Trust, privacy, and compliance
Configuring for GDPR, DORA, the EU AI Act, and sector rules
Configuring Unless for GDPR, DORA, the EU AI Act, and sector-specific rules ensures your AI-powered customer success platform operates compliantly within regulated European environments. Unless is designed with compliance-by-design principles, embedding legal and regulatory requirements into its architecture rather than as add-ons. This article explains how Unless supports these frameworks and how you can configure the platform to meet your organization’s obligations.
compliance-by-design architecture
Unless is built from the ground up to comply with key European regulations including:
- GDPR (General Data Protection Regulation) for personal data protection and privacy.
- DORA (Digital Operational Resilience Act) for operational resilience in financial services.
- EU AI Act (Regulation (EU) 2024/1689) for AI system transparency, risk management, and human oversight.
- ISO 42001 for AI management systems.
- Sector-specific rules for entities supervised by BaFin (Germany) and AFM (Netherlands).
This compliance is woven into the platform’s core pillars:
- Data sovereignty: All personal data is hosted within EU cloud regions (AWS Ireland, Azure, Google Cloud EU). No personal data leaves the EU/EEA.
- Privacy Vault: Sensitive identifiers are tokenized at the gateway before reaching AI models, ensuring no raw personal data is exposed to model providers.
- Auditability: Every AI interaction and configuration change generates a per-decision and system audit trail, exportable for regulatory review.
- Real-time guardrails: Configurable controls prevent the AI from exceeding boundaries you set, supporting transparency and risk mitigation.
- Sector readiness: Pre-configured guardrails and workflows for finance, healthcare, HR, and payroll sectors, aligned with supervisory requirements.
configuring compliance controls in the dashboard
The Unless dashboard provides a dedicated Compliance tab where legal, DPO, and security teams can manage and demonstrate compliance without engineering involvement. Key configurable elements include:
- PII filters and tokenization rules: Define which personal data fields the AI can access or must mask.
- Role-based access controls: Assign permissions aligned with ISO 27001 principles to restrict data and feature access by user role.
- Audit log retention: Set retention periods for security-relevant logs, typically one year, to meet regulatory requirements.
- Transparency settings: Enable end-user disclosures that they are interacting with AI, and mark AI-generated content as required by the EU AI Act.
- Human oversight workflows: Configure approval and override processes to ensure meaningful human control over AI outputs.
- Risk classification and reporting: View and export AI system risk classifications and transparency reports for audits.
meeting deployer obligations under the EU AI Act
Unless acts as the provider of the AI system, while your organization is the deployer responsible for how the AI is used. To comply with Article 26 of the EU AI Act, you should:
- Use the Services according to their instructions.
- Assign competent personnel for human oversight.
- Ensure input data is relevant and representative.
- Monitor AI operation and report risks or incidents.
- Retain logs as required.
- Inform workers before deploying high-risk AI systems.
- Conduct a Fundamental Rights Impact Assessment if applicable.
Unless supports these obligations by providing:
- Technical documentation and model cards on request.
- Automatic logging and audit trails accessible via the dashboard.
- Notification of serious incidents without undue delay.
- Tools to configure transparency and human oversight.
supporting GDPR and DORA compliance
Unless’s architecture and operational practices also support GDPR and DORA compliance by:
- Hosting all personal data within the EU/EEA.
- Encrypting data in transit and at rest.
- Filtering and masking personal data before AI processing.
- Providing data subject rights management tools through the dashboard.
- Maintaining an information security management system modeled on ISO 27001 and ISO 27002:2022.
- Offering liability insurance aligned with contractual caps.
- Enabling audit log exports and incident response aligned with regulatory timelines.
sector-specific readiness
For regulated sectors such as finance, healthcare, and HR, Unless offers:
- Configurable guardrails tailored to BaFin and AFM supervisory requirements.
- Independent content silos ensuring one customer’s data does not train another’s AI.
- Pre-built compliance workflows to reduce the burden of sector-specific audits.
summary
Configuring Unless for GDPR, DORA, the EU AI Act, and sector rules involves leveraging the platform’s built-in compliance features and controls. The compliance-by-design architecture, combined with dashboard configurability, audit trails, and provider support, enables your organization to meet regulatory obligations confidently. You remain in control of data access, AI behavior, and transparency, while benefiting from a platform designed specifically for regulated European businesses.
For detailed technical documentation, risk classifications, and assistance with your compliance assessments, you can request support from Unless through your account or contact their Data Protection Officer at dpo@unless.com.