Data protection & GDPR
niil is built for GDPR from the ground up: you can get your data out, have it truly erased, and see what happened to it.
Data export (Art. 15)
You can export your conversations — subject, titles, messages and documents — in a machine-readable form. Because niil holds the keys, the export is decrypted for you on request.
Erasure (Art. 17) with crypto-shred
Erasure deletes your conversations and knowledge bases and drops the per-conversation encryption keys, so the stored ciphertext becomes permanently unrecoverable. This is real deletion, not a soft flag — see Encryption. Organization operators can process export/erase requests through a dedicated data-subject request queue with an audit record.
You can find your data controls in your profile.
Data-loss prevention (DLP)
niil can scan chat input and model output for personal or sensitive data — email addresses, phone numbers, national IDs, credit-card numbers, IBANs, IP addresses and API keys. Depending on the configured mode it can:
- audit — detect and log matches (content unchanged), or
- redact — replace matches with
[REDACTED:TYPE]before the text is used.
DLP also covers agent tool inputs and outputs. Detections are recorded in the audit trail with the relevant compliance control tags.
Immutable audit trail
Significant actions are written to an append-only audit trail — who did what, to which resource, when — tagged with GDPR/SOC2/HIPAA control identifiers so compliance reviews have concrete evidence.
Tenant isolation
Every organization ("tenant") is strictly isolated: data and actions are tenant-scoped, and cross-tenant access is denied at the authorisation layer. In production, niil can additionally run on PostgreSQL with Row-Level Security, enforcing isolation at the database layer as defence-in-depth.
Retention & sub-processors
See Zero Data Retention for provider retention and Compliance & legal for the DPA, TOM and the sub-processor list.