Compliance & Legal

Deploying a new enterprise security tool usually requires months of vendor risk assessments, security questionnaires, and legal negotiations. PII Eraser bypasses this friction by design.

Because PII Eraser is a self-hosted, air-gapped container deployed entirely within your own Virtual Private Cloud (VPC), your data never leaves your infrastructure. We do not host, store, transmit, or process your sensitive data. This fundamentally changes the legal and compliance requirements for using our software.

This page outlines how PII Eraser interacts with standard compliance frameworks and legal agreements.

Data Processing Agreements (GDPR, CCPA)

No DPA is required to use PII Eraser.

Under the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), a Data Processing Agreement (DPA) is only legally required between a Data Controller (your organization) and a Data Processor/Service Provider (a vendor who processes personal data on your behalf).

Because PII Eraser is provided as a software binary that you run on your own hardware, PII Eraser does not act as a Data Processor. We never receive or access your text or chat data, making a DPA legally unnecessary.

Business Associate Agreements (HIPAA)

No BAA is required to use PII Eraser in healthcare environments.

The Health Insurance Portability and Accountability Act (HIPAA) requires Covered Entities to sign a Business Associate Agreement (BAA) with vendors who create, receive, maintain, or transmit Protected Health Information (PHI) on their behalf.

Because PII Eraser runs entirely within your secure network and makes no outbound connections, it does not receive or transmit PHI to us. Therefore, PII Eraser is not a Business Associate under HIPAA guidelines.

SOC 2 and ISO 27001 Scoping

Traditional SaaS vendors are required to provide SOC 2 Type II or ISO 27001 reports to prove they are securely managing the data you entrust to them.

Because PII Eraser does not host or process your data, we fall entirely outside the scope of your third-party data processing controls. Rather than requiring you to review our SOC 2 report, deploying PII Eraser accelerates your own compliance: it neutralizes sensitive data before that data reaches external APIs (such as OpenAI or Anthropic) or your internal logging systems, which drastically reduces the scope of your own SOC 2 Confidentiality and Privacy criteria.

Software Supply Chain Security

While we do not host your data, we recognize that your security team needs to validate the integrity of the software you bring into your network. We maintain a secure Software Development Life Cycle (SDLC) designed to pass strict enterprise vendor risk assessments:

  • Zero-CVE Target: The container is built on a Chainguard distroless base image, containing a minimal dependency tree. We target zero known vulnerabilities at build time.
  • Continuous Scanning: Every release is scanned using Trivy and Amazon Inspector.
  • Immutable Artifacts: PII Eraser is distributed as a strictly versioned container image.
  • Hardened Runtime: As detailed in our Security Guide, the container drops all Linux capabilities, runs as a non-root user, and enforces a read-only root filesystem.
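As an added example (not the project's own code or manifest), the following policy check verifies a Docker Compose-style service definition for the artifact and runtime properties listed above: a strictly versioned image, all capabilities dropped and none re-added, a non-root user, and a read-only root filesystem. The registry name, user id and both sample service definitions are constructed assumptions.

```python
import re

# Strict semantic version tag, optionally followed by an image digest.
PINNED_TAG = re.compile(r"^.+:\d+\.\d+\.\d+(@sha256:[0-9a-f]{64})?$")


def check_service(svc: dict) -> list[str]:
    """Return policy violations for one Compose-style service mapping."""
    findings = []
    image = svc.get("image", "")
    if not PINNED_TAG.match(image):
        findings.append(f"image not pinned to a strict version: {image!r}")
    # Dropped capabilities: cap_drop must contain ALL and nothing re-added.
    if "ALL" not in {c.upper() for c in svc.get("cap_drop", [])}:
        findings.append("cap_drop does not include ALL")
    if svc.get("cap_add"):
        findings.append(f"capabilities re-added: {svc['cap_add']}")
    # Non-root user: Compose 'user' may be "uid", "uid:gid" or a name.
    uid = str(svc.get("user", "")).strip().split(":")[0]
    if uid in ("", "0", "root"):
        findings.append("container runs as root (no non-root 'user' set)")
    # Read-only root filesystem.
    if svc.get("read_only") is not True:
        findings.append("root filesystem is not read-only")
    return findings


# Constructed sample definitions (not the project's real manifest).
HARDENED = {
    "image": "registry.example/pii-eraser:1.4.2",
    "cap_drop": ["ALL"],
    "user": "10001:10001",
    "read_only": True,
}
WEAK = {  # typical mistakes: floating tag, root user, writable rootfs
    "image": "registry.example/pii-eraser:latest",
    "cap_drop": ["NET_RAW"],
    "cap_add": ["SYS_ADMIN"],
    "read_only": False,
}

if __name__ == "__main__":
    for name, svc in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{name}: {check_service(svc) or 'OK'}")
```

Running the same check in CI against the manifest you actually deploy turns the vendor's hardening claims into a property your own pipeline enforces.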

Because data-sharing agreements (DPAs, BAAs) are unnecessary, procurement is greatly simplified. Using PII Eraser typically only requires:

  1. End User License Agreement (EULA): Governs the intellectual property, reverse-engineering restrictions, and acceptable use of the software binary.
  2. Support Agreement / SLA: For enterprise customers, this governs our guaranteed response times for technical issues, bugs, and container updates. See Support & SLAs for details.
  3. Marketplace Terms (Optional): If you procure PII Eraser through the AWS or Azure Cloud Marketplaces, standard marketplace licensing terms and billing structures apply, completely eliminating the need to onboard us as a new financial vendor.