今日已更新 69 条资讯 | 累计 20935 条内容
关于我们

Recently found a GDPR gap in our LLM traces

/u/CellFar9220 2026年06月09日 03:32 2 次阅读 来源:Reddit r/webdev

Alright, first, for context, we’re a small early-stage startup (3 engineers total) and we closed our first round of funding 3 months ago. Second, not a lawyer or a GDPR expert. Obviously, I know GDPR is something we’d need to comply with, but we were so focused on rolling out the product to our customers that signed LOIs that it was just never a main focus. Anyways, we were about 2 weeks away from rolling out the product with our first customer based in Germany and we were rigorously testing our platform to make sure there weren’t any major hiccups during our launch. For the most part things were solid, no major bugs (a few tickets in Linear for styling issues), and we were getting good responses. We had Sentry set up for error tracking and PostHog for analytics. For tracing, we're using Braintrust, and thankfully all the data there is being hosted in the EU, so we didn't have to worry about that. But I did notice an issue we had missed. We’ve been logging everything. I’m talking about all the inputs, outputs, and conversation history, which sounds fine and helped us with debugging and building out the product. But our logs also contained a ton of PII. Names users typed into prompts, email addresses that showed up in completions, the occasional address or phone number. It just never crossed our mind that this was user data storage (in retrospect, duh) andd we had zero controls in place. No retention policy, no documented deletion path, no way to respond to an access request. When I flagged it, our CTO was freaking pissed. He didn't want to delay the launch, but going live while logging all that PII was an instant no-go. Which I totally get, not just because of GDPR, but I also think that there was no real reason to hoard that much data in the first place. What we ended up doing was, I think, a clean fix by treating the eval platform itself as the control point. I.e. being intentional about what fields get captured, setting actual retention policies, and making sure

本文内容来源于互联网,版权归原作者所有
查看原文