The AI register your auditor will accept — before 2 August 2026.
NordClaw automatically inventories every AI tool your employees use, classifies the risk, and produces the Art. 12 evidence regulators will ask for. Deploys in a day. No PII data leaves the EU.
Combined exposure: up to €35M or 7% of global turnover under the AI Act and GDPR — applied in parallel, on the same incident.
Three EU AI Act questions every CISO must answer.
Most cannot answer one. By August 2026, regulators expect all three — in writing, with an audit trail.
>50% of EU organisations have no AI inventory. 40% of detected AI systems can't be cleanly classified.
- 01
What AI is being used?
ChatGPT, Claude, Copilot, embedded vendor AI, shadow API calls — the full inventory, not the part you know about.
- 02
By whom?
Which employee, in which department — tied to a real identity, not an anonymous API key.
- 03
With what data?
Which prompts contained personal, customer, financial or health data — and where it ended up.
| Tool | Team | User | Data class | Risk |
|---|---|---|---|---|
| ChatGPT | Legal | a.lindqvist | Contract draft | ● High |
| Claude | Finance | j.berg | Q3 forecast | ● High |
| Copilot | Engineering | m.haugen | Source code | ● Med |
| Gemini | HR | s.virtanen | CV screening | ● High |
| Perplexity | Marketing | k.olsen | Public research | ● Low |
One screen. Every AI interaction. Signed evidence.
- Answer the three questionsWho is using which LLM, with what data — auto-discovered from proxy traffic, not from a form anyone filled in.
- Art. 26(6) log in one clickImmutable Postgres on EU soil. Export the audit trail as signed PDF, CSV or JSON your regulator will accept.
- No code changeZero code changes — transparent OpenAI-compatible proxy. Your IT team reroutes traffic in minutes, every tool keeps working.
Five reasons every other approach falls short.
The EU AI Act and GDPR create obligations most AI tooling can't meet. These are the structural gaps — and how NordClaw closes them.
- 01
Preventive, not reactive
GDPR Article 17 — the right to erasure — is technically unenforceable once personal data enters an LLM. The EDPB confirmed this in its 2025 guidance. NordClaw keeps personal data out of the model entirely, so erasure becomes a database DELETE.
EDPB 2025 guidance · data subject rights in AI - 02
Your employees are already leaking data
49% of enterprise workers admit to using unapproved AI tools — the real number is higher. Every pasted ticket, contract or performance review is a transfer of personal data. NordClaw redacts at the API layer, so you get a barrier towards wrongdoing by colleagues.
Enterprise shadow-AI usage · 2024–2025 - 03
A DPA won't stop a CLOUD Act subpoena
The US CLOUD Act compels US providers to hand over data held anywhere — EU servers included. Contractual protections are unenforceable against a federal subpoena. If personal data never reaches US infrastructure, there is nothing to compel.
18 U.S.C. § 2713 · CLOUD Act, 2018 - 04
Covers shadow AI, not just sanctioned tools
Browser extensions and endpoint agents only protect the tools you've configured. NordClaw sits at the API layer — every LLM call, from sanctioned suites to a developer script or Make.com flow, passes through the same redaction.
Architecture · API-layer interception - 05
All 24 EU languages, EU-native entities
Most PII tools are English-first and degrade on German, French, Polish or Romanian. The NordClaw PII masking engine is tuned for EU formats: Personalausweis, NIR, BSN, personnummer, Steuer-ID and the rest.
NordClaw PII masking engine · EU entity recognisers
No code changes. Your SSO. EU-hosted from minute one.
- 01
Redirect
Zero code changes — simply reroute your AI traffic through NordClaw. 100% OpenAI-API compatible. Typical added latency under 50 ms.
- 02
Authenticate
Plug NordClaw into your existing SSO — Microsoft Entra ID or Google Workspace. Every prompt is now tied to a real person, department and role.
- 03
Govern
PII is redacted in Frankfurt before prompts leave the EU. Every interaction lands in an immutable Postgres log. The CISO opens the dashboard.
Ten pilot slots. Then we close the cohort.
Pilots go live before the 2 August 2026 deadline. Founding customers get direct input on v1.1 and v1.2 — and pricing locked at the pilot rate for 24 months.
- Founder pricing, locked for 24 months
- Direct line to the product team
- Input on the v1.1 risk-tier classifier
- Onboarding before the 2 Aug 2026 deadline
Pricing finalised with pilot customers. No public price list yet — by design.
v1 is deliberately small. The deadline is not.
- v1 · Q4 2026Automated AI registerDiscovery, classification, per-user Art. 12 evidence.
- v1.1 · Q1 2027Risk-tier classifierEvery system mapped to the AI Act's four risk tiers.
- v1.2 · Q2 2027GDPR cross-walkAI events joined to Art. 30 records of processing.
- laterPolicy enforcementBlock, redact, or approve at the browser and gateway layer.
Combined exposure up to €35M — or 7% of global turnover.
EU AI Act, Shadow AI & PII redaction — answered.
The questions every CISO, DPO and CPIO asks before a pilot. Short answers here — the full 77-question reference lives on a dedicated page.
See all 77 questions →Join the Q3 2026 EU AI Act pilot waiting list.
Drop your work email. We'll reach out personally as soon as we can with the EU AI Act compliance checklist.
- Checklist in your inbox — all 13 obligations mapped to articles
- Receive updates on the pilot
- Secure your route to be AI Act compliant
- Stored on EU infrastructure. No newsletter, no drip.
Not ready to join the pilot waiting list? Ask Signe a question first →
Signe will explain you the details
Signe knows the AI Act, GDPR, and NordClaw's roadmap inside out. Ask about your stack, your deadline, your risk tier — or whether a pilot makes sense.
No sign-up. The conversation stays in your browser until you refresh.
