How fast can I deploy an API?

Under a minute. Describe what you need, AI generates schema, deploy to production. No infrastructure setup, no DevOps, no configuration files.

Does the EU AI Act apply to my company?

If you process any data from EU citizens, yes—regardless of where your company is based. Same extraterritorial reach as GDPR.

How does Fabrx handle EU compliance automatically?

Every API includes: (1) Auto-classification (minimal/limited/high-risk), (2) PII detection, (3) Audit trails with 6+ month retention, (4) System Cards. Articles 9-19 covered. Zero extra work.

Can I use my own LLM provider?

Yes. BYOK support for 100+ providers: OpenAI, Anthropic, HuggingFace, Azure OpenAI. Switch anytime, zero code changes. Your keys, your costs.

How does this compare to building in-house?

Building in-house: 2-3 months dev time + ongoing maintenance. With Fabrx: production-ready APIs in under a minute. Built-in monitoring, compliance, and infrastructure. Predictable monthly cost vs unpredictable dev hours.

How does pricing work?

You pay for infrastructure hosting and compliance—NOT LLM costs (you bring your own keys). Plans scale by # of endpoints and data limits: Free (1 API, 500 MB), Starter ($39, 3 APIs, 1 GB), Pro ($99, 10 APIs, 3 GB), Growth ($399, 50 APIs, 16 GB), Enterprise (custom pricing).

What is intelligent document processing?

Intelligent document processing (IDP) uses AI and machine learning to automatically extract, classify, and process data from documents like invoices, receipts, contracts, and forms. Fabrx provides custom IDP APIs that guarantee consistent output schemas and include built-in compliance.

What document types can Fabrx process?

Fabrx can process any document type including invoices, receipts, contracts, purchase orders, bills of lading, insurance claims, medical records, identity documents, and custom forms. Each document type can have its own custom API endpoint with tailored extraction logic.

Compliance·12 min read

EU AI Act Compliant Document Data Extraction: What Builders Need Before August 2026 (and After)

The August 2026 EU AI Act enforcement deadline has made document extraction a compliance surface. Here is exactly what GDPR and EU AI Act Articles 10, 11, and 13 require of your extraction pipeline — and how to satisfy both frameworks at once without a compliance team.

On August 2, 2026, the EU AI Act's obligations for high-risk AI systems become fully enforceable. If your product extracts structured data from business documents — invoices, contracts, identity documents, lab reports, lease agreements — your extraction pipeline is almost certainly a compliance surface under both the EU AI Act and GDPR. The two regulations overlap in ways that are easy to misread, and most existing guidance addresses one or the other, not both at once.

This guide is written for builders: SaaS founders, product engineers, and automation architects who need their document extraction layer to be compliant from day one, not after a Series A or an enterprise customer's DPO blocks a deal.

Why Document Extraction Pipelines Are Now a Compliance Surface

Until recently, compliance teams focused on AI training data. EU AI Act commentary was dominated by discussions of Article 10's data governance requirements for training datasets. That framing missed something critical: inference-time document processing is equally within scope.

When your system receives an uploaded invoice, extracts 14 structured fields, and returns them via API, it has processed personal data. The employee name on an invoice, the VAT number linked to a sole trader, the patient reference on a lab result — these are all personal data under GDPR Article 4. The AI system that extracted them is processing that data as a data processor on behalf of your customers (the controllers). And if the system's output influences business decisions — payment approval, contract execution, insurance underwriting — the EU AI Act's high-risk classification may apply.

The August 2, 2026 deadline is not a future concern. It is now. Products shipping document extraction features today need compliant infrastructure in place, not retrofitted later. The enforcement window for national supervisory authorities opened on that date, and DPOs at enterprise customers are already asking whether your extraction vendor is audit-ready.

EU AI Act / GDPR: Document extraction systems processing personal data as part of business-decision workflows may qualify as high-risk AI under EU AI Act Annex III. All such systems must maintain technical documentation (Article 11), logs (Article 12), and transparency obligations (Article 13). GDPR Article 28 requires a Data Processing Agreement with any vendor that touches personal data on your behalf.

