** **** **** **** ** | Preserve format without revealing value |
Level 2: Reversible Tokenization (Policy-Controlled)
Applies to: person, email, phone, company, customer_id, order, address, ip, url
These are tokenized with semantic metadata and restored based on output channel policy. The same tokenization produces different outputs for different audiences:
| Restore Mode | Person | Phone | |
|---|---|---|---|
full | Sara Mustermann | sara.mustermann@beispiel.de | +49 30 12345678 |
partial | S. Mustermann | s***@beispiel.de | ***5678 |
masked | **** ********** | s*************************e | +** ** ******** |
formatted | Frau Sara Mustermann | sara.mustermann@beispiel.de (E-Mail) | +49 30 12345678 (Mobil) |
abstract | (weibliche Kundin) | (E-Mail hinterlegt) | (Telefon hinterlegt) |
none | [REDACTED] | [REDACTED] | [REDACTED] |
The same tokenized data, different policies per channel:
| Output Channel | person | customer_id | iban | |
|---|---|---|---|---|
customer_email | formatted | full | full | none |
internal_summary | full | full | full | partial (last 4) |
export/analytics | abstract | none | abstract | none |
log_safe | none | none | none | none |
This is the key insight: tokenize once, restore differently per channel. The customer gets "Frau Sara Mustermann" in their email. The internal team sees "Sara Mustermann" with full details. The analytics export sees "(female customer)". The audit log sees no PII at all.
Level 3: Semantic Abstraction (Metadata Only)
Applies to: gender, formality, VIP status, department
No raw value is stored. Only semantic metadata flows through the system. The LLM knows the recipient is female and expects formal address. That's enough to produce correct grammar without any raw data involved.
Agentic Workflows: Where It Gets Exponentially Harder
Single LLM calls are the easy case. Agentic AI systems, where an AI agent performs multiple steps with tools, multiply the leak surface exponentially. We cover agent architecture in depth in our multi-agent architecture guide, but here we focus specifically on the data protection challenge.
Consider a support agent workflow:
Step 1: Read ticket β PII in ticket text
Step 2: Look up customer β PII in CRM response
Step 3: Check billing β PII in billing data
Step 4: Draft response β PII in prompt + output
Step 5: Trigger refund β PII in API call
Five steps = five potential leak points. Without protection, data leaks into model context, tool call arguments, intermediate reasoning chains, agent memory, and logs. Each step compounds the risk.
The solution: wrap every trust boundary crossing, not just the final LLM call.
Step 1: Read ticket
β Raw ticket with PII
β TRANSFORM β Agent sees tokenized ticket
Step 2: Look up customer (tool call)
Agent requests: get_customer({{customer_id:cid_001}})
β Runtime intercepts β real ID used for lookup (inside trust boundary)
β Tool response TRANSFORMED before returning to agent
Step 3: Check billing (tool call)
Agent requests: check_billing({{customer_id:cid_001}})
β Same pattern: real ID used internally, response tokenized
Step 4: Draft response
Agent has: tokenized ticket + tokenized customer info + tokenized billing
β Generates response with tokens
β REHYDRATE for customer_email channel
Step 5: Trigger refund (tool call)
Agent requests: issue_refund({{customer_id:cid_001}}, {{order:o_001}})
β Runtime passes real values to refund API (inside trust boundary)
β Confirmation tokenized before returning to agent
The agent never sees raw PII across any step. Tool payloads are governed per-step. Every crossing of the trust boundary is protected. The audit trail shows exactly which entities were detected, tokenized, and restored at each step, without containing any PII itself. For the approval gates that make agent decisions safe, see our guide on human-in-the-loop AI systems.
RAG Pipeline Protection
Retrieval-Augmented Generation introduces a second leak vector: your vector store. If you embed documents with raw PII, your entire retrieval pipeline becomes a GDPR-regulated system. For a deeper look at RAG architecture itself, see our enterprise RAG systems guide and our vector search architecture guide.
Two approaches:
A. Ingestion-Time Tokenization
Documents are tokenized before chunking and embedding:
- Chunks contain
{{person:p_001}}instead of real names - Embeddings are built on tokenized text
- Vector store never contains raw PII
- Trade-off: slightly lower retrieval quality for name-based queries
B. Query-Time Tokenization (Recommended)
Documents stored raw in a controlled environment. At query time:
User: "What is the status of Sara Mustermann's refund?"
β TRANSFORM query: "What is the status of {{person:p_001}}'s refund?"
