Compliance policy — allowlist + audit + PII scrubbers + DPAs + GDPR/HIPAA

Q21 — Org enablement. Do you have a policy on PII / secrets / compliance in AI prompts?

Max-score answer: Allowlist + log audit + PII scrubbers + DPAs with vendors + GDPR/HIPAA mapping.

Why it matters: Regulators are catching up fast. By the time you need this it’s too late to retrofit — the audit trail starts when you turn on the policy.

If engineers paste customer data, secrets, or regulated content into Claude, Cursor, Codex, ChatGPT, Copilot, or any agent runner — and you cannot answer “yes” to every layer below — risk compounds silently. A DPA-less prompt that leaves the laptop cannot be “un-sent.” The forward-looking version of you wants logs that begin before the incident.

Every layer below is implementable in two weeks with ownership — mostly one-time configuration plus runtime plumbing.

Why this matters in 2026 (regulator pace, retrofit pain)

Three forces collided in 2026:

  1. Regulators caught up. GDPR enforcement against AI processors became routine. The EU AI Act’s GPAI transparency obligations started biting. US state privacy laws (Colorado, California, Texas) clarified that LLM providers are processors. HIPAA OCR confirmed PHI in prompts without a BAA is a reportable disclosure. The “we did not know” defence expired.
  2. Vendor terms shifted under your feet. Anthropic’s commercial terms refresh took effect 1 January 2026 with the GDPR DPA incorporated by reference. From 7 January 2026, Microsoft 365 Copilot started routing to Anthropic by default for most commercial tenants — your tenant may already be hitting a new processor under Microsoft’s umbrella DPA. OpenAI’s DPA covers API and Enterprise but excludes ChatGPT Free/Plus.
  3. Retrofit is hard. When a regulator asks “show me every prompt containing EU personal data in the last 12 months,” you cannot reconstruct from memory. Either you logged it or you didn’t. Either there’s a DPA or there isn’t. No Plan B.

The cost of starting late is roughly linear in months of unlogged usage.

What “max score” actually looks like (5-layer model)

Max-score Q21 is a stack. Each layer fails open without the one above it.

Layer 1 — Model allowlist

Only DPA-covered models touch customer data. Everything else routes through a gateway that rejects regulated payloads.

Layer 2 — Vendor DPAs

Signed (or auto-incorporated) DPAs with Anthropic, OpenAI, Microsoft, Cursor, GitHub, plus your gateway provider. BAAs where PHI is in scope.

Layer 3 — PII scrubbers

Inline redaction of PII / PHI / secrets before the prompt leaves your perimeter. Local-first wherever practical.

Layer 4 — Prompt-level audit

Every prompt, response, model, user, project, scrub-decision, and timestamp logged. Retention policy aligned to regulator expectations.

Layer 5 — GDPR/HIPAA mapping

A written, version-controlled map: which models are in-scope for which regimes, what lawful basis applies, what the data subject rights pathway is.

If you stop at Layer 2 you have “decent paperwork, no enforcement.” If you stop at Layer 3 you have “scrubbed but unknowable.” Max score is the whole stack working together.

Model class allowlist (only DPA-covered models touch customer data)

An allowlist is a server-side list of (provider, model-id, region, data-class) tuples your AI gateway accepts. Everything else is a hard reject. The mental model is network egress: by default, deny.

A starter allowlist for a Series A SaaS:

  • Tier A — Customer-data-eligible. Models under a vendor DPA in a region you control. 2026 examples: Anthropic Claude via Anthropic API (DPA auto-incorporated 1 Jan 2026), Claude via Amazon Bedrock eu-central-1 under your AWS DPA, OpenAI GPT via Enterprise API with DPA + Zero Data Retention, Azure OpenAI in an EU region under Microsoft’s DPA.
  • Tier B — Internal-only. Acceptable for code and public docs — never customer payloads. Same model IDs may apply, but routed through a path that strips identifiers.
  • Tier C — Personal use only. ChatGPT Free/Plus personal, Claude.ai personal, Gemini personal. No business data. Enforced via training and DLP.

The allowlist must live somewhere reviewable — a YAML file in a policy/ repo, or a Terraform module. “In someone’s head” fails. If you cannot diff it between two dates, you cannot audit it.
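The default-deny check described above, as an added example rather than code from the page or any vendor: the allowlist entries, model IDs, regions and DPA references are constructed placeholders standing in for the reviewable YAML in a policy/ repo.

```python
"""Default-deny allowlist check for an AI gateway, keyed on (provider, model, region, data class).

Added example, not code from the original page: the entries, model IDs and DPA references are
constructed placeholders standing in for the YAML file a policy/ repo would hold.
"""
from dataclasses import dataclass
from typing import Optional

# Data classes in increasing sensitivity; an entry may receive anything up to its ceiling.
DATA_CLASSES = ["none", "internal", "customer", "phi", "payments"]
REGULATED = {"customer", "phi", "payments"}

# Constructed allowlist (in-memory stand-in for policy/allowlist.yaml). "max_class" is the most
# sensitive data class the path may carry; Tier B paths strip identifiers and cite no DPA.
ALLOWLIST = [
    {"provider": "anthropic", "model": "claude-example", "region": "us", "tier": "A",
     "dpa": "anthropic-commercial-terms-2026-01-01", "max_class": "customer"},
    {"provider": "bedrock", "model": "claude-example", "region": "eu-central-1", "tier": "A",
     "dpa": "aws-dpa-plus-baa", "max_class": "phi"},
    {"provider": "openai", "model": "gpt-example", "region": "us", "tier": "B",
     "dpa": None, "max_class": "internal"},
]

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    tier: Optional[str] = None
    dpa: Optional[str] = None

def route(provider: str, model: str, region: str, data_class: str) -> Decision:
    """Decide one request. Anything not explicitly listed, or above its ceiling, is rejected."""
    if data_class not in DATA_CLASSES:
        return Decision(False, f"unknown data class {data_class!r}")
    for entry in ALLOWLIST:
        if (entry["provider"], entry["model"], entry["region"]) != (provider, model, region):
            continue
        if DATA_CLASSES.index(data_class) > DATA_CLASSES.index(entry["max_class"]):
            return Decision(False, f"{data_class} exceeds ceiling {entry['max_class']} on tier "
                            f"{entry['tier']}", entry["tier"], entry["dpa"])
        if data_class in REGULATED and entry["dpa"] is None:
            # Belt and braces: a regulated payload must always be able to cite a DPA reference.
            return Decision(False, "regulated payload with no DPA reference", entry["tier"])
        return Decision(True, "allowlisted", entry["tier"], entry["dpa"])
    return Decision(False, f"{provider}/{model}@{region} is not on the allowlist")  # default deny
```

Because the decision carries the DPA reference, the gateway can stamp it straight into the Layer 4 log row for that call.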

Vendor DPAs (Anthropic, OpenAI, Cursor — current state 2026)

2026 state of play for the vendors developers actually use:

  • Anthropic. Commercial terms refreshed 1 January 2026. DPA auto-incorporated on accepting Commercial Terms — no separate signature. Anthropic is processor; you are controller. API I/O retained 30 days for trust & safety, then deleted. API data not used to train. Sub-processor list published; 15-day change notice. SCCs included.
  • OpenAI. DPA self-serve via Platform → Settings → Organization. Covers API and Enterprise — not ChatGPT Free or Plus. Zero Data Retention available on request for qualifying API customers. BAAs available on Enterprise.
  • Cursor / Anysphere. Privacy Mode (default for new orgs) means prompts and code aren’t retained beyond the request and not used for training. DPA on Business tier. Subtlety: Cursor routes to multiple upstream providers — your Cursor DPA is necessary but not sufficient.
  • GitHub Copilot. Microsoft DPA via Product Terms covers Business and Enterprise. Individual tier not in scope — block at SSO.
  • Microsoft 365 Copilot. From 7 January 2026, most commercial tenants started routing to Anthropic by default under Microsoft’s umbrella DPA. Admins can opt out; most won’t. DPA covers it, but your mapping must reflect that the underlying model can shift without your direct action.
  • Google Gemini. Workspace DPA covers Gemini for Workspace. Consumer Gemini out of scope.

Maintain vendor-dpas.md in your compliance repo with vendor | tier | DPA URL or PDF hash | effective date | review date | owner. Quarterly review.

PII scrubbers (Presidio, Cloudflare AI Gateway, custom)

Scrubbing happens at three possible layers; you usually want at least two.

  • Client-side / IDE. Pre-prompt hook that detects and redacts before keystrokes leave the laptop. For Cursor and Claude Code, wire as a pre-tool-use hook. Best for secrets (AWS keys, JWTs, DB URLs) where the value is unambiguous.
  • Gateway. Inline filtering. Open source: Microsoft Presidio (mature, configurable recognizers, regex + ML detectors), pii-codex, scrubadub. Commercial: Cloudflare AI Gateway, Kong AI Gateway PII sanitization plugin, Gravitee PII Filtering Policy. The gateway is the right place for policy enforcement — what to redact, what to block, what to allow with a warning.
  • Local SLM (“AI firewall”). Small local model that pre-processes prompts. Useful for fuzzy cases (free-text customer notes with PHI) where regex misses. Adds latency.

Configuration that pays for itself on day one:

  • Detect and block: live credentials, customer DB URLs, private keys, full card numbers, full national IDs.
  • Detect and redact: emails, IPs, names in customer-record contexts, phone numbers, DOBs.
  • Detect and flag (allow but log): partial identifiers, IP-like patterns in logs, healthcare terminology on non-BAA models.

The scrubber’s decision is itself an audit event — feed it into Layer 4.
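The block / redact / flag configuration above as a minimal gateway scrubber, added here as an example and not taken from the page, Presidio or any vendor product: the patterns are a constructed starter set, the sample prompts in the comments are fabricated, and the returned digests are what the Layer 4 audit row would carry instead of the raw values.

```python
"""Gateway PII/secret scrubber with three verdict classes: block, redact, flag (allow but log).

Added example, not from the original page: the patterns are a constructed starter set rather
than Presidio's recognizers, and the digests are what an audit row carries in place of raw PII.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Block: unambiguous credential shapes. Any hit rejects the whole prompt before it leaves.
BLOCK = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "db_url_with_password": re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s]+:[^@\s]+@"),
    "card_number": re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)"),
}
# Redact: identifiers replaced in place with a typed placeholder; the original is hashed, not kept.
REDACT = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}(?!\d)"),
}
# Flag: healthcare terminology passes through but is logged when the target model has no BAA.
FLAG_HEALTH = re.compile(r"\b(?:MRN|diagnosis|ICD-10|patient)\b", re.IGNORECASE)

def scrub(prompt: str, model_has_baa: bool) -> Tuple[str, str, Dict[str, int], List[str]]:
    """Return (verdict, scrubbed_prompt, counts_by_type, redaction_digests).

    verdict is "block", "redact", "flag" or "allow". Digests are truncated SHA-256 of each
    removed value so the audit row can prove what was redacted without storing the PII.
    """
    for name, pattern in BLOCK.items():
        if pattern.search(prompt):
            return "block", "", {name: 1}, []
    counts: Dict[str, int] = {}
    digests: List[str] = []
    scrubbed = prompt
    for name, pattern in REDACT.items():
        def _replace(match, name=name):
            counts[name] = counts.get(name, 0) + 1
            digests.append(hashlib.sha256(match.group(0).encode()).hexdigest()[:16])
            return f"<{name.upper()}>"
        scrubbed = pattern.sub(_replace, scrubbed)
    flagged = 0 if model_has_baa else len(FLAG_HEALTH.findall(scrubbed))
    if flagged:
        counts["healthcare_term_flag"] = flagged
    verdict = "redact" if digests else ("flag" if flagged else "allow")
    return verdict, scrubbed, counts, digests
```

Run it against a synthetic PII corpus before turning on enforcement; the verdict and counts tuple is the audit event to forward to Layer 4.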

Log audit (every prompt logged with provenance, retention policy)

The minimum schema for a prompt log row:

  • Request ID
  • Timestamp (UTC, monotonic, signed if you can)
  • User ID and authentication method
  • Project / workspace / repo
  • Source application (Cursor, Claude Code, internal agent, web)
  • Target provider and model ID
  • Data classification of the request (none / internal / customer / PHI / payments)
  • Scrubber verdict and a digest of redactions applied
  • Prompt hash (or full prompt, per your retention policy)
  • Response hash (or full response)
  • Token counts
  • DPA reference (which vendor DPA covered this call)

Retention rules that hold up to scrutiny:

  • 13 months minimum for general AI usage logs (one full annual review cycle plus a month).
  • 6 years for HIPAA-covered traffic (matches HIPAA retention requirements).
  • 5 years for SOX-relevant traffic if you are a public company or audit-track.
  • Encrypted at rest; access logged; redaction available for data-subject erasure requests.

Cloudflare AI Gateway, Langfuse, Helicone, and PostHog LLM observability all ship reasonable defaults here. Pick one, wire it up before anyone writes a feature on top of it. Retrofit cost is high.
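The log-row schema and retention rules above, written out as an added example that is not the page's own code nor any of the named products: field names mirror the schema list, retention windows follow the rules above (13 months counted as 396 days, and the assumption that "payments" is the SOX-relevant class), and the signing key, sample call and timestamp are constructed.

```python
"""One audit-log row per gateway call: minimum schema, retention expiry by data class, and an
HMAC so rows can be checked for tampering. Added example, not the page's code: retention follows
the page's rules (13 months counted as 396 days; assumption: "payments" is the SOX-relevant
class); the signing key, sample call and timestamp are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Any, Dict

SIGNING_KEY = b"constructed-demo-key-keep-real-keys-in-a-kms"  # constructed, never in source
RETENTION_DAYS = {"none": 396, "internal": 396, "customer": 396, "phi": 6 * 365, "payments": 5 * 365}

def sign(row: Dict[str, Any]) -> str:
    """HMAC-SHA256 over the canonical JSON of every field except the signature itself."""
    body = {k: v for k, v in row.items() if k != "hmac"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canonical, hashlib.sha256).hexdigest()

def verify(row: Dict[str, Any]) -> bool:
    return hmac.compare_digest(sign(row), row.get("hmac", ""))

def build_row(call: Dict[str, Any], prompt: str, response: str, now: datetime) -> Dict[str, Any]:
    """Prompt/response stored as SHA-256 hashes; keep full text only where retention policy allows."""
    expiry = now + timedelta(days=RETENTION_DAYS[call["data_class"]])
    row = {
        "request_id": call["request_id"], "timestamp": now.isoformat(),
        "user_id": call["user_id"], "auth_method": call["auth_method"],
        "project": call["project"], "source_app": call["source_app"],
        "provider": call["provider"], "model_id": call["model_id"], "data_class": call["data_class"],
        "scrubber_verdict": call["scrubber_verdict"], "redaction_digest": call["redaction_digest"],
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "response_sha256": hashlib.sha256(response.encode()).hexdigest(),
        "tokens_in": call["tokens_in"], "tokens_out": call["tokens_out"],
        "dpa_ref": call["dpa_ref"], "retention_expiry": expiry.date().isoformat(),
    }
    row["hmac"] = sign(row)
    return row

def demo_row(data_class: str = "customer") -> Dict[str, Any]:
    """Constructed sample call at a fixed UTC timestamp so results are reproducible."""
    call = {"request_id": "req-0001", "user_id": "u-42", "auth_method": "sso-oidc",
            "project": "billing-api", "source_app": "cursor", "provider": "bedrock",
            "model_id": "claude-example", "data_class": data_class, "scrubber_verdict": "redact",
            "redaction_digest": "email:1", "tokens_in": 120, "tokens_out": 340,
            "dpa_ref": "aws-dpa-plus-baa"}
    now = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    return build_row(call, "Explain invoice <EMAIL> dispute", "Here is a summary.", now)
```

A retention job deletes rows whose retention_expiry has passed, and a data-subject erasure request can be served by deleting or re-signing the affected rows because the signature is per row.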

GDPR / HIPAA mapping (what AI usage looks like in each)

One page per regime, version-controlled, owned by a named person.

GDPR mapping should answer:

  • Who is controller for each AI use case (almost always: you)?
  • Who is processor (Anthropic, OpenAI, Microsoft, Cursor)?
  • Lawful basis (legitimate interest for internal productivity; consent often required for customer-data-touching agents)?
  • Geographic flow (EU → US under SCCs default; UK IDTA addendum for UK subjects)?
  • Data-subject rights pathway: on erasure requests, how do you scrub prompt logs, scrubber audit trails, and agent-derived caches?
  • DPIA coverage: which use cases triggered a DPIA, where do documents live?

HIPAA mapping should answer:

  • Which workflows touch PHI? Usually: support agents, EHR-adjacent tooling, anything ingesting medical records.
  • Which models are on a BAA? (2026 typical: Claude via AWS Bedrock with BAA, OpenAI Enterprise with BAA, Azure OpenAI with BAA.)
  • Minimum-necessary rule applied to prompts? (Scrubbers redact MRN, full name, DOB where not required.)
  • Breach response runbook: if a PHI prompt hits a non-BAA model, how is it detected, contained, reported?

Bind a quarterly review to your security review cycle.

  1. Name an owner. A single named person — usually CTO, Head of Security, or DPO — who can say “this is final.” Without an owner, every layer drifts.

  2. Inventory current AI usage. Run a one-week passive observation: PostHog events, SSO logs, browser extension telemetry, IDE usage analytics. Find every model, every account, every shadow-IT subscription. Expect surprises.

  3. Draft the allowlist. Start strict. Tier A = the two or three model IDs you can defend in writing. Everything else goes to Tier B or C. Publish it.

  4. Sign and file the DPAs. Anthropic auto-incorporates; OpenAI is a self-serve form; Microsoft is in your tenant admin; Cursor Business is a manual step. Store PDF hashes and effective dates in compliance/vendor-dpas.md.

  5. Stand up the AI gateway. Cloudflare AI Gateway, Kong AI Gateway, or your own thin proxy. Route 100% of Tier A and Tier B traffic through it. Tier C is blocked at the SSO / DLP layer.

  6. Wire scrubbers. Presidio at the gateway, plus a pre-prompt hook in Claude Code and Cursor for secrets-class detections. Test against a synthetic PII corpus before turning on enforcement.

  7. Turn on audit logging. Every gateway call → log row. Wire to Langfuse, Helicone, or a D1/Postgres table you own. Verify the retention policy fires.

  8. Write the GDPR and HIPAA maps. One page each. Get the DPO, legal, and engineering lead to sign off. Calendar a quarterly review.

  9. Roll out training. 30-minute org-wide session: here is the allowlist, here is what scrubbers catch, here is what to do if you accidentally paste a secret. Repeat every six months.

  10. Run a fire drill. Synthetic incident: an engineer pastes a fake patient record into a non-BAA model. Do the logs show it? Did the scrubber catch it? Did the gateway block it? How fast did you find out? Fix what failed.

  • No scrubbers. “We told people not to paste customer data” is not a control. Humans paste. Build the rail.
  • No audit log. Without per-prompt logs, you cannot answer regulator questions and you cannot run incident response. The first 30 days of usage you fail to log are gone forever.
  • No DPA. Free-tier ChatGPT and personal Claude.ai accounts have no DPA. Block them at the SSO and DLP layers, not via a polite Slack message.
  • Vendor switch without re-DPA. Microsoft 365 Copilot quietly enabled Anthropic models in January 2026 under its umbrella DPA. That kind of routing change happens constantly. Your mapping must reflect underlying processors, not just the surface vendor.
  • One scrubber for everything. Regex catches secrets; ML catches names; neither alone catches everything. Layer them.
  • Logs without retention policy. Storing prompts forever is its own GDPR liability. Pick a retention window per data class and enforce deletion.
  • No BAA where PHI is in scope. Anthropic, OpenAI, Azure OpenAI, and Bedrock all offer BAAs on the right tier. If you handle PHI without one, every prompt is a reportable incident waiting to be discovered.
  • Treating it as one-and-done. Sub-processor lists change, vendor terms refresh, your product touches new data types. Quarterly review is the floor.

A practical checklist you can run in 30 minutes:

  • Can you produce, from a single source, the list of model IDs allowed for customer data this week? Yes / no.
  • Pick a random model in the allowlist. Can you produce the signed DPA, its effective date, and the sub-processor list it references? Yes / no.
  • Pick a random prompt sent yesterday. Can you produce the user, project, scrubber verdict, redactions applied, model, region, and retention expiry? Yes / no.
  • Synthetic test: paste a fake AWS access key into Cursor. Is it blocked at the pre-prompt layer, the gateway, or both? Yes / no.
  • Synthetic test: paste a fake patient name into a non-BAA model via the API. Is it redacted? Logged? Alerted on? Yes / no.
  • Open your GDPR mapping document. Was it reviewed in the last 90 days? Yes / no.
  • Open your HIPAA mapping document (or “not applicable” with a written rationale). Was it reviewed in the last 90 days? Yes / no.
  • Ask a random engineer where the allowlist lives. Do they know? Yes / no.

Eight yes answers is max score. Anything less, you have a known gap — write it down and close it.