Global Privacy & Regulatory Compliance

EDDI provides built-in compliance for GDPR, CCPA, EU AI Act, HIPAA, PIPEDA, LGPD, APPI, POPIA, PDPA, Malaysia PDPA, PIPL, and more — with cascade data erasure, cryptographic audit trails, and one unified API.

Get Started → View on GitHub ↗

Compliance by Architecture

Regulated industries cannot bolt compliance onto AI systems after the fact. EDDI embeds the technical foundations for global regulatory compliance into the platform architecture itself — immutable audit trails, cascade data erasure, processing restrictions, cryptographic integrity, and role-based access control are core capabilities, not add-ons. One unified API covers data subject rights for every jurisdiction.

AI Governance Frameworks

As governments worldwide introduce AI-specific legislation, organizations need platforms that provide transparency, traceability, and human oversight from day one. EDDI's architecture addresses the core technical requirements of major AI governance frameworks.

EU AI Act — European Union

The EU AI Act (Regulation 2024/1689) is the world's first comprehensive AI law, establishing risk-based requirements for AI systems. EDDI provides the technical foundations for compliance with its high-risk AI system requirements:

Immutable Audit Trails — Every operation recorded with HMAC-SHA256 cryptographic integrity (Art. 12 — Record-Keeping)
Decision Transparency — Full pipeline tracing shows how AI decisions were made, including model name, prompt, and response (Art. 13 — Transparency)
Human Oversight — Management UI enables human review, intervention, and emergency stop (Art. 14 — Human Oversight)
Risk Classification — Architecture supports high-risk AI system requirements with configurable controls (Art. 9 — Risk Management)
Reproducibility — Configuration-as-code enables exact reproduction of AI behavior for regulatory audits (Art. 17 — Quality Management)
Data Governance — OIDC/Keycloak RBAC, vault-based secret management, input/output logging (Art. 10 — Data Governance)

NIST AI Risk Management Framework — United States

The NIST AI RMF (AI 100-1) provides a voluntary framework for managing AI risks across four functions: Govern, Map, Measure, and Manage. EDDI's architecture provides technical capabilities that support organizations pursuing NIST AI RMF alignment:

Govern — RBAC roles (eddi-admin, eddi-editor, eddi-viewer), immutable audit ledger, and documented data flows support AI governance structures
Map — Pipeline tracing and conversation logging enable comprehensive AI risk identification and documentation
Measure — Prometheus metrics, token/cost tracking, and per-agent usage analytics provide measurable AI performance and risk indicators
Manage — Processing restriction API, human oversight via Manager UI, and configurable retention policies enable risk mitigation controls

ISO/IEC 42001 — AI Management Systems

ISO/IEC 42001:2023 establishes requirements for an AI Management System (AIMS). EDDI provides technical capabilities that support organizations pursuing ISO 42001 certification:

Documented AI Policies — Configuration-as-code means all agent behavior is defined in auditable JSON — rules, workflows, LLM configurations, and deployment descriptors
Risk Assessment — Audit trails capture complete decision histories for risk evaluation and impact assessments
Operational Controls — RBAC, vault-based secret management, and processing restrictions provide operational governance
Performance Monitoring — Prometheus metrics, Grafana dashboards, and CQRS telemetry enable continuous AI performance evaluation

Data Privacy Regulations

EDDI provides unified data subject rights endpoints that satisfy the technical requirements of every major privacy regulation worldwide. One API covers cascade erasure, full data export, and processing restriction — regardless of jurisdiction.

GDPR — European Union / EEA

The General Data Protection Regulation (EU 2016/679) is the gold standard for data privacy. EDDI implements GDPR data subject rights as first-class API endpoints backed by cascade operations across all 5 data stores:

CCPA / CPRA — California, United States

The California Consumer Privacy Act and California Privacy Rights Act grant consumers rights to know, delete, and opt out of data sales. EDDI satisfies CCPA's technical requirements through its GDPR-compatible API:

Right to Know (§1798.100) — The GDPR export endpoint provides all personal information in a structured, machine-readable format
Right to Delete (§1798.105) — The GDPR erasure endpoint provides cascade deletion across all data stores
Do Not Sell (§1798.120) — EDDI architecturally cannot sell personal information — it is middleware infrastructure that processes data exclusively on behalf of the deployer

PIPEDA — Canada

Canada's Personal Information Protection and Electronic Documents Act (2000, amended 2023) governs commercial data processing through 10 Fair Information Principles. EDDI's architecture maps directly to each principle:

Accountability — Immutable HMAC-signed audit ledger traces all operations
Limiting Collection — Token-aware windowing limits data sent to LLMs; configurable retention auto-deletes old conversations
Limiting Use/Disclosure — Data used only for configured agent interactions; audit trail logs every LLM invocation
Safeguards — AES-256-GCM envelope encryption (Secrets Vault), HMAC-SHA256 audit integrity, Keycloak OIDC, RBAC
Individual Access — Full data export via REST API returns all memories, conversations, and managed conversation mappings as JSON
Challenging Compliance — Cascade deletion across all 5 data stores; audit trail pseudonymized (not deleted) for legal retention obligations

LGPD — Brazil

Brazil's Lei Geral de Proteção de Dados (2018, effective 2020) grants extensive data subject rights closely mirroring GDPR. EDDI covers all Article 18 rights with built-in technical capabilities:

Access to Data (Art. 18, II) — Full JSON data export
Correction (Art. 18, III) — User memories updatable via PUT /usermemorystore/memories
Anonymization/Deletion (Art. 18, IV) — Cascade deletion with SHA-256 pseudonymization of audit records
Data Portability (Art. 18, V) — Machine-readable JSON export includes all user data
Deletion of Unnecessary Data (Art. 18, VI) — Configurable retention policies with automatic cleanup
Consent Revocation (Art. 18, IX) — End conversation and cascade delete endpoints provide the technical mechanism

APPI — Japan

Japan's Act on the Protection of Personal Information (2003, significantly amended 2022) is one of Asia's most mature data protection laws. Japan holds an EU adequacy decision, facilitating cross-border data flows. EDDI provides:

Security Measures (Art. 23) — AES-256-GCM vault encryption, HMAC-SHA256 audit integrity, Keycloak OIDC, RBAC, SSRF protection
Disclosure to Data Subjects (Art. 33) — Full data export via REST API
Correction and Deletion (Art. 34-35) — Memory updates for correction; cascade deletion for erasure
Pseudonymized Information (2022 amendment) — GDPR erasure uses SHA-256 pseudonymization, satisfying APPI's pseudonymized information category
Cross-Border Transfer Documentation (Art. 28) — LLM provider data flows documented; audit trail records which model/provider processed each turn

POPIA — South Africa

South Africa's Protection of Personal Information Act (2013, effective 2021) establishes 8 data processing conditions aligned with EU standards. EDDI provides built-in technical capabilities for each condition:

Accountability (Condition 1) — HMAC-signed audit ledger, documented data flows, Apache 2.0 open-source code
Processing Limitation (Condition 2) — Token-aware windowing, configurable retention, idle conversation auto-end
Information Quality (Condition 5) — Timestamped, versioned conversation state; user memories updatable via REST API
Security Safeguards (Condition 7) — AES-256-GCM encryption, HMAC integrity, Keycloak OIDC, RBAC, SSRF protection
Data Subject Participation (Condition 8) — Full data export and cascade deletion endpoints

PDPA — Singapore & Thailand

The Personal Data Protection Acts in Singapore (2012, amended 2021) and Thailand (2019, effective 2022) are Southeast Asia's most mature privacy frameworks. EDDI covers the technical obligations of both jurisdictions:

Access Obligation — Full data export via REST API and MCP tools
Correction Obligation — User memories updatable via REST API
Protection Obligation — AES-256-GCM encryption, HMAC audit integrity, Keycloak OIDC, RBAC
Retention Limitation — Configurable auto-cleanup with idle conversation timeout
Data Breach Notification — Incident response runbook template included in EDDI documentation

PDPA — Malaysia

Malaysia's Personal Data Protection Act 2010 (Act 709, amended 2024) governs commercial processing of personal data through 7 data protection principles. EDDI provides the technical controls to support deployer compliance:

General Principle (§6) — Configurable retention policies and processing-restriction endpoint support purpose-limited, consent-based processing
Security Principle (§9) — AES-256-GCM vault encryption, HMAC-SHA256 audit integrity, Keycloak OIDC, RBAC, SSRF protection
Retention Principle (§10) — Configurable per-category retention with automatic cleanup; idle conversation auto-end
Data Integrity Principle (§11) — Timestamped, versioned conversation state; user memories updatable via REST API
Access Principle (§12) — Full data export via GET /admin/gdpr/{userId}/export returns all user data as structured JSON
Cross-Border Transfers (§129) — Self-hosted architecture enables deployers to control data residency; audit trail documents all LLM provider data flows

PIPL — China

China's Personal Information Protection Law (2021) is one of the world's most comprehensive data protection laws, governing the processing of personal information of individuals within China. EDDI provides the technical infrastructure for PIPL-compliant deployments:

Lawful Processing (Art. 13) — Configuration-driven agent behavior ensures processing stays within defined purposes; processing restriction API freezes activity on demand
Individual Rights (Art. 44–49) — Full data export, cascade deletion, and processing restriction endpoints cover right to know, copy, correct, delete, and restrict
Data Security (Art. 51) — AES-256-GCM vault encryption, HMAC-SHA256 audit integrity, Keycloak OIDC, RBAC, zero eval()
Cross-Border Transfers (Art. 38–39) — Self-hosted architecture enables on-premises deployment within China; audit trail documents all external data flows for security assessments
Automated Decision-Making (Art. 24) — Immutable audit trails with full pipeline tracing provide transparency into AI decision-making; human oversight via Management UI
Data Retention (Art. 19) — Configurable retention policies with automatic cleanup enforce minimum-necessary storage periods

Additional Jurisdictions

UK GDPR (United Kingdom) — Substantially mirrors EU GDPR; EDDI's GDPR endpoints satisfy all UK GDPR data subject rights. ICO oversight.PIPA (South Korea) — Strict consent requirements, mandatory DPO, 72-hour breach notification. EDDI provides the technical audit and erasure infrastructure.DPDPA (India, 2023) — Consent-based framework with cross-border restrictions. EDDI's export and erasure endpoints satisfy the Digital Personal Data Protection Act requirements.Privacy Act + APPs (Australia) — 13 Australian Privacy Principles; notifiable data breach scheme. EDDI's audit trail and data export cover the technical obligations.CCPA-style state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, etc.) — The GDPR/CCPA-compatible API satisfies all emerging US state privacy laws.

Industry-Specific Compliance

HIPAA — US Healthcare

The Health Insurance Portability and Accountability Act establishes safeguards for Protected Health Information (PHI). EDDI provides the technical infrastructure for HIPAA-compliant AI deployments:

Access Controls (§164.312(a)) — Keycloak OIDC with role-based access (eddi-admin, eddi-editor, eddi-viewer)
Audit Controls (§164.312(b)) — HMAC-signed, immutable audit ledger records every operation with timestamps, user IDs, and outcomes
Integrity Controls (§164.312(c)) — HMAC-SHA256 tamper detection on all audit entries
Transmission Security (§164.312(e)) — TLS for transit; AES-256-GCM for secrets at rest via Secrets Vault
Data Disposal (§164.310(d)(2)(i)) — GDPR cascade deletion endpoint permanently removes PHI across all data stores
BAA Template — Business Associate Agreement template included in EDDI documentation for healthcare deployments

SOC 2 Readiness

SOC 2 Type II evaluates systems against Trust Services Criteria. EDDI's architecture provides technical controls that support organizations pursuing SOC 2 attestation:

Security — OIDC/Keycloak authentication, RBAC, Secrets Vault (AES-256-GCM), zero eval(), path traversal protection, URL validation
Availability — Horizontal scaling via NATS JetStream, dual database support (MongoDB/PostgreSQL), Kubernetes-native deployment
Processing Integrity — Immutable HMAC-signed audit ledger with per-operation cryptographic integrity verification
Confidentiality — Secret redaction filter scrubs API keys and vault references from audit entries; PII-safe logging with SHA-256 pseudonyms
Privacy — Full data subject rights API (erasure, export, restriction), configurable retention, processing restriction controls

One API for Global Compliance

Every privacy regulation listed above is served by the same unified REST API and MCP tools. Whether you are responding to a GDPR erasure request in Germany, a CCPA deletion request in California, or a PDPA access request in Singapore — the same endpoints handle it all:

DELETE /admin/gdpr/{userId} — Cascade erasure across 5 data stores (user memories, conversations, managed mappings, logs, audit entries)

GET /admin/gdpr/{userId}/export — Full user data export as structured JSON (memories, conversations, audit records)

POST /admin/gdpr/{userId}/restrict — Freeze processing while preserving data for dispute resolution

MCP: delete_user_data — AI-orchestrated cascade erasure (requires explicit confirmation)

MCP: export_user_data — AI-orchestrated data export for automated DSAR workflows

Built for Regulated Industries Worldwide

Healthcare, financial services, government, manufacturing, and other regulated sectors can deploy EDDI with confidence. The platform provides the transparency, auditability, and control mechanisms required by 17+ regulatory frameworks — from the EU AI Act and GDPR in Europe to HIPAA in the United States, PIPEDA in Canada, LGPD in Brazil, APPI in Japan, POPIA in South Africa, PDPA in Southeast Asia, Malaysia's PDPA, and China's PIPL. Compliance is not an afterthought — it is an architectural foundation.