β RETRIEVE: chunks about refund policies (may contain PII)
β TRANSFORM retrieved chunks: replace PII with tokens
β LLM: generates answer using only tokens
β REHYDRATE: restore per output channel policy
β User sees: personalized answer with real names where allowed
The query-time approach preserves retrieval quality (embeddings match on real terms) while protecting the LLM boundary. The vector store is inside the trusted zone; only the LLM is outside.
Session Architecture: Stateless Security
A production system can't afford server-side session state for every request. We designed sealed sessions: AES-256-GCM encrypted blobs that travel with the request.
Transform request β runtime creates token map
β serializes + encrypts with AES-256-GCM
β returns encrypted blob as session_state
β client stores blob (opaque, tamper-proof)
Rehydrate request β client sends session_state blob back
β runtime verifies GCM authentication tag
β decrypts β resolves tokens β restores values
β no server-side state required
Why this matters architecturally:
| Property | Sealed Sessions | Server-Side Sessions |
|---|---|---|
| Server state | Zero | Requires Redis/DB |
| Horizontal scaling | Trivial, any instance can handle any request | Requires shared session store |
| Failure mode | If blob is lost, rehydration fails gracefully | If Redis is down, everything fails |
| Tamper detection | GCM auth tag, bit-level integrity | Requires HMAC layer on top |
| Multi-turn | Pass blob forward, new blobs for new turns | Session ID + TTL management |
The sealed session envelope contains session ID, tenant ID, policy version, expiration timestamp, and the encrypted token map. All verified by the GCM authentication tag. If a single bit changes, the entire blob is rejected. Fail closed, always.
Token Repair: Handling LLM Imperfections
LLMs are not perfect text processors. When you send {{person:p_001}}, the model might return:
| Mutation | Example | Frequency |
|---|---|---|
| Missing outer braces | {person:p_001} | ~1-2% |
| Capitalized type | {{Person:p_001}} | ~0.5-1% |
| Added spaces | {{ person:p_001 }} | ~0.5% |
| Truncated at token boundary | {{person:p_001 | ~0.3% |
| Split across lines | {{person:\np_001}} | ~0.1% |
A production system needs a three-stage repair pipeline:
- Strict parse: canonical
{{type:id}}regex. Handles ~97% of cases. - Deterministic repair: known mutation patterns (missing braces, case normalization, whitespace collapse). Catches ~2.5%.
- Fuzzy resolve: Levenshtein distance against known tokens in the session. Last resort for the remaining ~0.5%.
Without token repair, your customer-facing emails contain {{person:p_001}} instead of a name. We've seen this happen at ~2-5% rate across different model providers. Some models (GPT-4o, Claude) preserve tokens well; smaller or local models are worse.
Output Guard: Catching Hallucinated PII
Here's a risk most teams miss: the LLM might hallucinate PII that wasn't in the original input. We cover more AI failure modes in a dedicated guide, but this one deserves special attention.
If you ask the model to write a response to {{person:p_001}}, it might invent a phone number, an address, or a colleague's name from its training data. This hallucinated PII is not protected by your tokenization because it was never tokenized.
The solution: a second-pass output guard that runs the detection pipeline on the model's response. If it finds PII that doesn't match any known token in the session, it flags or removes it.
βββββββββββββββββ βββββββββββββββββ βββββββββββββββββ
β LLM Response ββββββΆβ Token Repair ββββββΆβ Output Guard β
β (with tokens)β β (3-stage) β β (detect NEW β
β β β β β PII in output)β
βββββββββββββββββ βββββββββββββββββ ββββββββββ¬ββββββββ
β
βββββββββΌββββββββ
β Rehydrate β
β (restore knownβ
β tokens only) β
βββββββββββββββββ
The model invented a phone number? Caught. Mentioned a real person's name from training data? Caught. Referenced a real company that wasn't in the input? Flagged for review.
Language-Aware Rehydration
German is just the beginning. Every language has grammatical rules that interact with personal data:
| Language | Challenge | Correct Output | Broken Output (naive masking) |
|---|---|---|---|
| German | Gendered formal address | "Sehr geehrte Frau Mustermann" | "Sehr geehrte [NAME]" |
| German | Grammatical case | "Schreiben Sie Herrn Mustermann" (accusative) | "Schreiben Sie [NAME]" |
| Arabic | Honorific prefix + RTL | "Ψ§ΩΨ³ΩΨ―Ψ© Ω ΩΨ³ΨͺΨ±Ω Ψ§Ω Ψ§ΩΩ ΨΨͺΨ±Ω Ψ©" | "[NAME]" |
| French | Gendered articles | "Chère Madame Mustermann" | "Cher/Chère [NAME]" |
| English | Register control | "Dear Ms. Mustermann" vs "Hi Sara" | "Dear [NAME]" |
The token metadata (gender, formality, language) enables correct rehydration in any language. The formatted restore mode applies language-specific rules:
- German formal female: "Frau" + full name β "Frau Sara Mustermann"
- German formal male: "Herr" + full name β "Herr Refaat K."
