Compliance · May 25, 2026 · 12 min read

AI compliance guide — GDPR, DSGVO, RGPD, LGPD, KVKK and Japan's tokutei-shoutorihiki

Shipping AI in production means meeting the data-protection regime of every country you sell to, and each of them has its own rules for how a SaaS running LLMs in production must handle personal data. This guide is the practical playbook: what each regulator actually checks, what Kunavo provides under our DPA, and what you still need to do on your side. It is not legal advice (talk to a lawyer for that), but it is the operational checklist most engineering teams actually need.

The universal four — applies everywhere

  1. Pseudonymize PII before sending to LLM upstreams. Never send raw names, emails, phone numbers or account numbers to a third party; replace them with stable tokens and restore the real values locally once the response is back. Derive the tokens from a keyed hash that only you hold: a stable token lets the model keep track of "the same customer" across turns, but it also lets the upstream link every request about that person, so key per tenant and rotate the key where that linkage is a concern
  2. Sign a DPA / data processing agreement with Kunavo (and inherit our DPAs with Anthropic, OpenAI, Google)
  3. Maintain an audit trail: request ID, model used, prompt hash, token counts, timestamp. Hash the pseudonymized prompt, not the raw one (a hash of text that contains an email address is still personal data), and make records deletable per data subject for right-to-erasure requests
  4. Update your privacy policy: explicitly mention AI processing and list sub-processors (Kunavo plus the upstream providers)
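Items 1 and 3 above describe a technique rather than a policy, so here is a worked example. It is added to this guide and is not Kunavo's code nor the template code from the region-specific deep dives: PII is replaced in a single regex pass with stable tokens derived from a keyed HMAC (the key never leaves your side), the token-to-value vault stays local, the model's reply is restored from that vault, and each audit record keeps a keyed hash of the masked prompt plus the tokens it contained, so an erasure request can find and drop every record about one person. The regexes, the tenant key, the token format, the record layout and the sample support ticket are all assumptions or constructed inputs.

```python
"""Stable-token PII pseudonymization, local restore, and an erasable audit log.
Added example for this guide, not Kunavo's code. Patterns, key, token format,
record layout and the sample ticket are assumptions / constructed inputs."""
import hashlib
import hmac
import re
import uuid
from datetime import datetime, timezone

# PII classes found by pattern (deliberately simple; tune per tenant).
# Names cannot be found by regex: pass the values you already know from the
# account record as known_values instead of guessing them.
PII_PATTERNS = [
    ("EMAIL", r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    ("IBAN", r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),  # before PHONE on purpose
    ("PHONE", r"\+?\d[\d\s().-]{7,}\d"),
]
TOKEN_RE = re.compile(r"<[A-Z]+_[0-9a-f]{12}>")


def _tag(key: bytes, *parts: str) -> str:
    """Keyed HMAC-SHA256. The upstream never sees the key, so a token is stable
    for one tenant but neither reversible nor linkable across tenants."""
    return hmac.new(key, "\x1f".join(parts).encode(), hashlib.sha256).hexdigest()


def pseudonymize(prompt, key, vault, known_values=None):
    """Replace PII with stable tokens in ONE regex pass, so emitted tokens are
    never rescanned by a later pattern. Returns (masked_prompt, tokens_used).
    The vault (token -> original value) stays on your side."""
    groups = []
    for kind, values in (known_values or {}).items():
        alt = "|".join(re.escape(v) for v in sorted(values, key=len, reverse=True))
        groups.append(f"(?P<{kind}>{alt})")
    groups += [f"(?P<{kind}>{pat})" for kind, pat in PII_PATTERNS]
    combined = re.compile("|".join(groups))
    used = set()

    def repl(m):
        kind, value = m.lastgroup, m.group(0)
        token = f"<{kind}_{_tag(key, kind, value)[:12]}>"
        vault[token] = value
        used.add(token)
        return token

    return combined.sub(repl, prompt), used


def restore(text, vault):
    """Put the real values back into the model's output, locally."""
    return TOKEN_RE.sub(lambda m: vault.get(m.group(0), m.group(0)), text)


def audit_record(key, model, masked_prompt, tokens_used, tokens_in, tokens_out):
    """Enough to answer 'what did we send, where, when' without storing PII.
    The prompt hash is keyed so a leaked log is not a confirm-my-guess oracle."""
    return {
        "request_id": str(uuid.uuid4()),
        "ts": datetime.now(timezone.utc).isoformat(),
        "model": model,
        "prompt_hash": _tag(key, "audit", masked_prompt),
        "tokens_in": tokens_in,
        "tokens_out": tokens_out,
        "subjects": sorted(tokens_used),  # erasure index: who this row is about
    }


def erase_subject(token, records, vault):
    """Right to erasure: drop the vault entry and every record referencing it.
    Call once per token the subject owns (or key your vault by subject id)."""
    vault.pop(token, None)
    keep = [r for r in records if token not in r["subjects"]]
    removed = len(records) - len(keep)
    records[:] = keep
    return removed


def demo():
    key = b"per-tenant-secret-from-your-kms"  # assumption: one HMAC key per tenant
    vault, log = {}, []
    # Constructed sample: a support ticket you would otherwise send verbatim.
    ticket = ("Customer Alice Müller (alice@example.com, +49 30 1234567) asks why "
              "the SEPA debit from DE89370400440532013000 failed. Draft a reply.")
    masked, used = pseudonymize(ticket, key, vault, {"NAME": ["Alice Müller"]})
    # Stable: the same value yields the same token on a later request.
    masked_again, _ = pseudonymize("Follow-up for alice@example.com", key, vault)
    log.append(audit_record(key, "claude-sonnet", masked, used, 120, 80))
    name_token = next(t for t in used if t.startswith("<NAME_"))
    email_token = next(t for t in used if t.startswith("<EMAIL_"))
    # The model answers using tokens; only you can put the name back.
    reply = restore(f"Dear {name_token}, your debit was reversed.", vault)
    removed = erase_subject(email_token, log, vault)
    return {"masked": masked, "masked_again": masked_again, "email_token": email_token,
            "reply": reply, "removed": removed, "log": log, "vault": vault}


if __name__ == "__main__":
    out = demo()
    print(out["masked"])
    print(out["reply"], "| records removed:", out["removed"])
```

The single-pass regex matters: if you run the patterns one after another, the hex in an already-emitted token can be picked up by the phone pattern and double-masked, and the vault then no longer round-trips.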

Region-specific requirements

🇪🇺 European Union — GDPR (general)

  • Article 28 DPA with Kunavo (template on request via sales@kunavo.com)
  • Standard Contractual Clauses (SCCs) for transfers to US-based upstreams (Anthropic, OpenAI), bundled in our DPA; where the specific upstream entity is certified under the EU-US Data Privacy Framework you may rely on that instead, but verify the certification of the contracting entity, not the brand
  • Records of processing activities (Art. 30), including the LLM-specific purposes
  • Privacy by design (Art. 25): pseudonymization, data minimization, purpose limitation
  • Breach notification (Art. 33): you, as controller, notify the supervisory authority within 72 hours of becoming aware of an incident affecting EU subjects; Kunavo, as processor, must notify you without undue delay, so give your incident process a named contact for that

🇩🇪 Germany — DSGVO + Impressum + DDG

Germany layers extra requirements on top of GDPR:

  • Impressum (§ 5 DDG, which replaced § 5 TMG in 2024, and § 18 MStV): publish operator identity, address, contact details and, where applicable, the supervisory authority and register entries. Mandatory for German-targeted sites. Kunavo's template is at /legal/impressum
  • Stricter consent for "non-essential" data processing (Cookie consent, analytics)
  • For B2B sales: USt-IdNr (VAT ID) collected via Stripe Tax, reverse-charge applies for intra-EU

See DSGVO-konformer LLM-Einsatz ("DSGVO-compliant LLM use") for the German-language deep dive with PII-masking code.

🇫🇷 France — RGPD + AI sovereignty concerns

  • RGPD is the French name for GDPR; the same Article 28 DPA applies
  • CNIL is the enforcement authority; expect closer scrutiny for health and finance
  • For sensitive sectors (public, health, defense): consider EU-only routing with Mistral as upstream, on the Kunavo roadmap
  • Privacy policy must be in French if you serve French consumers

See Conformité RGPD pour LLM en France ("RGPD compliance for LLMs in France") for the French deep dive.

🇯🇵 Japan — APPI + tokutei-shoutorihiki

  • 特定商取引法 (Act on Specified Commercial Transactions, tokutei-shoutorihiki-hou): publish seller identity, pricing, refund policy and payment methods. Mandatory for B2C sales in Japan. Kunavo's page is at /legal/tokutei-shoutorihiki
  • APPI (Act on the Protection of Personal Information): Japanese DPA via sales@kunavo.com
  • Cross-border transfer (APPI Art. 28): the EU is recognized as adequate by the PPC, so EU-region upstreams need no extra step; US upstreams need the subject's consent (with the required disclosure about the destination country's regime) or a contract binding the recipient to APPI-equivalent safeguards

🇰🇷 South Korea — PIPA

  • Korean Personal Information Protection Act — one of the strictest globally
  • Explicit consent for collection and cross-border transfer
  • Korean-language privacy notice if servicing Korean users

🇧🇷 Brazil — LGPD + BACEN for fintech

  • LGPD (Lei Geral de Proteção de Dados) mirrors GDPR structurally
  • For PIX / payment use cases, BACEN Circulars 4.018 + 3.978 on operational risk apply — document model decisions, allow contestation
  • Right to elimination (LGPD Art. 18, VI, often called direito ao esquecimento): your logs must be deletable per data subject

See Claude para análise de risco PIX no Brasil ("Claude for PIX risk analysis in Brazil"), which covers LGPD + BACEN specifically.

🇹🇷 Turkey — KVKK

  • Personal Data Protection Law (KVKK, Law No. 6698): modelled on the pre-GDPR EU Directive, so the controller/processor split and the DPA approach carry over
  • Foreign data transfer requires explicit consent or KVKK-approved safeguards (adequate-country status or a Board-approved undertaking)
  • Data controllers above the registration thresholds must register in VERBİS, the Board's data controllers' registry, before processing

Zero Data Retention (ZDR) — when you need it

By default, Anthropic retains prompts for 30 days and Google for 60 days for abuse monitoring. For high-sensitivity workloads (health, financial, government, EU public sector) you can opt into Zero Data Retention (ZDR), under which the upstream keeps neither prompts nor completions beyond serving the request:

  • Anthropic ZDR: available via Kunavo Enterprise (~$3,000/month minimum). Anthropic deletes prompts within 30 seconds of completion, no upstream training, contractual commitment
  • Google Vertex AI ZDR + EU region: routing to europe-west1 (Belgium) or europe-west4 (Netherlands), data stays in EU, ZDR available
  • OpenAI ZDR: Enterprise tier only; negotiable through us

Email sales@kunavo.com with your requirements and we'll route you to the right upstream config. Note that ZDR governs only what the upstream keeps; your own audit log still needs its own retention limit and erasure path, which is why it should hold prompt hashes rather than prompts.

What Kunavo provides vs what stays on your side

  Responsibility                              Kunavo             You
  DPA with upstream providers                 ✓
  PII pseudonymization in prompts                                ✓
  Request-level audit logs                    ✓ (Kunavo side)    ✓ (your side)
  ZDR negotiation with upstream               ✓ (Enterprise)
  Privacy policy mentioning sub-processors                       ✓
  Right-to-erasure on your data                                  ✓
  Stripe Tax for regional VAT                 ✓ (automatic)

The 30-minute audit checklist

  1. Sign the DPA with Kunavo: email sales@kunavo.com
  2. Add PII pseudonymization step before every LLM call (template code in the region-specific deep dives)
  3. Confirm your audit log captures request_id, prompt_hash (of the pseudonymized prompt), model, tokens and timestamp, and that records can be deleted per data subject
  4. Update privacy policy: list "Kunavo" + upstream providers as sub-processors, mention purposes (classification, generation, etc.)
  5. Publish region-specific notices: Impressum (DE), tokutei-shoutorihiki (JP) — Kunavo provides templates at /legal
  6. If sensitive sector: request ZDR for upstream
  7. Set monthly review cadence — regulations evolve, vendors evolve, your audit log retention may need adjustment

Don't panic, but don't skip

For most B2C SaaS with no special-category data, the universal four + an updated privacy policy + Kunavo's DPA gets you 95% there. The remaining 5% — sector-specific notices, ZDR, sovereign upstreams — kicks in when you scale or move into regulated industries.