What EU AI Act Article 10 Actually Requires of Document Extraction

Article 10 is the provision most commonly cited in relation to EU AI Act compliance, but it is frequently misunderstood. The article governs data governance for training data — it requires that datasets used to train high-risk AI systems be relevant, representative, and free from bias. For a pre-built document extraction API, Article 10 obligations fall on the AI provider, not on you as the integrating builder.

What Article 10 does not cover — and what builders often miss — is the handling of personal data at inference time. That gap is filled by the intersection of GDPR Article 25 (data protection by design and by default) and EU AI Act Article 12 (record-keeping requirements for high-risk systems). Together they create an obligation to build extraction pipelines that:

Detect and handle PII before or during extraction, not as an afterthought
Maintain tamper-evident logs of what was extracted, from which source, and with what confidence
Document the schema and version of the AI configuration used for each extraction run
Ensure that data subjects can exercise rights of access (Article 15) and erasure (Article 17) against extracted records

The "technically feasible" standard in Article 10(3) — which allows providers to use personal data in training only where necessary and technically unavoidable — is a training-time carve-out. At inference time, the standard is stricter: personal data handling must be by design, not by exception.

EU AI Act / GDPR: Article 11 requires technical documentation covering the design, logic, and intended purpose of the AI system. Article 12 requires logs sufficient for post-hoc auditability. Both apply at the system level — meaning your extraction vendor's architecture and your integration of it are jointly assessed.

The GDPR + EU AI Act Double Compliance Problem (and the Efficiency Angle)

The common mistake is treating GDPR compliance and EU AI Act compliance as two separate workstreams. They share infrastructure. A well-designed extraction layer can satisfy both frameworks simultaneously, but only if the compliance features are built into the extraction API itself — not added as separate pre- and post-processing steps.

Consider the typical bolt-on approach: raw documents flow into an extraction API, the response is then passed through a separate PII scrubber, the scrubbed output is logged to a separate audit store, and GDPR deletion requests are handled by a separate data management system. Each handoff is a compliance gap. PII can appear in extraction responses before the scrubber runs. The audit log may not capture the pre-scrub state. Deletion requests may not propagate to all systems.

The efficient alternative — and the one that actually holds up under DPO scrutiny — is an extraction API that handles PII detection, audit logging, and field-level lineage as first-class features of the extraction response itself. One API call, one compliant output, one audit record.

Fabrx advantage: Fabrx's extraction API returns PII detection results, confidence scores, and field-level lineage in the same response as the extracted data. There is no separate scrubbing step, no secondary audit system to configure, and no gap between what was extracted and what was logged. Compliance is in the response shape, not bolted on around it.

This architecture also simplifies your Article 30 Records of Processing Activities (RoPA). Instead of mapping data flows across multiple vendor systems, you have one sub-processor relationship and one data flow to document.

What a Real Audit Trail for Document Extraction Looks Like

"We log everything" is not an audit trail. Compliance teams — and national supervisory authorities — will ask specific questions that a generic server log cannot answer:

Which document was processed, when, and by which version of the schema?
Which fields were extracted, with what confidence score, from which region of the document?
Was PII detected in the extracted fields, and how was it handled?
Has the log been modified since creation?
Can the audit record be exported for a regulatory inspection or a data subject access request?

A true audit trail for document extraction has four properties: field-level traceability (each extracted value is traceable to its source location in the document), confidence attribution (the model's confidence score per field is recorded alongside the value), schema versioning (the exact schema used for the extraction is versioned and logged), and immutability (the record cannot be altered after creation).

Schema versioning deserves particular attention. EU AI Act Article 11 requires technical documentation to cover changes to the AI system over time. If you update your extraction schema — adding a field, changing a field type, adjusting a prompt — that change must be documented. A versioned schema history is the Article 11 technical documentation for your extraction configuration.

Fabrx advantage: Fabrx maintains versioned schemas with full history. Every extraction run is linked to the exact schema version used. Audit logs are immutable, exportable, and include per-field confidence scores and source attribution. This satisfies EU AI Act Article 12 record-keeping requirements and supports GDPR Article 15 access requests without additional tooling.

PII Detection at the Extraction Layer: Why It Belongs in the API, Not a Separate Tool

The architecture question that most compliance guides avoid: where should PII detection happen?