- Arabic formal female: honorific prefix in RTL β "Ψ§ΩΨ³ΩΨ―Ψ© Ω ΩΨ³ΨͺΨ±Ω Ψ§Ω"
- French formal female: "Madame" + family name β "Madame Mustermann"
The LLM produces the right grammatical structure because it knows the token represents a formal female recipient. It doesn't know her name. But the output is grammatically perfect.
Audit Trails That Don't Create New Liabilities
Your logging infrastructure becomes a GDPR liability the moment you log raw prompts. Your Datadog, CloudWatch, and Elasticsearch all become systems that process personal data. Each one then requires its own GDPR documentation, retention policies, and data subject access procedures.
The rule: log tokens, never values.
// Correct: audit-safe structured log
{
"event": "transform_complete",
"session_id": "ses_a8f3c2",
"entities_detected": 3,
"entity_types": ["person", "email", "customer_id"],
"token_ids": ["p_001", "e_001", "cid_001"],
"policy_applied": "german-support",
"protection_levels": [2, 2, 2],
"detection_time_ms": 8,
"transform_time_ms": 12
}
// Wrong: PII in logs. Now your entire log pipeline is GDPR-regulated
{
"event": "transform_complete",
"original_name": "Sara Mustermann", // PII in logs!
"original_email": "sara.mustermann@beispiel.de", // PII in logs!
"prompt": "Hallo, ich bin Sara Mustermann..." // PII in logs!
}
Every operation is fully auditable: you can trace that p_001 was detected by ner_spacy with confidence 0.95, tokenized under the german-support policy, and restored with formatted mode on the customer_email channel. You can reconstruct the complete chain. But the audit trail itself contains zero PII.
This satisfies:
- GDPR Art. 30: Records of processing activities. You can demonstrate exactly what happens with personal data.
- GDPR Art. 35: Data Protection Impact Assessment. Your audit trail proves the architecture works without itself being a data risk.
- GDPR Art. 5(1)(c): Data minimization. Only necessary data is processed, and only in tokenized form outside the trust boundary.
CRM Copilot: Same Data, Different Channels
Let's look at a CRM scenario where the same input produces different outputs per channel. This is the kind of custom software architecture we build for enterprise clients on a regular basis.
CRM record input:
{
"contact_name": "Refaat K.",
"email": "r.k@oronts.com",
"company": "Oronts GmbH",
"deal_value": "β¬125,000",
"quote_id": "Q-2026-0847",
"last_interaction": "Discussed pricing, needs board approval"
}
Tokenized prompt to LLM:
Draft a follow-up email to {{person:p_001}} at {{company:c_001}}.
Context: discussed pricing, needs board approval.
Deal reference: {{order:o_001}}.
Tone: professional, friendly, not pushy.
The LLM never sees "Refaat K.", "Oronts GmbH", "β¬125,000", or the quote ID. It drafts a follow-up email with tokens.
Policy decisions per entity and output channel:
| Entity | Type | customer_email | internal_summary | analytics_export |
|---|---|---|---|---|
| Refaat K. | person | full | full | abstract |
| r.k@oronts.com | none (not in body) | full | none | |
| Oronts GmbH | company | full | full | abstract |
| β¬125,000 | order | none (never outbound) | full | abstract |
| Q-2026-0847 | order | full (needed as ref) | full | none |
Same tokenization. Three completely different outputs. The customer email contains the name and quote reference but never the deal value. The internal summary contains everything. The analytics export contains only anonymized aggregates.
Implementation Roadmap
If this feels like a lot to implement on your own, our consulting team has guided multiple enterprise clients through this exact process. You can also request a quote for a trust boundary architecture review.
Phase 1: Map Your Data Flows
- Inventory every place PII enters your AI pipeline (prompts, RAG chunks, tool calls, agent memory, error messages, logs)
- Identify what data the LLM actually needs vs what it currently receives
- Draw the trust boundary: what stays inside, what crosses
Phase 2: Build Detection
- Start with regex for structured PII (emails, phones, IBANs). This is fast and high-precision.
- Add NER for names and addresses. Use spaCy or transformers with language-specific models.
