Built for regulated industries.

Piixie processes everything locally on your machine. No cloud uploads, no cross-border transfers, no third-party exposure. That single architectural decision simplifies compliance across every major regulatory framework.

  • 100% local processing: data never leaves your machine
  • Zero cloud exposure: no APIs, no uploads, no SaaS risk
  • 8 frameworks covered: GDPR, HIPAA, CCPA, SOC 2, and more
  • Audit-ready output: redaction logs for every run
Regulatory coverage

One tool, eight frameworks.

Because Piixie runs entirely on your device, data never enters a third-party environment. That single fact eliminates entire categories of compliance risk and simplifies the controls you need to maintain.

GDPR

EU General Data Protection Regulation

The GDPR requires organizations to protect personal data of EU residents through principles of lawfulness, fairness, transparency, and data minimization. Controllers and processors must demonstrate compliance at every stage of data handling, from collection through deletion. Key obligations include maintaining a lawful basis for processing, honoring data subject rights such as the right to erasure and data portability, implementing data protection by design and by default, and executing Data Processing Agreements with any third party that handles personal data.

How Piixie helps

  • Local processing means personal data never crosses organizational or national boundaries, eliminating the need for Standard Contractual Clauses or adequacy decisions for anonymization workflows.
  • Data minimization is enforced at the source: Piixie strips PII before data is shared with any downstream system, team, or AI model.
  • Anonymized output is no longer considered personal data under GDPR Recital 26, freeing it from further regulatory obligations.
  • No third-party processor is involved in the anonymization step, removing the requirement for a Data Processing Agreement for this operation.
  • Right to erasure is simplified because the original sensitive data stays on a single machine you control, never replicated to cloud storage or SaaS platforms.
  • Redaction audit logs provide evidence of data protection by design for supervisory authority reviews.

HIPAA

Health Insurance Portability and Accountability Act

HIPAA establishes national standards for protecting individually identifiable health information, known as Protected Health Information (PHI). Covered entities and their business associates must implement administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of PHI. The Privacy Rule mandates the minimum necessary standard, requiring that only the least amount of PHI needed for a given purpose is used or disclosed. Any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity must sign a Business Associate Agreement (BAA).

How Piixie helps

  • PHI stays entirely on your premises. Piixie never transmits health data to external servers, cloud APIs, or remote processing environments.
  • The minimum necessary standard is enforced automatically: Piixie detects and redacts PHI categories including patient names, MRNs, dates of birth, diagnoses, and provider identifiers.
  • No Business Associate Agreement is required for the anonymization step because no third party ever accesses the PHI.
  • De-identified data produced by Piixie can be shared for research, analytics, or AI training without triggering HIPAA disclosure rules.
  • Redaction before sharing with AI tools or LLMs prevents accidental PHI exposure in prompts or model training data.
  • Audit trails document exactly which PHI elements were detected and redacted, supporting compliance documentation for OCR audits.

CCPA / CPRA

California Consumer Privacy Act / California Privacy Rights Act

The CCPA, as amended by CPRA, grants California residents sweeping rights over their personal information: the right to know what data is collected, the right to delete it, the right to opt out of its sale or sharing, and the right to non-discrimination for exercising these rights. Businesses must disclose their data practices, honor consumer requests within prescribed timeframes, and implement reasonable security measures. CPRA expanded these protections with a new category of sensitive personal information and established the California Privacy Protection Agency for enforcement.

How Piixie helps

  • Anonymize personal information before it enters analytics pipelines, data warehouses, or shared datasets, reducing the scope of consumer data subject to CCPA/CPRA obligations.
  • No personal data is transmitted to third parties during anonymization, so running Piixie does not constitute a "sale" or "sharing" of personal information under the statute.
  • Consumer deletion requests are easier to fulfill when sensitive data has been stripped at the point of ingestion rather than scattered across cloud services.
  • Sensitive personal information such as Social Security numbers, financial account details, and precise geolocation can be redacted before downstream use, satisfying the heightened CPRA protections.
  • Local processing avoids creating additional data inventories or processing records with third-party service providers.
  • Opt-out compliance is simplified because anonymized data falls outside the definition of personal information and is not subject to opt-out requirements.

SOC 2

Service Organization Controls

SOC 2 is an auditing framework developed by the AICPA that evaluates an organization's controls across five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. Organizations pursuing SOC 2 Type II attestation must demonstrate that their controls operate effectively over a sustained period. For companies handling sensitive customer data, SOC 2 is often a baseline requirement from enterprise clients and partners.

How Piixie helps

  • Confidentiality controls are inherently satisfied for anonymization workflows because sensitive data never leaves the local environment or enters a third-party system.
  • The local-first architecture eliminates an entire category of vendor risk that would otherwise require assessment, monitoring, and documentation in your SOC 2 report.
  • Processing integrity is demonstrable through deterministic, repeatable redaction with full audit logs showing what was detected and how it was handled.
  • Privacy criteria benefit from data minimization at source: personal information is stripped before it reaches systems covered by your SOC 2 boundary.
  • Security controls for data in transit are simplified because there is no transit. Piixie operates entirely within your workstation or server boundary.
  • Availability is unaffected by external dependencies. Piixie runs offline with no reliance on cloud APIs or internet connectivity.