The common pattern is a pre-processing step — run a PII scrubber over the document before sending it to the extraction API. This creates two problems. First, PII scrubbers applied to raw documents frequently damage the structured content needed for extraction. Redacting an invoice's "Bill To" section to remove a personal name may also remove the company name and address needed for accurate extraction. Second, pre-processing does not protect against PII that appears in unexpected places — a handwritten note in a margin, a personal reference number embedded in a field, a name embedded in a file reference string.

Post-processing PII detection — running a scrubber over the extraction output — is more reliable but introduces a gap: the raw extraction response containing PII was transmitted before scrubbing. If that response is logged, cached, or passed to a downstream system in a split second before scrubbing completes, the PII has escaped the controlled environment.

The correct architecture is detection at the extraction layer: the API detects PII as part of the extraction process and flags or masks it in the response before it leaves the system. The categories to cover include names, email addresses, phone numbers, national identification numbers, financial account identifiers, health-related identifiers, and IP addresses — the standard categories under GDPR Recital 75 and EU AI Act Annex III.

Fabrx advantage: PII detection is a built-in feature of the Fabrx extraction response, not a separate integration. Detected PII categories are returned alongside extracted fields, allowing your application to apply masking, routing, or retention rules at the point of first receipt. No separate PII scrubber to maintain, no gap between extraction and detection.

This is directly relevant to use cases like invoice data extraction (where employee names and personal account numbers appear), medical document processing (where patient identifiers are everywhere), and contract clause extraction (where signatory personal details are embedded in clause text).

BYOK: Why Data Sovereignty Starts with the AI Key, Not the Data Center

Most discussions of GDPR compliance for cloud AI tools focus on data residency: is the data processed within the EU? This is necessary but not sufficient. The deeper problem is the CLOUD Act.

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act) allows US authorities to compel US-headquartered companies to produce data held on foreign servers, including EU-hosted servers. The European Court of Justice's Schrems II ruling invalidated the EU-US Privacy Shield precisely because of this structural issue — US law creates access obligations that EU data protection law cannot block.

For a document extraction API, the relevant question is not just where the data is hosted, but who holds the AI provider API key used to process the document. In a standard architecture, the extraction vendor holds the AI provider credentials. The vendor's infrastructure processes the document using those credentials. The vendor — a US company, typically — has operational access to the document content, even if briefly and even if they operate a zero-retention policy. A zero-retention policy in a DPA does not change the structural access obligation under the CLOUD Act.

Bring Your Own Key (BYOK) changes this structure fundamentally. With BYOK, you provide your own AI provider API key. The extraction vendor's infrastructure orchestrates the extraction workflow, but the document content is processed using your key, against your AI provider account. The extraction vendor — Fabrx in this case — is architecturally excluded from the data access. They process the orchestration layer, not the document content.

EU AI Act / GDPR: GDPR Article 46 requires appropriate safeguards for transfers of personal data to third countries. BYOK, by removing the vendor's structural access to document content, reduces the transfer surface significantly. The document content flows between your infrastructure and your AI provider's infrastructure, under your key — not through a third-party vendor's access-capable systems.

Fabrx advantage: Fabrx supports BYOK on all plans. When BYOK is enabled, Fabrx never has access to the document content. The extraction orchestration — schema application, field mapping, audit logging — happens in Fabrx infrastructure, but the document is processed against your AI provider account. This is a structurally stronger GDPR and CLOUD Act mitigation than "EU-hosted zero-retention" because it removes even the theoretical access window.

For builders processing documents from EU data subjects — particularly in scanned document workflows or no-code document API pipelines — BYOK is the mechanism that makes your DPO's Transfer Impact Assessment (TIA) tractable.

Compliance on the Free Tier: Why This Matters for Builders

Enterprise compliance gating — where audit trails, BYOK, and PII detection are available only on paid plans above a certain tier — creates a structural problem for early-stage builders. A product that processes EU resident data is subject to GDPR from the first user, not from the first enterprise contract. The compliance obligation does not scale with revenue.

The practical consequence of compliance gating is that builders either ship non-compliant products while they grow (accruing regulatory risk), or they pay for enterprise plans they cannot afford in order to access the compliance features they need. Neither is a good outcome.

Fabrx includes audit trails, PII detection, BYOK, field-level lineage, and schema versioning on the free plan. This is not a minor pricing detail — it is an architectural commitment that compliance is a default property of the extraction API, not a premium add-on.

