GDPR-Compliant AI — Use ChatGPT & Claude Without Breaking EU Rules
ChatWall lets European companies use the best AI models on the market — ChatGPT, Claude, Gemini, Copilot — while keeping personal data inside the EU and out of US-based LLM providers. Masking is performed locally, so no personal data ever crosses a border.
How ChatWall makes GDPR work for LLMs
- Data minimization (Art. 5(1)(c)). Only tokens like [NAME_1] reach the LLM — the absolute minimum needed to get a useful answer.
- No international transfer of personal data. The mapping table never leaves the EU device. Tokenized text is not personal data once the mapping is local.
- No new sub-processor. Browser-side processing means no extra DPA is required to deploy the extension.
- Right to erasure stays meaningful. Personal data is never persisted on a third-party server, so there is nothing to chase down later.
- Records of processing. ChatWall Box logs every prompt (tokenized) and decision for Art. 30 audit trails.
- EU residency by design. Box deploys in your own Docker stack — French, German, Luxembourg, Dutch sovereign cloud, or fully on-premise.
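The mechanism behind the bullets above (and the FAQ answer on pseudonymized text further down) is a local token mapping: identifiers are swapped for opaque tokens before the prompt leaves the device, the token-to-value table stays local, and the model's reply is re-identified locally. The following Python sketch is an added illustration written for this page, not ChatWall's own code; the `LocalMasker` class, the regex-and-name-list detection, the sample prompt and the simulated model reply are all constructed assumptions, and a real deployment would use a proper PII/NER detector rather than a hard-coded name list.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample prompt with fictitious identifiers (not real data).
SAMPLE_PROMPT = (
    "Draft a reply to Marie Dupont (marie.dupont@example.eu) about her "
    "invoice. Her colleague Jan de Vries (jan@example.nl) is cc'd."
)

# Hypothetical detector; a production masker would use a fuller PII/NER model.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass
class LocalMasker:
    """Swaps identifiers for tokens such as [NAME_1]; the mapping table
    lives only in this object and is never part of the outbound prompt."""

    known_names: list[str]
    mapping: dict[str, str] = field(default_factory=dict)   # token -> original value
    reverse: dict[str, str] = field(default_factory=dict)   # original value -> token
    counters: dict[str, int] = field(default_factory=dict)  # per-kind sequence numbers

    def _token(self, kind: str, value: str) -> str:
        # Same value always maps to the same token so the model can keep
        # referring to "[NAME_1]" consistently across the prompt.
        if value in self.reverse:
            return self.reverse[value]
        self.counters[kind] = self.counters.get(kind, 0) + 1
        tok = f"[{kind}_{self.counters[kind]}]"
        self.mapping[tok] = value
        self.reverse[value] = tok
        return tok

    def mask(self, text: str) -> str:
        """Return the tokenized text that is safe to send to the remote model."""
        # Emails first, so a name embedded in an address is not split by the name pass.
        text = EMAIL_RE.sub(lambda m: self._token("EMAIL", m.group(0)), text)
        # Longest names first, so "Jan de Vries" is not pre-empted by a shorter match.
        for name in sorted(self.known_names, key=len, reverse=True):
            text = text.replace(name, self._token("NAME", name))
        return text

    def unmask(self, text: str) -> str:
        """Re-identify a model reply locally. Closing brackets make tokens
        prefix-free, so replacing [NAME_1] can never touch [NAME_10]."""
        for tok, value in self.mapping.items():
            text = text.replace(tok, value)
        return text

    def leaks(self, outbound: str) -> list[str]:
        """Pre-send check: any mapped value still present in the outbound text."""
        return [v for v in self.mapping.values() if v in outbound]

    def audit_record(self, masked_prompt: str, decision: str) -> dict:
        """Art. 30-style record: tokenized prompt and decision, never raw values."""
        return {"prompt": masked_prompt, "decision": decision,
                "tokens": sorted(self.mapping)}


def run_demo() -> tuple[str, str]:
    """Mask the sample prompt, simulate a reply that only saw tokens, re-identify it."""
    masker = LocalMasker(known_names=["Marie Dupont", "Jan de Vries"])
    masked = masker.mask(SAMPLE_PROMPT)
    assert masker.leaks(masked) == []          # nothing from the mapping table goes out
    # Simulated (constructed) reply from the remote model.
    model_reply = "Dear [NAME_1], thanks for your note on the invoice; [NAME_2] is in copy."
    return masked, masker.unmask(model_reply)


if __name__ == "__main__":
    outbound, restored = run_demo()
    print("sent to model :", outbound)
    print("shown to user :", restored)
```

The `leaks` check is the part worth keeping in any real pipeline: it is a cheap guard that the text about to cross the border contains none of the values the mapping table knows about, and it is what turns "masking happens locally" from a design intent into something that can be asserted before every request.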
GDPR snapshot
| GDPR concern | Public LLM alone | With ChatWall |
|---|---|---|
| Personal data sent to a US provider | Yes | No (tokens only) |
| International transfer (Ch. V) | Yes — requires SCCs / TIA | Not for personal data |
| New sub-processor for extension | — | None (local) |
| Right to erasure feasible | Depends on provider | Trivial — never stored |
| EU-only deployment option | No | Yes (ChatWall Box) |
For DPOs and security leads
ChatWall is built by an EU team. The code is source-available on GitHub so DPOs can include it in a DPIA without relying on vendor claims. The on-premise ChatWall Box ships as a Docker image you run inside your own VPC — no data, logs or telemetry ever leave your infrastructure.
FAQ
Does tokenized text count as personal data under GDPR?
If the mapping table that links tokens back to real identifiers is held only on the user's device (extension) or inside your own VPC (Box), then the third-party LLM sees pseudonymized text it cannot re-identify — significantly reducing GDPR exposure on that processor. Your DPO should confirm based on your specific setup.
Do we still need an EU AI Act assessment?
Yes — the EU AI Act applies to your use case, not to ChatWall. But masking personal data before it reaches the model materially reduces the risk profile of many use cases (especially "limited" or "high" risk processing of personal data).
Can we deploy ChatWall entirely on EU soil?
Yes. ChatWall Box is a Docker container that runs in your own infrastructure — OVH, Scaleway, Outscale, German sovereign cloud, on-prem datacenter — your choice.
What about the Schrems II / TIA requirement?
The TIA exists because personal data crosses to the US. If you mask personal data on-device first, the data sent to the US-based LLM is pseudonymized and no longer identifies an EU data subject — which materially changes the TIA outcome.