Our approach

A GDPR-aware agent design does not start with a model. It starts with data mapping, purpose limitation, access control and auditability.

Data minimisation

We help define which data an agent needs for a workflow and avoid unnecessary access to unrelated systems or records.

Purpose limitation

Each agent workflow should have a defined business purpose, approved data sources and clear boundaries for what the agent may do.

Access control

We design around role-based access, least privilege and scoped connectors so agents do not receive broad access by default.

Human review and audit logs

Sensitive actions should include human approval points. Logs should record retrievals, tool calls, outputs, outcomes and errors where appropriate.

Model-provider configuration

We review provider settings and contractual requirements for data handling, retention and use of client data. We do not use client project data to train shared AI models.

EU-hosted and private deployment options

EU-hosted, private server and hybrid deployment options are available where required by the project and data-protection requirements.

Client responsibilities

Nealphast helps clients design GDPR-aware systems, but each client remains responsible for confirming the lawful basis, internal policies and regulatory obligations that apply to its own data and workflows.

What is agreed in each project

Data-processing terms, infrastructure locations, model providers, retention periods, access roles, approval gates and service levels are defined in the relevant project agreement.