- Set confidence thresholds: 0.95+ for regex, 0.70+ for NER
- Test false-negative rate. Missed PII is worse than false positives.
Phase 3: Implement Tokenization
- Define your token format (
{{type:id}}) and metadata schema - Build the session mapping with sealed encryption (AES-256-GCM)
- Implement protection levels per entity type
- Create policies per output channel
Phase 4: Rehydration Pipeline
- Token repair (strict β deterministic β fuzzy)
- Output guard (detect hallucinated PII in model responses)
- Policy-driven restore modes per channel
- Language-aware formatting (gendered address, honorifics)
Phase 5: Compliance Integration
- Structured audit logging (token IDs, never values)
- GDPR Art. 30 processing records
- GDPR Art. 35 DPIA with architecture evidence
- Integrate with your DPO's review process
- See our trust and compliance overview for how we document these guarantees for clients
Common Pitfalls
- Logging raw prompts. Your Datadog becomes a GDPR-regulated system overnight. Log token IDs, never values.
- Skipping token repair. 2-5% of LLM responses will have mangled tokens. Your customer sees
{{person:p_001}}instead of a name. - No output guard. The model hallucinates PII from training data. You just leaked someone else's real phone number.
- Same restore mode everywhere. Customer emails and analytics dashboards need fundamentally different levels of detail.
- Ignoring agent workflows. A 5-step agent has 5+ leak points. Protecting only the final LLM call is like locking the front door with windows open.
- "Let's self-host our own LLM." Costs 10x more, takes 6+ months, and you still need data governance. The problem is architecture, not hosting.
- Treating compliance as afterthought. Legal will block your deployment six weeks before launch. Involve them from day one.
- No sealed sessions. Server-side session state means your Redis cluster becomes a single point of failure for every AI request.
- Language-unaware masking.
[NAME]in German formal correspondence is an immediate professional credibility loss. - Embedding PII in vectors. Your vector database becomes the largest unaudited PII store in your infrastructure.
Key Takeaways
- The trust boundary is an architecture decision, not a library. Draw it, enforce it at every crossing, audit it without PII in logs.
- Semantic tokenization preserves AI quality where naive masking destroys it. The model gets gender, formality, and language metadata. That's enough for correct grammar without raw values.
- Three protection levels match real-world data sensitivity: hard-mask the regulated, tokenize the useful, abstract the metadata.
- Policy-driven restore means one tokenization serves all channels: customer emails get formatted names, analytics gets abstract labels, logs get nothing.
- Agentic workflows multiply risk exponentially. Every tool call, every reasoning step, every memory write is a potential leak point. Protect every boundary crossing.
- Sealed sessions eliminate server state. AES-256-GCM encrypted blobs travel with the request, scale horizontally, and fail closed on tampering.
- Language-aware rehydration is the difference between "Dear [NAME]" and "Sehr geehrte Frau Mustermann". That difference determines whether your enterprise client approves the system.
Building AI systems that are both powerful and GDPR-compliant isn't a contradiction. It's an architecture problem. The solution is about drawing the right trust boundaries, preserving the right metadata, and controlling restoration per output channel.
We built OGuardAI as an open-source runtime for exactly this problem. Detect, transform, rehydrate with semantic tokenization, sealed sessions, and policy-driven restore. It's the architecture described in this article, packaged as a production-ready system.
If you're evaluating AI architectures for your business, our AI services cover the full stack from trust boundary design to production deployment. You can also explore our approach to data protection and compliance, or read more about how we handle enterprise AI orchestration and AI governance in production.
Ready to design a GDPR-compliant AI architecture? Talk to our team or request a quote. We've shipped this for production systems processing thousands of customer interactions daily across German, Arabic, French, and English.
Topics covered
Related Guides
Enterprise Guide to Agentic AI Systems
Technical guide to agentic AI systems in enterprise environments. Learn the architecture, capabilities, and applications of autonomous AI agents.
Read guideAgentic Commerce: How to Let AI Agents Buy Things Safely
How to design governed AI agent-initiated commerce. Policy engines, HITL approval gates, HMAC receipts, idempotency, tenant scoping, and the full Agentic Checkout Protocol.
Read guideThe 9 Places Your AI System Leaks Data (and How to Seal Each One)
A systematic map of every place data leaks in AI systems. Prompts, embeddings, logs, tool calls, agent memory, error messages, cache, fine-tuning data, and agent handoffs.
Read guideReady to build production AI systems?
Our team specializes in building production-ready AI systems. Let's discuss how we can help transform your enterprise with cutting-edge technology.
Start a conversation