ISO 27001

Information Security Management

ISO 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). It requires organizations to assess information security risks, apply appropriate controls from Annex A, and demonstrate ongoing compliance through internal audits and management reviews. Key control areas include access management, cryptography, operations security, communications security, and incident response. Certification signals to clients and regulators that an organization takes a systematic approach to protecting information assets.

How Piixie helps

  • Data stays within the organizational boundary you define in your ISMS scope, avoiding the complexity of extending controls to external processors or cloud environments.
  • Access controls are simplified to local file system permissions on the machine running Piixie, rather than managing IAM policies across cloud services.
  • Risk assessment for anonymization workflows shows minimal residual risk because sensitive data is never exposed to networks, APIs, or third parties.
  • Annex A controls for communications security (A.13) are inherently met since no sensitive data is transmitted over any network during processing.
  • Incident response scope is reduced: a breach of the anonymized output does not constitute a personal data breach because the output contains no identifiable information.
  • Audit evidence is straightforward to produce. Piixie's redaction logs document the control in action for every processed document.

EU AI Act

Artificial Intelligence Act

The EU AI Act is the first comprehensive legal framework for artificial intelligence, classifying AI systems by risk level and imposing requirements accordingly. High-risk AI systems face obligations around transparency, human oversight, data governance, accuracy, robustness, and cybersecurity. The Act mandates that training and validation datasets meet quality standards, that AI decisions are explainable, and that organizations maintain technical documentation demonstrating compliance. Even general-purpose AI models face transparency obligations when deployed in the EU market.

How Piixie helps

  • Local AI processing means your anonymization model runs on your own hardware, not through an opaque cloud API where you cannot inspect or govern the processing pipeline.
  • Human oversight is fully preserved: users review, approve, and adjust every redaction before output is finalized, maintaining human-in-the-loop control.
  • Data governance requirements are simplified when training data and operational data never leave your environment, giving you complete control over data quality and provenance.
  • Transparency is inherent in the design: Piixie shows exactly what was detected, what category it belongs to, and what action was taken, providing the explainability the Act requires.
  • No dependency on third-party AI services that may change models, terms, or processing locations without notice, avoiding supply-chain compliance gaps.
  • Technical documentation for regulators is straightforward because the entire processing pipeline is contained within a single, inspectable local application.

FERPA

Family Educational Rights and Privacy Act

FERPA protects the privacy of student education records and applies to all educational institutions that receive federal funding. Under FERPA, schools must obtain written consent from parents or eligible students before disclosing personally identifiable information from education records. Exceptions exist for directory information and legitimate educational interest, but the default is strong protection. Violations can result in the withdrawal of federal funding, making compliance a critical institutional priority for schools, colleges, and universities.

How Piixie helps

  • Student records are anonymized locally before being shared with researchers, analytics platforms, or AI tools, eliminating unauthorized disclosure of education records.
  • No student PII is transmitted to cloud services or third-party processors, preserving the institution's control over education records as FERPA requires.
  • Consent requirements are simplified when the shared output contains no personally identifiable information, as de-identified data may fall outside FERPA's scope.
  • Institutional research offices can analyze student outcomes and trends using anonymized datasets without requiring individual student consent for each study.
  • Piixie detects education-specific identifiers including student IDs, enrollment records, grade data, and disciplinary information for targeted redaction.
  • Audit logs demonstrate to accreditation bodies and the Department of Education that appropriate de-identification procedures were followed.

PCI DSS

Payment Card Industry Data Security Standard

PCI DSS is a set of security standards designed to ensure that all organizations that accept, process, store, or transmit credit card information maintain a secure environment. The standard includes twelve core requirements covering network security, access controls, encryption, vulnerability management, and monitoring. Cardholder data, including the primary account number (PAN), cardholder name, expiration date, and service code, must be protected wherever it is stored, processed, or transmitted. Non-compliance can result in fines, increased transaction fees, and loss of the ability to process card payments.

How Piixie helps

  • Credit card numbers, PANs, and financial PII are redacted locally before documents are shared, stored in secondary systems, or used in analytics.
  • Cardholder data never transits a network during the anonymization process, reducing the scope of your Cardholder Data Environment (CDE) and simplifying PCI DSS assessments.
  • Access control requirements are limited to the local workstation running Piixie, rather than extending to cloud environments, APIs, or third-party processors.
  • Piixie detects and masks card numbers, expiration dates, CVVs, and associated cardholder names across documents, spreadsheets, and unstructured text.
  • Redacted output can be safely shared with teams that do not need access to cardholder data, enforcing the need-to-know principle required by PCI DSS.
  • Processing logs provide audit evidence that cardholder data was properly handled, supporting your Self-Assessment Questionnaire or Report on Compliance.

Simplify your compliance posture today.

Start anonymizing locally in minutes. No cloud account required, no data processing agreements to negotiate.

Download Piixie