Compliance & data protection
Built to help you pass the audit.
AIovert maps directly to GDPR, the EU AI Act, and your DPIA process, and the architecture means there's less to assess in the first place.
Regulatory mapping last reviewed:
Data residency promise
Classification happens on-device. Zero raw content leaves the EU.
Only the classification label, the domain, and a one-way hash are ever transmitted. The raw text never leaves the employee's browser.
GDPR
GDPR article breakdown.
The articles that apply when employees use AI tools, and how AIovert addresses each.
Lawful basis for processing
AIovert prevents personal data reaching AI tools where no lawful basis exists, and logs every attempt so you can demonstrate control.
Special-category data
Health, biometric, and other sensitive classes are detected on-device and blocked before they reach a model that has no Article 9 condition.
Processor & sub-processor duties
Stops staff turning a public LLM into an unvetted sub-processor outside your DPAs, with an audit trail per company.
Security of processing
On-device blocking plus monitoring is an appropriate technical measure: raw content never leaves the browser.
International transfers
Classification is local, so no personal data is transferred to a third country via the AI tool in the first place.
EU AI Act
EU AI Act, Articles 9–15.
The high-risk system requirements, mapped to AIovert capabilities.
Risk management system
Continuous detection and logging of AI-data exposure feeds your ongoing risk-management process.
Data governance
Controls which sensitive data classes may reach AI tools, per company policy.
Technical documentation
Exportable event records document the control and its operation.
Record-keeping / logging
Every detection is logged with severity, user, tool, and timestamp. Automatic, tamper-evident audit logs.
Transparency to users
The Guard overlay tells employees what was detected and why, in the moment.
Human oversight
Admins set policy, review events, and act on alerts. Humans stay in control of the system.
Accuracy & robustness
Deterministic on-device classifiers with confidence levels and a versioned engine for repeatable results.
DPIA
How AIovert helps you pass a DPIA.
- Describe the processing: AIovert inventories which AI tools are in use and what data classes reach them. The evidence base a DPIA needs.
- Assess necessity and proportionality: Per-company policy lets you allow what is necessary and block what is not, documented per data type and domain.
- Identify and mitigate risks: On-device blocking is the mitigation; risk scores and alerts show residual exposure over time.
- Demonstrate accountability: Exportable logs evidence the control to your DPO, board, or a supervisory authority.
DORA · Financial Services
DORA ICT risk management framework.
For banks, insurers, and investment firms under DORA, AIovert addresses the ICT risk management requirements across Chapter II directly.
ICT risk identification
AIovert continuously identifies which AI tools carry sensitive data, building a live inventory of ICT risk exposure across the organisation.
Protection and prevention
On-device blocking prevents sensitive financial data, client records, and credentials from reaching unvetted AI processors.
Detection
29 sensitive data classifications detected in milliseconds. Every incident logged with severity, tool, user, and timestamp.
Response and recovery
Real-time Slack alerts allow immediate response. Audit logs support post-incident analysis and NCA reporting obligations.
Backup and restoration
Masked-copy feature lets employees continue working safely after a block, minimising operational disruption while maintaining protection.
Learning and evolving
Versioned classifier engine (classifierVersion field on every event) lets you track which ruleset was active during any incident period.
Policy templates
Ready-to-use templates in four languages.
Pre-filled with AIovert-specific controls and evidence references. Adapted to EN, DE, FR, and ES regulatory language.
- AI Usage Policy (EN): Available
- DPIA Template (EN): Available
- Incident Response Procedure (EN): Available
- DPO Briefing Deck (EN): Available
- KI-Nutzungsrichtlinie (DE): Available
- DSFA-Vorlage (DE): Available
- Vorfallsreaktionsverfahren (DE): Available
- DSB-Briefing (DE): Available
- Politique d'utilisation de l'IA (FR): Available
- Modèle AIPD (FR): Available
- Procédure de réponse aux incidents (FR): Available
- Note DPO (FR): Available
- Política de uso de IA (ES): Available
- Plantilla EIPD (ES): Available
- Procedimiento de respuesta a incidentes (ES): Available
- Informe DPD (ES): Available
Templates are provided in the dashboard under Compliance. All templates are informational starting points, not legal advice.
Supervisory authority alignment
CNIL, ICO, and AEPD guidance.
Three of Europe's most active data protection authorities have published specific guidance on AI and generative models. AIovert is built to satisfy each.
CNIL
France
AI and RGPD enforcement
AIovert's on-device architecture satisfies CNIL's requirement that personal data not be transmitted to AI providers without a lawful basis. The audit log supports the accountability principle (Art. 5(2) RGPD) in all CNIL guidance on generative AI.
ICO
United Kingdom
UK GDPR and AI guidance
AIovert's minimal-data design aligns with ICO's Guidance on AI and Data Protection. Data minimisation, purpose limitation, and accountability are satisfied by classifying on-device and transmitting only labels and hashes.
AEPD
Spain
Generative AI and LOPDGDD
AEPD's Circular on Generative AI requires risk assessments for LLM use. AIovert provides the continuous monitoring and audit evidence the AEPD expects as a technical safeguard under its guidelines.
Certifications & architecture
Less to assess by design.
SOC 2 Type II
In progress. Our SOC 2 audit is underway. The badge appears here on completion.
On-device classification
Detection runs entirely in the browser. Raw text is never stored or transmitted.
EU data residency
Only classifications, domains, and hashes leave the device. Zero raw content leaves the EU.