GDPR Data Flow for AI Code Review

Design your review path so code processing stays inside your declared boundary.

Step 1: classify code sensitivity

Tag repositories by data sensitivity before any automation. Keep highly sensitive code in stricter review paths (local model or restricted VPC).

Step 2: map processing locations

  • Developer machine (VibeRails app + local repo)
  • CLI backend used for inference routing
  • Model endpoint (cloud API or local/private endpoint)
  • Artifact storage for review exports

Keep this map in your privacy documentation and update it whenever backend routing changes.

Step 3: choose deployment mode by risk

  • Standard: approved provider APIs for lower-risk repos.
  • Restricted: private VPC endpoint with controlled egress.
  • Local: local model runtime on managed hardware.

Step 4: operational controls

  • Per-repo policy on allowed model endpoints.
  • Human approval before fix execution.
  • Retention policy for exports and logs.
  • Quarterly review of data-flow map.
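
One way to enforce Steps 1 to 4 as a default-deny gate in front of inference routing. This is an added example, not VibeRails code or configuration: the policy schema, repo names, hostnames and the rule that "local" means a loopback endpoint are all assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy: repo -> sensitivity tag, deployment mode, allowed hosts.
# Schema, repo names and hosts are hypothetical, not a VibeRails format.
POLICY = {
    "marketing-site": {"sensitivity": "low", "mode": "standard",
                       "hosts": {"api.provider.example"}},
    "billing-core": {"sensitivity": "high", "mode": "restricted",
                     "hosts": {"inference.vpc.internal.example"}},
    "kms-agent": {"sensitivity": "high", "mode": "local",
                  "hosts": {"localhost", "127.0.0.1"}},
}

# Deployment modes each sensitivity tag may use (Step 1 combined with Step 3).
ALLOWED_MODES = {"low": {"standard", "restricted", "local"},
                 "high": {"restricted", "local"}}


def is_loopback(host):
    """True for 'localhost' or a loopback IP literal."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def check_route(repo, endpoint_url):
    """Return (allowed, reason) for sending this repo's code to endpoint_url."""
    entry = POLICY.get(repo)
    if entry is None:
        return False, "repo not classified"  # default deny: classify first
    if entry["mode"] not in ALLOWED_MODES[entry["sensitivity"]]:
        return False, "mode too permissive for sensitivity"
    url = urlsplit(endpoint_url)
    host = (url.hostname or "").lower()
    if entry["mode"] == "local":
        if not is_loopback(host):
            return False, "local mode requires loopback endpoint"
    elif url.scheme != "https":
        return False, "remote endpoint must use https"
    # Exact host match: suffix tricks and userinfo ("allowed@other") both fail.
    if host not in entry["hosts"]:
        return False, "host not in repo allow-list"
    return True, "ok"
```

Log each denied route with its reason so the quarterly data-flow review can compare attempted routes against the documented map.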

Set your data boundary first.

Then pick the model route that matches your policy.
