GDPR Compliance
This guide maps SIX capabilities to General Data Protection Regulation (GDPR) requirements, with emphasis on data sovereignty, cross-border transfer verification, and the Schrems II implications for AI processing.
Self-Attested Alignment
This mapping represents architectural alignment with GDPR requirements, not formal certification or legal advice. Your Data Protection Officer (DPO) and legal counsel make the final determination of GDPR compliance. SIX provides cryptographic tools that support your data protection framework.
Why GDPR Matters for AI
When personal data is processed through AI systems, GDPR requires you to demonstrate:
- Where the data was processed (data sovereignty / transfer restrictions)
- That processing was lawful and documented (accountability principle)
- That data integrity was maintained (security of processing)
- That you can prove all of the above (documentation and audit)
After the Schrems II decision, proving data location is no longer optional -- it is a regulatory requirement for transfers outside the EEA.
Schrems II and Data Non-Transfer
The Challenge
The Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework in the Schrems II decision (C-311/18). Organizations must now demonstrate, on a case-by-case basis, that personal data transferred outside the EEA receives adequate protection.
For AI workloads, this creates a specific challenge: How do you prove that personal data sent to an AI model was actually processed in the required jurisdiction?
The SIX Solution
SIX provides cryptographic proof of data location through routing attestation:
| Schrems II Requirement | SIX Capability |
|---|---|
| Verify data was processed in the EEA | Routing field proves compute location |
| Document transfer safeguards | Signed receipts provide verifiable documentation |
| Demonstrate adequate protection | Sovereign routing enforces boundary controls |
| Enable supervisory authority review | Receipts are independently verifiable |
```bash
# Ensure EEA processing with sovereign routing
curl -X POST "$SIX_ENDPOINT/v1/chat/completions" \
  -H "Authorization: Bearer $SIX_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "model": "default",
    "messages": [
      {"role": "user", "content": "Your prompt involving personal data"}
    ],
    "privacy_tier": "sovereign"
  }'
```
The receipt's `routing: "sovereign"` field, backed by cryptographic attestation, proves that the data was processed within the specified boundary. This is not a contractual claim -- it is a verifiable, mathematical proof.
GDPR Article Mapping
Article 5 -- Principles Relating to Processing
| Principle | GDPR Requirement | SIX Capability |
|---|---|---|
| Integrity and confidentiality (Art. 5(1)(f)) | Appropriate security of personal data | Tamper-evident receipts, sovereign routing, encrypted transit |
| Accountability (Art. 5(2)) | Demonstrate compliance with principles | Signed receipts and verification results serve as compliance evidence |
Article 24 -- Responsibility of the Controller
| Requirement | SIX Support |
|---|---|
| Implement appropriate technical measures | Sovereign routing, cryptographic authentication, signed receipts |
| Demonstrate that processing is GDPR-compliant | Receipt verification provides auditable compliance evidence |
Article 25 -- Data Protection by Design and by Default
| Requirement | SIX Support |
|---|---|
| Technical measures by design | Privacy tiers enforce data boundary controls at the routing layer |
| Data protection by default | Configurable default privacy tier for all requests |
Article 28 -- Processor Obligations
| Requirement | SIX Support |
|---|---|
| Sufficient guarantees of appropriate measures | Cryptographic controls provide verifiable guarantees |
| Processing only on documented instructions | API call records + receipts document every instruction |
| Auditing rights for controller | Independent receipt verification available to controllers |
Article 30 -- Records of Processing Activities
| Requirement | SIX Support |
|---|---|
| Maintain processing records | Every inference generates a signed, storable receipt |
| Categories of processing | Privacy tier and routing documented per receipt |
| International transfers | Routing attestation documents data location |
Articles 44-49 -- International Transfers
| Requirement | SIX Support |
|---|---|
| Adequate protection for transfers | Sovereign routing prevents transfers outside boundary |
| Appropriate safeguards | Cryptographic attestation proves boundary enforcement |
| Documentation of transfer assessment | Receipts provide evidence for Transfer Impact Assessments (TIA) |
Privacy Tiers and GDPR
SIX privacy tiers map directly to GDPR data protection requirements:
| Privacy Tier | Data Boundary | GDPR Suitability |
|---|---|---|
| `standard` | Provider boundary | Non-personal data workloads only |
| `sovereign` | Your organizational boundary | Personal data (recommended) |
| `confidential` | Hardware-isolated environment | Special category data (Art. 9) |
Use `sovereign` or `confidential` for personal data
The `standard` tier uses shared compute. For any workload involving personal data subject to GDPR, specify `"privacy_tier": "sovereign"` or `"privacy_tier": "confidential"`.
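A fail-closed pre-send check for the tier guidance above, as an added example (not SIX's own code). The tier names come from this page; the classification labels, `TierPolicyError` and `check_privacy_tier` are hypothetical names, and the tier ordering is inferred from the table.

```python
# Added example: refuse to send a request whose "privacy_tier" is weaker than
# the minimum this page recommends for the data being processed.

# Ordering inferred from the page: confidential adds hardware isolation on top
# of the boundary enforcement that sovereign provides.
TIER_RANK = {"standard": 0, "sovereign": 1, "confidential": 2}

# Classification labels are assumptions; the minimum tiers follow the table.
MIN_TIER = {
    "non_personal": "standard",
    "personal": "sovereign",
    "special_category": "confidential",  # GDPR Art. 9 data
}


class TierPolicyError(ValueError):
    """Raised when a request payload must not be sent as-is."""


def check_privacy_tier(payload: dict, classification: str) -> str:
    """Return the tier that will be sent, or raise TierPolicyError."""
    if classification not in MIN_TIER:
        raise TierPolicyError(f"unknown data classification: {classification!r}")

    tier = payload.get("privacy_tier")
    if tier is None:
        # Fail closed: do not depend on whatever default tier is configured.
        raise TierPolicyError("privacy_tier must be set explicitly")
    if tier not in TIER_RANK:
        raise TierPolicyError(f"unknown privacy_tier: {tier!r}")

    required = MIN_TIER[classification]
    if TIER_RANK[tier] < TIER_RANK[required]:
        raise TierPolicyError(
            f"{classification} data requires at least {required!r}, got {tier!r}"
        )
    return tier
```

Call it on the request body before the HTTP call so a missing or downgraded tier is caught client-side rather than discovered later in a receipt.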
Data Processing Agreement (DPA)
GDPR Article 28 requires a Data Processing Agreement between controllers and processors. SIX DPAs address:
| DPA Element | Coverage |
|---|---|
| Subject matter and duration | Defined per engagement |
| Nature and purpose of processing | AI inference with cryptographic attestation |
| Types of personal data | As specified by controller |
| Controller obligations | Receipt storage, verification, access control |
| Processor obligations | Sovereign routing, attestation, receipt generation |
| Sub-processor management | Documented and controllable |
| Audit rights | Independent receipt verification at any time |
| Data deletion | Configurable retention with verifiable deletion |
GDPR-compliant Data Processing Agreements are available for qualifying organizations. Contact us to discuss DPA requirements.
Transfer Impact Assessment (TIA) Support
After Schrems II, organizations must conduct Transfer Impact Assessments for data transferred outside the EEA. SIX receipts provide evidence for TIAs:
| TIA Element | SIX Evidence |
|---|---|
| Data location verification | Routing attestation in receipt |
| Technical safeguards | Encryption in transit, sovereign routing, signed receipts |
| Access control measures | Cryptographic authentication, API key management |
| Effectiveness of measures | Independent verification proves controls are active and effective |
Generating TIA Evidence
```python
# Verify that all recent inferences used sovereign routing.
# verify_receipt() and recent_receipt_ids are assumed to be defined
# elsewhere; they are not shown on this page.
tia_evidence = []
for receipt_id in recent_receipt_ids:
    result = verify_receipt(receipt_id)
    # Raise explicitly instead of using assert: assertions are skipped
    # when Python runs with -O, which would let failures pass silently.
    if result["status"] != "verified":
        raise RuntimeError(f"Receipt {receipt_id} failed verification")
    if result["receipt"]["routing"] != "sovereign":
        raise RuntimeError(f"Receipt {receipt_id} did not use sovereign routing")
    tia_evidence.append({
        "receipt_id": receipt_id,
        "routing": result["receipt"]["routing"],
        "verified": result["status"],
        "attestation_integrity": result["attestation"]["integrity"],
    })
# tia_evidence now documents that all processing
# occurred within the sovereign boundary
```
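A batch variant of the check above that keeps going after a failure and records every non-conforming receipt, as an added example (not SIX's own code). It reads the same result fields as the snippet above; `build_tia_evidence`, the sample receipt IDs and the sample field values are constructed for illustration.

```python
import hashlib
import json


def build_tia_evidence(results: dict, required_routing: str = "sovereign") -> dict:
    """Split verification results into TIA evidence rows and failures.

    `results` maps receipt_id -> verification result, using the fields the
    page's snippet reads: status, receipt.routing, attestation.integrity.
    """
    evidence, failures = [], []
    for receipt_id, result in sorted(results.items()):
        try:
            status = result["status"]
            routing = result["receipt"]["routing"]
            integrity = result["attestation"]["integrity"]
        except (KeyError, TypeError):
            # A result missing any field is a failure, never silent evidence.
            failures.append({"receipt_id": receipt_id, "reason": "malformed result"})
            continue
        if status != "verified":
            failures.append({"receipt_id": receipt_id, "reason": f"status={status}"})
        elif routing != required_routing:
            failures.append({"receipt_id": receipt_id, "reason": f"routing={routing}"})
        else:
            evidence.append({
                "receipt_id": receipt_id,
                "routing": routing,
                "verified": status,
                "attestation_integrity": integrity,
            })
    # Digest over canonical JSON so later edits to the stored rows are detectable.
    canonical = json.dumps(evidence, sort_keys=True, separators=(",", ":"))
    return {
        "evidence": evidence,
        "failures": failures,
        "complete": not failures,  # True only if every receipt conformed
        "evidence_sha256": hashlib.sha256(canonical.encode()).hexdigest(),
    }


# Constructed sample verification results (not real SIX output).
SAMPLE_RESULTS = {
    "rcpt-001": {"status": "verified", "receipt": {"routing": "sovereign"},
                 "attestation": {"integrity": "valid"}},
    "rcpt-002": {"status": "verified", "receipt": {"routing": "standard"},
                 "attestation": {"integrity": "valid"}},
    "rcpt-003": {"status": "failed", "receipt": {"routing": "sovereign"},
                 "attestation": {"integrity": "invalid"}},
    "rcpt-004": {"status": "verified", "receipt": {}},
}
```

A report with `complete` set to `False` lists each receipt that needs follow-up before the evidence is attached to a TIA.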
Data Subject Rights
SIX receipts support responses to data subject access requests (DSARs):
| Right | How SIX Helps |
|---|---|
| Right of access (Art. 15) | Receipts document what processing occurred and when |
| Right to rectification (Art. 16) | Receipts prove whether data was altered in processing |
| Right to erasure (Art. 17) | Configurable data retention with verifiable deletion |
| Right to data portability (Art. 20) | Receipts are standard JSON, portable to any system |
Special Category Data (Article 9)
For special category personal data (health data, biometric data, etc.), use the confidential privacy tier:
```json
{
  "model": "default",
  "messages": [
    {"role": "user", "content": "Process involving special category data"}
  ],
  "privacy_tier": "confidential"
}
```
The confidential tier provides hardware-level isolation in addition to boundary enforcement.
Full documentation for the confidential privacy tier, including hardware attestation details and isolation guarantees, is available to NDA partners.
GDPR Compliance Checklist
| Item | Action | Status |
|---|---|---|
| DPA executed | Data Processing Agreement in place | |
| Privacy tier configured | `sovereign` or `confidential` for personal data | |
| ROPA updated | Records of Processing Activities include AI workloads | |
| TIA completed | Transfer Impact Assessment using receipt evidence | |
| Receipt storage | Receipts retained per data retention policy | |
| Verification pipeline | Periodic independent verification running | |
| DSAR procedures | Procedures for using receipts in data subject requests | |
| DPO briefed | DPO understands SIX receipt and verification model | |
| Sub-processor register | SIX documented in processor/sub-processor register | |
Next Steps
- HIPAA Compliance -- Healthcare regulatory mapping
- SOX Compliance -- Financial audit trail mapping
- Verification Overview -- Independent verification methods
- Privacy Tiers -- Detailed tier documentation