Vaultex

Compliance Documentation

GLBA · GDPR · CCPA

How Vaultex's architecture supports your obligations under three data privacy frameworks that commonly apply to financial services AI deployments.

This document describes technical controls only. Final compliance determination requires your legal team and applicable regulators.

Gramm–Leach–Bliley Act (GLBA) — Safeguards Rule

What is the requirement?

The FTC Safeguards Rule (16 C.F.R. Part 314) requires financial institutions to implement a written information security programme that includes administrative, technical, and physical safeguards to protect customer Nonpublic Personal Information (NPI).

How Vaultex supports it

Vaultex stops NPI from leaving your network in plaintext. The gateway tokenizes the GLBA-relevant identifier classes it detects (name, SSN, account number, email, phone, date of birth) before the prompt is forwarded to a third-party LLM API, so the provider receives tokens in place of the identifiers. The append-only audit trail records what was processed, by whom and when, which is evidence the Safeguards Rule's documentation and logging requirements (16 C.F.R. § 314.4(c)(8), monitoring and logging of authorized-user activity) call for.

Scope of support

Vaultex addresses the technical transmission control layer of Safeguards Rule compliance. Two caveats for the practitioner: tokenization is not encryption, so whether it satisfies § 314.4(c)(3) (customer information in transit over external networks) directly or as a compensating control is a determination for your Qualified Individual to review and approve; and detection coverage matters, since an identifier the gateway does not recognise is forwarded as-is. An institution's full programme must also address the written risk assessment, the designated Qualified Individual, physical security, employee training, service-provider oversight and contracts, and periodic reassessment. Vaultex does not replace those controls.


General Data Protection Regulation (GDPR)

Article 25 — Data Protection by Design

GDPR Article 25 requires controllers to implement appropriate technical and organisational measures, pseudonymisation being the example the Article itself gives, that apply data-protection principles such as data minimization both at the design stage and at the time of processing. Vaultex's tokenization is such a measure embedded in the AI request pipeline: identifiers are pseudonymised before the request is forwarded, and the LLM receives only what its task needs (tokens for identifiers, real values for analytics fields).
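The following Python is an added illustration of the flow the GLBA and Article 25 sections describe (tokenize identifiers before the prompt leaves the boundary, pass analytics fields through, restore tokens in the reply, log the processing without logging the values). It was written for this page and is not Vaultex's code; the regex-based detection, the `[KIND:hex]` token format, HMAC-SHA256 tokens, the in-memory vault, the SHA-256 hash-chained log and the sample prompt are all assumptions of the demo.

```python
import hashlib
import hmac
import json
import re
import time
from typing import Dict, List

# Identifier classes this demo detects. The regexes stand in for the gateway's
# real detection; names need an NER model and are deliberately not attempted.
IDENTIFIER_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "PHONE": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ACCOUNT": re.compile(r"\bACCT-\d{8}\b"),
    "DOB": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}
TOKEN_RE = re.compile(r"\[(SSN|EMAIL|PHONE|ACCOUNT|DOB):[0-9a-f]{12}\]")


class Gateway:
    """Tokenizes identifiers on the way out to the LLM, restores them on the
    way back, and keeps a hash-chained audit log that never holds raw values."""

    def __init__(self, secret: bytes):
        self._secret = secret              # HMAC key; a real deployment pulls it from a KMS/HSM
        self._vault: Dict[str, str] = {}   # token -> original value; never leaves the boundary
        self.audit: List[dict] = []        # append-only; each entry is chained to the previous

    def _token(self, kind: str, value: str) -> str:
        # Deterministic per (kind, value) so the model can correlate repeated
        # mentions; keyed so nobody without the secret can recompute a token.
        mac = hmac.new(self._secret, f"{kind}:{value}".encode(), hashlib.sha256)
        return f"[{kind}:{mac.hexdigest()[:12]}]"

    def tokenize(self, text: str, actor: str) -> str:
        """Replace every detected identifier; analytics values pass through untouched."""
        counts: Dict[str, int] = {}
        for kind, pattern in IDENTIFIER_PATTERNS.items():
            def swap(m, kind=kind):
                tok = self._token(kind, m.group(0))
                self._vault[tok] = m.group(0)
                counts[kind] = counts.get(kind, 0) + 1
                return tok
            text = pattern.sub(swap, text)
        # The log records which classes were tokenized and how many, never the values.
        self._append_audit({"actor": actor, "action": "tokenize", "identifiers": counts})
        return text

    def detokenize(self, text: str, actor: str) -> str:
        """Restore tokens in the model's reply; tokens not in the vault are left as-is."""
        restored = 0

        def swap(m):
            nonlocal restored
            value = self._vault.get(m.group(0))
            if value is None:
                return m.group(0)  # model-fabricated token: never guess a value for it
            restored += 1
            return value

        out = TOKEN_RE.sub(swap, text)
        self._append_audit({"actor": actor, "action": "detokenize", "restored": restored})
        return out

    def _append_audit(self, event: dict) -> None:
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": time.time(), "prev": prev, **event}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)


def verify_audit(log: List[dict]) -> bool:
    """Recompute the chain; an edited, removed or reordered entry breaks it."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return False
        prev = entry["hash"]
    return True


# Constructed sample prompt: identifiers get tokenized, the analytics fields
# (balance, late-payment count) reach the model in clear.
SAMPLE_PROMPT = (
    "Customer SSN 123-45-6789, email jane.doe@example.com, phone 415-555-0123, "
    "account ACCT-00012345, DOB 1984-07-19. Balance 4512.33, 3 late payments "
    "in the last 12 months. Should we offer a credit-line increase?"
)


def run_demo() -> dict:
    gw = Gateway(secret=b"demo-key-do-not-use")
    outbound = gw.tokenize(SAMPLE_PROMPT, actor="analyst@bank.example")
    # Stand-in for the provider's reply: it echoes one real token and one it made up.
    first_token = TOKEN_RE.search(outbound).group(0)
    reply = f"Offer a modest increase to the holder of {first_token}; contact [EMAIL:000000000000]."
    inbound = gw.detokenize(reply, actor="analyst@bank.example")
    return {"outbound": outbound, "inbound": inbound, "audit_ok": verify_audit(gw.audit), "audit": gw.audit}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it and compare `outbound` with `inbound`: the provider only ever sees `[SSN:…]`-style tokens, the balance and payment history it needs reach it unchanged, and the fabricated `[EMAIL:000000000000]` in the reply is left untouched because it is not in the vault. The audit entries carry an actor, an action and per-class counts, so the log can be handed to an auditor without itself becoming NPI, and `verify_audit` fails the moment any entry is altered. Two limits are worth keeping in mind when reading it against the product claims: regex detection misses names and anything not in the pattern set, and the DOB pattern treats every ISO date as a date of birth, which is the over-redaction side of the same trade-off.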

Article 28 — Processor obligations

When an external LLM provider (Anthropic, OpenAI) processes personal data on your behalf, GDPR Article 28 requires a contract containing the processor terms listed in Article 28(3). Tokenizing identifiers before the request leaves your network narrows what the provider processes, and therefore what that agreement has to cover. It does not by itself remove the provider from Article 28: tokenized data is pseudonymised data, and Recital 26 treats pseudonymised data as personal data wherever it can be attributed to a natural person with additional information, such as your detokenization mapping. Whether a provider that holds neither the mapping nor the key is processing personal data at all is the question addressed in the next paragraph.

Our position

Whether tokenized prompts constitute 'personal data' under GDPR Article 4(1) (or pseudonymised personal data in the sense of Article 4(5)) depends on the likelihood of re-identification and the applicable legal context. This is a legal determination for your DPO and legal counsel, not a vendor claim.


California Consumer Privacy Act (CCPA) / CPRA

Relevant obligations

The CCPA (as amended by CPRA) gives California consumers rights over personal information held by businesses, including the right to know, the right to delete, and the right to opt out of sale or sharing. It also imposes obligations on businesses to implement reasonable security procedures.

How Vaultex supports it

Vaultex's tokenization reduces the personal information footprint of AI processing: the LLM provider receives tokens in place of California consumers' identifiers. Note that whether a disclosure to a provider is a 'sale' or 'share' under CCPA also turns on your contract with that provider (whether it qualifies as a service provider or contractor), not only on the form of the data, so tokenization narrows the exposure but does not by itself settle that question. The audit trail supports responses to consumer requests to know and requests to delete by recording what processing occurred and when.

Evidence Pack for Regulators

Enterprise plan customers receive a Vaultex Compliance Evidence Pack, which includes: architecture diagram, data flow documentation, audit log schema, RBAC configuration summary, and a vendor security questionnaire (CAIQ-aligned). Contact hello@vaultex.space for access.
