GitHub - mahadillahm4di-cyber/mh-gdpr-ai.eu: Your LLM prompt has a name in it. It just crossed the Atlantic. That's a GDPR violation. This fixes it in 3 lines.


Overview

mh-gdpr-ai.eu is a sovereign AI gateway that acts as an invisible layer between your application and any LLM provider (OpenAI, Mistral, Anthropic, Llama). Every request is scanned for personal data (PII) in real-time using dual-layer detection (Microsoft Presidio NLP + regex). When PII is found, the request is automatically forced to EU-only servers. When no PII is found, it goes to the cheapest available provider. Your compliance is guaranteed. Your costs go down. Your code changes by 2 lines.

How it works in practice

  • Your app sends a prompt containing jean.dupont@company.fr to any LLM
  • The gateway detects EMAIL_ADDRESS (PII) in under 30ms using Presidio + regex
  • The request is forced to EU-only providers (Scaleway Paris, OVHcloud Gravelines) — cannot be bypassed
  • The response comes back with compliance metadata — audit-ready for your DPO
  • If no PII is detected → the request goes to the cheapest provider, any region

Our Vision

At the infrastructure level: We are building the missing compliance layer between AI-powered applications and LLM providers — a sovereign routing protocol that makes GDPR violations technically impossible. Your users' data stays in Europe. Automatically. No manual review. No code rewrite.

At the business level: We are creating a world where startups in regulated sectors (healthtech, fintech, legaltech) can use any AI model without fear of non-compliance. One integration, automatic PII detection, forced EU routing, and a compliance report your DPO can hand to the regulator.

From startups handling medical records to fintech platforms processing IBAN numbers, mh-gdpr-ai.eu makes sovereign AI the default.


MVP Demo (Local)

This is the working MVP running locally. The design is not final — the goal here is to prove the core technology works. Every feature below is functional right now.

Why this matters

Every time you call openai.chat.completions.create() with a European user's name in the prompt, you're potentially violating GDPR Article 44 (international data transfers). Most teams either ignore it, route everything to EU (expensive), or anonymize all data (breaks context).

mh-gdpr-ai.eu solves this. Here's what the MVP already does:

  • Dual-layer PII detection — Microsoft Presidio (NLP) + regex fallback run on every request. 15+ entity types detected: names, emails, phone numbers, IBANs, credit cards, SSNs, and more.
  • Sovereign routing engine — PII detected = EU-only servers (Scaleway, OVHcloud). No PII = cheapest provider. The EU-forcing cannot be bypassed via API.
  • PII masking — Type-specific redaction with placeholders ([EMAIL_REDACTED], [IBAN_REDACTED]). Mask before logging, before storage, before anything.
  • Compliance audit on every request — Every response includes a compliance_summary object: what PII was found, which provider was used, which region, whether EU was forced. Ready for your DPO.
  • Multi-provider support — Scaleway, OVHcloud, Together AI, OpenAI, Mistral, DeepSeek, Groq, Fireworks. 24 models across 9 families.
  • Works without any API key — PII detection, routing decisions, and masking work immediately after pip install. No signup needed.
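The detect, route and mask flow described under "How it works in practice" and in the list above, as an added Python example written for this page (it is not the project's code and does not import sovereign_gateway). The provider catalogue, relative prices, regex patterns and placeholder names are constructed assumptions, and only the regex layer is shown, not the Presidio NLP layer.

```python
import re

# Constructed provider catalogue: (region, relative price). Hypothetical values.
PROVIDERS = {
    "scaleway": ("EU", 0.9),
    "ovhcloud": ("EU", 1.0),
    "openai": ("US", 0.8),
    "groq": ("US", 0.3),
}

# Regex layer only; the project runs Presidio NLP alongside it (not reproduced here).
PII_PATTERNS = {
    "EMAIL_ADDRESS": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL_REDACTED]"),
    "IBAN_CODE": (re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
                  "[IBAN_REDACTED]"),
    "PHONE_NUMBER": (re.compile(r"\+\d{2}(?:[\s.]?\d{1,2}){5}\b"), "[PHONE_REDACTED]"),
}

def detect_pii(text):
    """Map each entity type that fires to its match count; matched strings are not kept."""
    return {t: len(rx.findall(text)) for t, (rx, _) in PII_PATTERNS.items() if rx.search(text)}

def mask_pii(text):
    """Type-specific redaction, to run before the prompt is logged or stored."""
    for rx, placeholder in PII_PATTERNS.values():
        text = rx.sub(placeholder, text)
    return text

def route(messages, preferred_provider=None):
    """Pick a provider: any PII restricts the choice to EU regions, whatever the caller asked for."""
    content = " ".join(m["content"] for m in messages)
    found = detect_pii(content)
    if found:
        candidates = {k: v for k, v in PROVIDERS.items() if v[0] == "EU"}
    elif preferred_provider in PROVIDERS:
        candidates = {preferred_provider: PROVIDERS[preferred_provider]}
    else:
        candidates = PROVIDERS
    name = min(candidates, key=lambda k: candidates[k][1])  # cheapest of the allowed set
    region = PROVIDERS[name][0]
    return {
        "pii_detected": bool(found), "pii_types": sorted(found),
        "forced_eu_routing": bool(found), "provider": name, "region": region,
        "masked_content": mask_pii(content),
        # audit record carries entity types and counts only, never the matched values
        "compliance_summary": {"pii_count": sum(found.values()), "eu_forced": bool(found)},
    }
```

A caller asking for a US provider still lands on an EU provider as soon as any pattern fires, which is the "cannot be bypassed via API" property in the list above.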

MVP Screenshots

PII Detection & Sovereign Routing

PII Masking & GDPR Compliance Proof

Screenshots are from the local development environment. The production managed service with real-time dashboard is coming soon at mh-gdpr-ai.eu.


Live Demo

mh-gdpr-ai.eu — Live demo will be available here after deployment.


Quick Start

Requires: Python 3.10+ and pip.

from sovereign_gateway import SovereignGateway

gateway = SovereignGateway()
result = gateway.route([{"role": "user", "content": "Analyze the account of jean.dupont@company.fr"}])

print(result.pii_detected)       # True
print(result.pii_types)          # ['EMAIL_ADDRESS']
print(result.forced_eu_routing)  # True — this request MUST stay in EU
print(result.gdpr_compliant)     # True

Want to call a real LLM? Add a provider API key — see docs/quickstart.md for details.


Features

Feature                                                  Status
Dual-layer PII detection (Presidio NLP + regex)          Available
15+ PII entity types (PERSON, EMAIL, PHONE, IBAN, SSN...)  Available
Sovereign routing engine (PII = EU only)                 Available
PII masking with type-specific placeholders              Available
Compliance audit summaries on every request              Available
End-to-end LLM calls with automatic EU routing           Available
Multi-provider support (8 providers)                     Available
24 models across 9 families                              Available
PyPI package published                                   Available
CI/CD with automated PyPI publish                        Available
Works without API key (detection + routing)              Available
FastAPI integration example                              Available
Python SDK (OpenAI-compatible)                           Available
TypeScript SDK                                           Available
Docker support                                           Available
Semantic cache integration                               Coming soon
Real-time savings dashboard                              Coming soon
GDPR compliance report generation (PDF)                  Coming soon
Managed service (zero infra for clients)                 Coming soon

Security

  • All PII detection runs locally — no data sent to external services
  • Dual-layer detection: if Presidio misses it, regex catches it
  • EU routing cannot be bypassed via API when PII is detected
  • Zero PII in logs — only types and counts are recorded
  • TLS 1.3 in transit, AES-256 at rest
  • JWT auth with short-lived tokens (15min)
  • Security headers on every response (CSP, HSTS, X-Frame-Options)
  • Rate limiting on all public endpoints
  • CORS with explicit origins only
  • No secrets in code (environment variables only)
  • Docker: non-root, read-only filesystem

See SECURITY.md for our full security policy.

Contributing

Contributions are welcome! See CONTRIBUTING.md for guidelines.

License

Apache 2.0 — See LICENSE.



Made by Mahadillah

Your users' data belongs in Europe. Not on a US server. Not anywhere else.