How LandingAI ADE maps to the GDPR legal framework: processor role, Article 5 principles, Article 28 contracting, and the role of ZDR and EU residency as named controls.
LandingAI ADE acts as a Data Processor under GDPR when it extracts data from documents submitted via the API on customer instruction; the customer organization is the Data Controller. Each of the six Article 5 principles maps to a specific ADE control: Zero Data Retention (ZDR) satisfies storage limitation by processing documents in memory and discarding them after extraction, the EU region on AWS Ireland (eu-west-1) satisfies Chapter V residency requirements, and SOC 2 Type II audited safeguards (TLS 1.2+, AES-256, RBAC, SSO, audit logs, multi-tenant segregation) satisfy Article 32 technical and organizational measures. This page covers the legal-framework mapping only; for the underlying control mechanics, plan availability, and full deployment options, see Sensitive Data Handling in Document Extraction and the Security and Compliance page.
LandingAI's Role: Data Processor
Under GDPR, LandingAI is a Data Processor when ADE processes documents containing personal data submitted by the customer: LandingAI acts on customer instruction and does not determine the purposes of processing. The customer organization is the Data Controller, bearing responsibility for the lawful basis of processing and for informing data subjects. GDPR compliance documentation and EU representative appointments are verifiable through the LandingAI Trust Center.
How ADE Architecture Maps to GDPR Article 5 Principles
GDPR Article 5 establishes six data protection principles that apply to all processing of personal data. Each is mapped below to the ADE control that supports compliance.
| GDPR Principle | What It Requires | How ADE Supports It |
|---|---|---|
| Lawfulness, fairness, transparency | Processing has a lawful basis; data subjects are informed | LandingAI acts as processor on customer instruction; data use is documented in the Privacy Policy |
| Purpose limitation | Data collected for specified purposes only; not reused | ZDR ensures data is used solely to complete the initiated extraction call; LandingAI does not use ZDR-processed data for model training |
| Data minimization | Only data necessary for the purpose is processed | ADE processes only the documents submitted; schema-driven extraction returns only the fields defined in the customer's extraction schema |
| Accuracy | Personal data must be accurate and kept up to date | Extraction accuracy is the Controller's operational responsibility; ADE's parsing precision minimizes misread fields |
| Storage limitation | Personal data not kept longer than necessary | ZDR enforces storage limitation at the infrastructure level: no document content persists after extraction completes |
| Integrity and confidentiality | Appropriate security against unauthorized processing and accidental loss | TLS 1.2+ in transit, AES-256 at rest, multi-tenant logical segregation, SOC 2 Type II audited. See Security and Compliance |
ZDR as the Storage Limitation Control (Article 5(1)(e))
Zero Data Retention is the ADE feature that satisfies GDPR's storage limitation principle at the infrastructure level: documents are processed in-memory and discarded immediately after extraction completes, so no residual storage persists after the processing purpose is fulfilled. ZDR also satisfies the technical component of purpose limitation by ensuring documents are not retained for any subsequent use, including model training.
ZDR alone does not discharge Controller-side obligations: the lawful basis for processing, transparency to data subjects, and downstream retention in customer systems remain the Controller's responsibility. For ZDR mechanics, scope, plan availability, and activation steps, see Sensitive Data Handling in Document Extraction.
Cross-Border Transfers (Chapter V)
ADE is available in a dedicated EU region on AWS Ireland (eu-west-1) where all document data is stored and processed within the EU, removing the cross-border transfer question for European workloads. For data that cannot leave customer-controlled infrastructure under any condition, ADE is also deployable as a containerized application inside the customer's own VPC, with no LandingAI access to documents during processing. Region setup details and VPC deployment are covered on the Security and Compliance page.
Article 28 Contracting (DPA and BAA)
GDPR Article 28 requires a Data Processing Agreement between Controller and Processor. Enterprise customers requiring a DPA should contact LandingAI through the enterprise contact page. For HIPAA workflows, a Business Associate Agreement (BAA) is required in addition and is initiated through Organization Settings once ZDR is enabled.
A global tier-1 bank used ADE to process client due diligence documents at scale under both GDPR and financial services data protection obligations; see the Fortune 100 bank case study for the controls applied in that deployment.
Article 32 Technical and Organizational Measures
LandingAI ADE's Article 32 measures (encryption in transit and at rest, multi-tenant segregation, RBAC, SSO via Okta and Azure AD, immutable audit logs supporting the Article 5(2) accountability principle) are documented in full on the Security and Compliance page. SOC 2 Type II provides independent attestation that these controls operate consistently over the audited period.
FAQ
Does LandingAI sign a Data Processing Agreement (DPA) with customers? Yes, on request. GDPR Article 28 requires a formal DPA when a Controller engages a Processor; enterprise customers should contact LandingAI through the enterprise contact page to initiate one. A BAA is a separate instrument required for HIPAA-regulated PHI processing.
Does enabling ZDR satisfy the GDPR storage limitation principle on its own? ZDR satisfies the technical component of storage limitation on the LandingAI side: no document content persists after processing completes. It does not replace the Controller's obligations to establish and document a lawful basis, inform data subjects, and govern downstream retention in the Controller's own systems and any further processors the Controller engages.
Is the EU region deployment sufficient for GDPR compliance, or is ZDR also required? They address different obligations. The EU region (AWS Ireland, eu-west-1) addresses Chapter V transfer restrictions by keeping data within EU borders. ZDR addresses the Article 5(1)(e) storage limitation principle by eliminating post-processing retention. Both can be combined: EU accounts support ZDR on custom pricing plans.
Where can I find LandingAI's compliance documentation for a vendor security assessment? The Trust Center is the primary source for compliance reports, audit attestations, and real-time system status. The Security and Compliance page provides a structured overview of certifications, technical safeguards, and data handling policies.