LGPD · Sovereignty · Law 13.709/18

The hidden risk of generative AI lies in your data's jurisdiction

Public AI revolutionized business — but its business model is powered by your data. When your team uses ChatGPT, Claude, or Gemini, that information crosses borders and can benefit competitors.

LGPD demands control, transparency, and security. Public AIs offer black boxes in foreign jurisdictions. This gap is the biggest legal and corporate risk of the decade.

Art. 7 · Purpose
Art. 33 · Transfer
Art. 20 · Explanation
Art. 46 · Security
The clash · LGPD vs public LLMs

The 4 principles your public AI breaks every day

LGPD is founded on principles inherently broken by uncontrolled use of third-party LLMs. It's not opinion — it's in the law.

01 Art. 7 LGPD

Purpose & adequacy

LGPD mandates that data can only be processed for specific, stated purposes. When an employee pastes customer data into a public LLM to "summarize a meeting", they're authorizing a third party to process it for the provider's own purpose (improving the model).

Verdict: violates the adequacy principle · deviation from purpose.
02 Art. 33 LGPD

International transfer

Most major AI vendors' servers are in the US. Sending personal data to these APIs without robust contractual guarantees or explicit consent constitutes an irregular international transfer, liable to ANPD sanctions.

Verdict: ANPD sanction · nonexistent legal basis for operation.
03 Art. 6 & 20

Transparency & right to explanation

If an AI agent makes an automated decision about a customer — denying a discount, flagging as "churn risk" — LGPD guarantees the right to review. In black-box LLMs, it's impossible to trace reasoning.

Verdict: without observability, LGPD is violated — no auditable trail.
04 Art. 46 LGPD

Security & harm prevention

Shadow AI — employees using unauthorized AI at work — is the ultimate security breach. Your company loses possession and governance over where data sits and who has access.

Verdict: absence of governance · full accountability of controller.
Data sovereignty · Why location matters

Without infrastructure sovereignty, there's no business sovereignty

Sovereignty goes beyond LGPD. It's ensuring your data is subject exclusively to Brazilian law — not the law of the country where the server's hosted.

Foreign jurisdiction
United States
CLOUD Act · 2018

The reach your company doesn't control

The Clarifying Lawful Overseas Use of Data Act allows US intelligence agencies to demand access to data stored on US servers — even if your company is Brazilian and the data belongs to Brazilian citizens.

Implication
You can't build your company's house on land where the neighbor can change the lock anytime.
Sovereign jurisdiction
Brazil · sa-east-1
Law 13.709/18 · LGPD

Physical & legal sovereignty

MyDatAgent's inference infrastructure (vLLM, GPUs, databases) runs in Brazilian datacenters. Data doesn't cross borders. Jurisdiction is exclusively Brazilian — shielding your company from the CLOUD Act and meeting Art. 33 of LGPD.

Outcome
Brazilian law applied · auditable by ANPD · zero exposure to foreign court orders.

Without infrastructure sovereignty, there's no business sovereignty. What goes into your VPC stays in your VPC.

How MyDatAgent ensures compliance

LGPD is lines of code, not PDF

Our AI Ecosystem was architected from day one to be secure, auditable, and sovereign. We meet LGPD not through documents — but through network, proxy, model, and governance.

Pillar 01

Zero retention · zero training

Your data never trains foundation models. What is processed in the VPC stays in the VPC, guaranteed contractually by a DPA and technically by LiteLLM routing.

DPA · LiteLLM proxy · Auditable logs
Pillar 02

Datacenters in Brazil

All inference (vLLM, GPUs, databases) runs in BR datacenters. Data doesn't cross borders: Brazilian jurisdiction shields against the CLOUD Act and meets Art. 33 of LGPD.

sa-east-1 · Dedicated VPC · Tenant isolation
Pillar 03

PII masked in real-time

Before the prompt reaches the model, our proxy applies Microsoft Presidio + DLP. CPFs, CNPJs, names, and emails are masked automatically, so the agent works without exposing the data subject.

Presidio · 30+ entities · Pre-GPU
Pillar 04

Observability & explainability

Every request, MCP tool, and agent response is logged immutably. When ANPD or customers request explanations, you have the complete audit trail.

Immutable logs · SIEM export · Hash chain
Pillar 05

SSO + RBAC + per-user key

AI access is treated like database access: Single Sign-On + granular RBAC + a unique per-user key with quotas, eliminating corporate Shadow AI once and for all.

Okta · Azure AD · SAML 2.0 · $ Quotas
Pillar 06

Right to be forgotten & retention

A defined retention period per data type plus an on-demand deletion endpoint. Ready to fulfill data subject requests within 15 business days.

Retention policy · API delete · SLA 15d
Architecture · Data never leaks

From employee to model, with shields at every hop

Simplified diagram of a request flow. Each step applies a control — by the time the prompt reaches the model, it's already masked, authenticated, and logged.

01 · Entry

Employee · Agent · App

The request arrives authenticated via SSO, with a traceable individual key. User quotas and rate limits are applied before any other processing.

SSO · SAML · API Key · RBAC
02 · LiteLLM Proxy

PII masking + policy

The proxy intercepts the request. Presidio removes CPF, CNPJ, and email; guardrails check topic restrictions. If the prompt passes, it goes to the model. If not, a policy response is returned instead of an LLM answer.

Presidio · Lakera · Aporia · Logs
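As an added illustration of the masking step described in Pillar 03 and in step 02 above (not MyDatAgent's proxy code): a stand-alone stand-in for the Presidio stage that replaces CPF, CNPJ, and email with typed placeholders before a prompt leaves the proxy. CPF and CNPJ are confirmed with their mod-11 check digits so that a number that merely looks like an identifier is not masked; name detection needs an NER model and is not covered here. Regex patterns, placeholder format, and the sample prompt are constructed for this example.

```python
import re

# Shapes of Brazilian identifiers and e-mail addresses (patterns constructed for this example).
CPF_RE = re.compile(r"\b\d{3}\.?\d{3}\.?\d{3}-?\d{2}\b")
CNPJ_RE = re.compile(r"\b\d{2}\.?\d{3}\.?\d{3}/?\d{4}-?\d{2}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def _check_digit(digits, weights):
    """Mod-11 check digit shared by CPF and CNPJ."""
    r = sum(int(d) * w for d, w in zip(digits, weights)) % 11
    return 0 if r < 2 else 11 - r

def cpf_valid(cpf):
    d = re.sub(r"\D", "", cpf)
    if len(d) != 11 or d == d[0] * 11:  # 111.111.111-11 passes the sum but is never issued
        return False
    return (int(d[9]) == _check_digit(d[:9], range(10, 1, -1))
            and int(d[10]) == _check_digit(d[:10], range(11, 1, -1)))

def cnpj_valid(cnpj):
    d = re.sub(r"\D", "", cnpj)
    if len(d) != 14 or d == d[0] * 14:
        return False
    w = [5, 4, 3, 2, 9, 8, 7, 6, 5, 4, 3, 2]
    return (int(d[12]) == _check_digit(d[:12], w)
            and int(d[13]) == _check_digit(d[:13], [6] + w))

def mask_prompt(text):
    """Return (masked_text, mapping). The mapping goes to the trusted audit store, never to the LLM."""
    mapping = {}
    def replacer(kind, validator):
        def repl(m):
            raw = m.group(0)
            if validator and not validator(raw):
                return raw  # right shape, wrong checksum: not a real identifier, leave it
            key = f"<{kind}_{len(mapping) + 1}>"
            mapping[key] = raw
            return key
        return repl
    text = CNPJ_RE.sub(replacer("CNPJ", cnpj_valid), text)  # longest pattern first
    text = CPF_RE.sub(replacer("CPF", cpf_valid), text)
    text = EMAIL_RE.sub(replacer("EMAIL", None), text)
    return text, mapping

def demo():
    # Constructed prompt with fictional values, as an employee might paste it into a chat.
    prompt = ("Summarize the meeting with Ana Souza, CPF 529.982.247-25, from Empresa XYZ "
              "(CNPJ 11.222.333/0001-81), contact ana@example.com. Ticket 123.456.789-00 is not a CPF.")
    return mask_prompt(prompt)
```

The ticket number keeps the CPF shape but fails the checksum, so it is left in place while the real CPF, CNPJ, and email are replaced.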
03 · VPC sa-east-1

MDA LLM 2.1 · vLLM · GPU

MDA LLM 2.1 (32B MoE · 3.3B active · 256k context) processes the already cleaned and authorized prompt on GPU inside your dedicated VPC in a Brazilian datacenter. The response passes through the same filters before returning to the user.

VPC BR · FP8 · vLLM · Encryption-at-rest

When the model sees the prompt, it's already masked, authenticated, quotas applied, and logged. Raw data never reaches the model. The model never leaves Brazil.

MDA Dossier · free download

Don't risk your revenue over a prompt

Compliance requires more than tech — it requires clear process. We've created an in-depth dossier with the legal and technical framework to ensure your AI operation is 100% compliant with the law.

"Compliance is the best competitive advantage" — your company can show customers, auditors, and the board that AI is managed with bank-grade rigor.

For DPOs, Legal Directors, CIOs, and CISOs who need to unblock AI projects without exposing the company.

Do your Legal and IT teams speak different languages about AI?

Aligning LGPD with AI requires interdisciplinary expertise. MDA Consulting acts as a bridge between Law and Data Engineering — we design the VPC, implement Guardrails (PII, observability), and deliver documentation for your DPO to sign.

Align my AI with LGPD
The company that teaches compliance, audits itself
SOC 2 Type I · AICPA · Certified
SOC 2 Type II · AICPA · Certified
ISO/IEC 27001 · ISMS · Certified
LGPD ready · VPC sa-east-1