GDPR compliance with Sonomos

The EU General Data Protection Regulation (GDPR) — formally Regulation (EU) 2016/679 — regulates the processing of personal data of EU and UK data subjects. AI tools have created a new class of unmonitored disclosure: a single paste into a chat assistant can transfer personal data to a third-country processor without any of the lawful-basis, transparency, or security controls GDPR requires. Sonomos is a technical safeguard that addresses this surface specifically.

What’s at stake when staff use AI tools

GDPR personal data is anything that identifies — directly or indirectly — a natural person: names, emails, phone numbers, IP addresses, online identifiers, location data, health data, financial data, and more. Sending that data into a generative AI service typically triggers several articles at once:

  • Article 5 principles: lawfulness, purpose limitation, data minimization, integrity & confidentiality.
  • Article 6 lawful basis: is consent or legitimate interest actually established for this disclosure?
  • Article 9 special-category data: health, biometric, racial, political, religious, trade union, sexual data — these have extra restrictions.
  • Article 32 security of processing: pseudonymization / encryption are explicit examples.
  • Articles 44–49 transfers to third countries: relevant when the AI provider processes outside the EU/UK.

Sonomos doesn’t make those decisions for you. It gives your staff a way to avoid the disclosure in the first place, which is the cleanest GDPR posture.

What Sonomos detects relevant to GDPR

Sonomos’s detector set covers the common categories of personal data and special-category data. From the Detector Reference:

  • Identifiers — names, email, phone, IP addresses (v4 / v6), online identifiers (usernames), national IDs, passport numbers, driver’s licenses, tax IDs.
  • Location — addresses, ZIP/postcodes, location references.
  • Financial — credit card numbers (Luhn-validated), IBANs (MOD-97), SWIFT/BIC, routing numbers.
  • Health (Article 9) — medical record numbers, health plan beneficiary identifiers, NPI, DEA.
  • Digital identifiers — MAC addresses, VINs, URLs with embedded credentials.

The browser extension’s Cloak masking automatically rewrites these out of outgoing prompts on supported AI platforms; Send Guard warns or blocks on every other site.

How Sonomos supports each principle

Article 5(1)(c) — Data minimization

Cloak rewrites outgoing prompts so that only the data necessary to get a useful response actually reaches the AI service. Names, identifiers, and contact information get replaced with stable placeholders like [NAME_1] or [EMAIL]. The model can still reason about the content; the data subject is no longer identifiable to the processor.
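The placeholder substitution described here, together with the Luhn and MOD-97 validation named in the detector list above, as an added illustration written for this page. It is not Sonomos's code: the regular expressions, the placeholder names [EMAIL_1] / [CARD_1] / [IBAN_1] (a numbered variant of the page's [NAME_1] / [EMAIL] style) and the sample prompt are all constructed for the example.

```javascript
// Illustrative Cloak-style pseudonymizer (added example, not Sonomos code).
// Detects e-mail addresses, Luhn-valid card numbers and MOD-97-valid IBANs,
// and replaces each distinct value with a stable placeholder such as
// [EMAIL_1] / [CARD_1] / [IBAN_1] (placeholder names constructed for this example).

// Luhn check over a string of 13-19 digits (the check the page's card detector applies).
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let doubleIt = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    doubleIt = !doubleIt;
  }
  return sum % 10 === 0;
}

// ISO 13616 MOD-97 check: move the first four characters to the end, map
// letters A-Z to 10-35, and the resulting number must be 1 mod 97.
// The remainder is computed digit by digit so no big-integer type is needed.
function ibanValid(iban) {
  const s = iban.replace(/\s+/g, "").toUpperCase();
  if (!/^[A-Z]{2}\d{2}[A-Z0-9]{11,30}$/.test(s)) return false;
  const rearranged = s.slice(4) + s.slice(0, 4);
  const numeric = rearranged.replace(/[A-Z]/g, (c) => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const ch of numeric) rem = (rem * 10 + Number(ch)) % 97;
  return rem === 1;
}

// Candidate patterns (constructed for this example; a real detector set is broader).
const IBAN_RE = /\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b/g;
const CARD_RE = /\b(?:\d[ -]?){12,18}\d\b/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

// Rewrites `text` so that each detected value becomes a placeholder. The same
// value always maps to the same placeholder (stable within one prompt), so the
// model can still follow references ("[EMAIL_1] asked about [CARD_1]") while
// the processor never sees the original data. Returns the masked text and the
// mapping, which stays local and never needs to leave the device.
function cloak(text) {
  const map = new Map();   // normalised original value -> placeholder
  const counters = {};     // per-kind sequence numbers
  const placeholderFor = (kind, value) => {
    if (!map.has(value)) {
      counters[kind] = (counters[kind] || 0) + 1;
      map.set(value, `[${kind}_${counters[kind]}]`);
    }
    return map.get(value);
  };
  // IBANs first: their digit runs could otherwise be tested as card candidates.
  let out = text.replace(IBAN_RE, (m) => {
    const compact = m.replace(/\s+/g, "").toUpperCase();
    return ibanValid(compact) ? placeholderFor("IBAN", compact) : m;
  });
  // Card candidates are only masked when the Luhn check passes, which keeps
  // ticket numbers and other long digit strings intact (targeted minimisation,
  // not blanket redaction).
  out = out.replace(CARD_RE, (m) => {
    const digits = m.replace(/\D/g, "");
    return luhnValid(digits) ? placeholderFor("CARD", digits) : m;
  });
  out = out.replace(EMAIL_RE, (m) => placeholderFor("EMAIL", m.toLowerCase()));
  return { masked: out, map };
}

// Constructed sample prompt; every value in it is a published test value, not real data.
const SAMPLE_PROMPT =
  "Refund for jane.doe@example.com: card 4111 1111 1111 1111, IBAN GB82 WEST 1234 5698 7654 32. " +
  "Ticket 1234567890123 is not a card. Follow up with jane.doe@example.com.";

if (typeof require !== "undefined" && require.main === module) {
  const { masked, map } = cloak(SAMPLE_PROMPT);
  console.log(masked);
  console.log([...map.entries()]);
}
```

Run on the sample prompt, cloak() produces "Refund for [EMAIL_1]: card [CARD_1], IBAN [IBAN_1]. Ticket 1234567890123 is not a card. Follow up with [EMAIL_1]." The two design points worth noting are that the second occurrence of the address reuses [EMAIL_1], so the model can still resolve who is being discussed, and that the checksum gate is what leaves the ticket number untouched: a pattern match alone would have redacted it and degraded the prompt for no privacy gain.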

Article 5(1)(f) — Integrity and confidentiality

By preventing the original personal data from leaving the device, Sonomos materially reduces the confidentiality risk associated with using AI tools. The data is never transmitted to Sonomos either — local-only processing is the default and the only mode.

Article 25 — Data protection by design and by default

The local-first, no-network architecture is a “by design” control. Cloak enabled by default on supported platforms, with Send Guard enabled everywhere else, is a “by default” control that your security team can pin via the Teams plan.

Article 32 — Security of processing

GDPR cites pseudonymization explicitly as an example of an appropriate security measure. Cloak’s placeholder substitution is pseudonymization at the point of disclosure. Compliance reports (Professional / Teams) document that this control was active during a given period.

Articles 44–49 — Transfers to third countries

The most common AI services are operated by US-based controllers. Sonomos cuts that transfer at the source: if personal data is masked before it leaves the browser, the third-country transfer never happens. This is materially stronger than relying solely on Standard Contractual Clauses or vendor BAAs, because the data simply isn’t sent.

  1. Enable Cloak on every supported AI platform. Today: Claude.ai, Gemini, Grok.
  2. Set Send Guard to “Banner + Modal” as the minimum, organization-wide.
  3. On the Teams plan, pin the minimum policy so staff can’t drop below it.
  4. Schedule compliance reports to the DPO’s inbox at a regular cadence — these are the audit-trail evidence for Article 32 controls.
  5. Document the residual risk. The extension is browser-only. Note in your records of processing activities (Article 30) that native AI clients, IDEs, and local LLMs are out of scope until Sonomos Desktop ships.
  6. For special-category data (Article 9) — health, biometric, etc. — ensure Modal mode is in effect on every uncovered site so submission can’t happen without explicit acknowledgement.

Where Sonomos fits in your DPIA

A few elements you can directly cite when documenting a Data Protection Impact Assessment for staff AI use:

DPIA element                             | What Sonomos contributes
Nature, scope, context of processing     | Compliance reports show categories detected and platforms scanned
Necessity & proportionality              | Cloak’s pseudonymization reduces the minimum data required at the boundary
Risks to data subjects                   | Detection counts surface where exposure is concentrated
Measures to address risks                | Automatic masking + Send Guard + Teams policy enforcement
Demonstrable effectiveness over time     | Time-bounded compliance reports for the assessment period

Data processor / sub-processor status

Sonomos does not receive personal data through its products. Detection, masking, and reporting metadata are local. The only data Sonomos servers receive is:

  • Account information and billing data (when you have a subscription).
  • Aggregate detection counts (Teams plan only — categories and totals, never the underlying text).

For most customers this means Sonomos is not a processor of personal data in the GDPR sense for the protected content itself. If your DPO concludes otherwise for your specific deployment, contact info@sonomos.ai — we’re happy to walk through it.

Coming in Sonomos Desktop

Specifically for GDPR-driven rollouts, Sonomos Desktop adds:

  • OS-wide coverage — native AI clients, IDE assistants, local LLMs, clipboard, and screenshots, all of which currently fall outside the extension’s scope.
  • Tamper-evident audit log — append-only, signed event log suitable for evidence of effectiveness of Article 32 measures.
  • Air-gapped / fully offline mode — useful when controllers operate in environments without cross-border traffic.
  • SSO + SCIM + MDM — automated provisioning and managed deployment, which simplifies the Article 32 access-control story.

See the Sonomos Desktop overview and roadmap.

Next steps