The latest articles on DEV Community by Ijaz (@ijaz18). https://dev.to/ijaz18 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3806095%2F11ecd980-cd46-4719-b2b6-812e2b7c1dbe.png https://dev.to/ijaz18 en Ijaz Fri, 24 Apr 2026 09:23:42 +0000 https://dev.to/ijaz18/your-rag-pipeline-is-leaking-customer-data-into-vector-embeddings-37m8 https://dev.to/ijaz18/your-rag-pipeline-is-leaking-customer-data-into-vector-embeddings-37m8 <p>"If you embed a chunk that says ""Sarah Mitchell called about her order to 14 Beechwood Avenue, Manchester,"" the embedding captures the semantics of that entire passage. The vector database now contains a representation derived from a customer's personal data. And more importantly, the text chunks stored as metadata contain the original PII in plain text.</p> <p>Three specific risks:</p> <ol> <li><p>Cross-user data leakage: Agent A queries the system, retriever pulls chunks from Agent B's tickets containing Agent B's customers' details.</p></li> <li><p>Right to erasure: Customer exercises GDPR Article 17. Their data is fragmented across thousands of embeddings. Identifying and removing specific embeddings that encode their PII is extremely difficult.</p></li> <li><p>Vendor exposure: If your vector DB is hosted (Pinecone, Weaviate Cloud), PII is in another third party's infrastructure.</p></li> </ol> <p>The fix: sanitise before embedding. Strip PII from chunks before generating embeddings. The semantic meaning is preserved. Retrieval still works on ""customer called about delivery issue."" The personal identifiers are gone.</p> <p>curl -X POST <a href="https://api.comply-tech.co.uk/api/v1/anonymise" rel="noopener noreferrer">https://api.comply-tech.co.uk/api/v1/anonymise</a> \<br> -H ""X-Api-Key: demo-key-complytech"" \<br> -H ""Content-Type: application/json"" \<br> -d '{""content"":""Customer Sarah Mitchell (<a href="mailto:sarah@gmail.com">sarah@gmail.com</a>) called about delayed delivery to 14 Beechwood Ave, Manchester"",""contentType"":""text"",""strategy"":""Redact"",""frameworks"":[""GDPR""]}'</p> <p>We tested this. Retrieval quality is unaffected because semantic search matches on the problem described, not the customer's name."</p> rag ai api data Ijaz Sun, 05 Apr 2026 15:02:12 +0000 https://dev.to/ijaz18/how-to-build-an-internal-ai-tool-without-your-compliance-team-blocking-it-cah https://dev.to/ijaz18/how-to-build-an-internal-ai-tool-without-your-compliance-team-blocking-it-cah <p>Three AI feature projects at three companies, all blocked by compliance. Here's the architectural pattern that gets AI tools approved, plus a practical checklist for making it happen.</p> <p>Read the full article here: <a href="https://comply-tech.co.uk/blog/internal-ai-tool-compliance" rel="noopener noreferrer">https://comply-tech.co.uk/blog/internal-ai-tool-compliance</a></p> Ijaz Wed, 01 Apr 2026 15:32:36 +0000 https://dev.to/ijaz18/the-eu-ai-act-starts-enforcement-in-august-2026-heres-what-that-means-for-your-llm-pipeline-2911 https://dev.to/ijaz18/the-eu-ai-act-starts-enforcement-in-august-2026-heres-what-that-means-for-your-llm-pipeline-2911 <p>The EU AI Act enforcement starts in August 2026. Here's what the provisions actually mean for engineering teams building with LLM APIs, and what you can do about it with a simple pipeline change.</p> <p><a href="https://comply-tech.co.uk/blog/eu-ai-act-2026-llm-pipeline" rel="noopener noreferrer">Blog article</a></p> ai api Ijaz Wed, 04 Mar 2026 15:37:07 +0000 https://dev.to/ijaz18/one-api-call-to-make-any-data-gdprhipaaccpa-compliant-from-zero-to-compliant-in-10-minutes-not-f0h https://dev.to/ijaz18/one-api-call-to-make-any-data-gdprhipaaccpa-compliant-from-zero-to-compliant-in-10-minutes-not-f0h <p>Over the past few years, I kept seeing the same pattern inside growing tech teams. A GDPR deletion request comes in or an enterprise customer asks for proof of erasure or legal wants confirmation that data is gone everywhere and suddenly it’s not simple anymore. </p> <p>Someone writes a script. <br> Another team checks a different service. <br> Analytics gets queried manually. <br> Logs and backups become “we’ll deal with that later.” <br> Technically compliant? Probably. Operationally clean? Not really.</p> <p>That friction is what inspired me to start building ComplyTech. Most compliance tools focus on dashboards and policy tracking. But the hardest part isn’t policy — it’s execution. In modern systems, PII lives across microservices, warehouses, third-party tools, logs; deleting a user isn’t a database command anymore. It’s orchestration. So instead of building another compliance dashboard, I’m building an API layer that lets engineering teams programmatically coordinate PII deletion and generate audit proof without stitching together custom scripts every time. </p> <p>The biggest shift for me during this process was realising this isn’t a UI problem. It’s infrastructure. Still early days, but the conversations with CTOs and platform engineers have been eye-opening. The real pain isn’t regulation — it’s complexity and fragmentation. If you’re running distributed systems and have thoughts on how your team handles deletion or audit proof today, I’d genuinely love to hear about it.</p> <p>Or take a look at my site and check out the demo, if this interests you, you know what to do! - <a href="https://comply-tech.co.uk" rel="noopener noreferrer">https://comply-tech.co.uk</a></p> puppet data productivity api