Fabrx advantage: Every plan, including the free tier, includes the full compliance feature set: audit trails, PII detection, BYOK, field-level data lineage, and schema versioning. Builders can ship compliant document extraction features before they have revenue, without waiting for an enterprise budget or a compliance team.

EU AI Act compliant document extraction — free plan, no enterprise budget needed.

Audit trails, PII detection, BYOK, and field-level lineage included on every plan.

Get started free →

The Compliance Checklist: What to Verify Before You Ship a Document Extraction Feature

This checklist is designed to be DPO-ready — the items map to specific regulatory obligations so you can reference the source when a compliance team asks. Run through it before you ship any feature that processes documents from EU data subjects.

Data Processing Agreement (Article 28 GDPR): Do you have a signed DPA with your document extraction vendor? Does it identify them as a sub-processor, specify processing purposes and retention limits, and include the standard contractual clauses (SCCs) for international transfers where applicable?
PII detection (Article 25 GDPR — data protection by design): Does your extraction pipeline detect and handle PII at the point of extraction, not in a separate downstream step?
Audit trail (Article 12 EU AI Act; Article 5(1)(f) GDPR — accountability): Can you produce a field-level extraction log for any document processed? Does the log include the document identifier, extraction timestamp, schema version, per-field confidence scores, and PII detection results?
Schema versioning (Article 11 EU AI Act — technical documentation): Is every extraction schema version recorded? Can you identify which schema version was used for any historical extraction run?
BYOK / data sovereignty (Article 46 GDPR; CLOUD Act mitigation): If you process documents containing EU personal data, does your extraction vendor support BYOK? Is it enabled?
Data residency: Where does your extraction vendor process and temporarily store document data? Is this within the EU or covered by an adequacy decision or SCCs?
Records of Processing Activities (Article 30 GDPR): Have you added your document extraction vendor to your RoPA as a sub-processor, with the processing purposes, data categories, and retention periods documented?
Right of access (Article 15 GDPR): If a data subject requests access to data extracted from their documents, can you produce the extracted fields and their source attribution? Is this exportable from your extraction vendor's audit log?
Right to erasure (Article 17 GDPR): If a data subject requests erasure, can you delete extracted field data and confirm deletion? Does your extraction vendor support deletion of associated audit records where legally permissible?
DPIA requirement check (Article 35 GDPR): Does your use case involve large-scale processing of sensitive categories of data (health, financial, identity)? If so, a Data Protection Impact Assessment is required before processing begins.
High-risk AI classification check (EU AI Act Annex III): Does your extraction use case fall into a high-risk category — biometrics, employment, credit scoring, critical infrastructure, essential services? If so, additional conformity assessment requirements apply.
Retention limits: Are document uploads and extraction results deleted after the minimum necessary retention period? Is this enforced automatically, not manually?

How Fabrx Handles Each Compliance Requirement by Default

The following maps Fabrx features to specific regulatory articles. This section is intended to support the technical component of a DPA negotiation or a vendor compliance questionnaire.

EU AI Act Article 10 (data governance): Fabrx uses AI foundation models from major providers under their own Article 10 compliance programs. When BYOK is enabled, Fabrx does not process document content through its own model infrastructure — you control the AI provider relationship and its associated Article 10 obligations.

EU AI Act Article 11 (technical documentation): Schema versioning in Fabrx creates a dated, immutable record of every schema configuration used for extraction. Each schema version is retained and linked to extraction runs, providing the configuration history that Article 11 requires.

EU AI Act Article 12 (record-keeping): Every extraction run generates an audit log entry containing the document identifier, timestamp, schema version, extracted fields, per-field confidence scores, and PII detection results. Logs are immutable and exportable via API.

EU AI Act Article 13 (transparency): Fabrx API responses include confidence scores and field-level source attribution, enabling downstream transparency to end users about the basis for extracted data.

GDPR Article 25 (data protection by design): PII detection is integrated into the extraction response. The API does not return extracted data without simultaneously returning PII detection results. There is no architecture in which extraction completes and PII detection has not run.

GDPR Article 28 (sub-processor obligations): Fabrx provides a standard DPA. The DPA identifies processing purposes, data categories, retention limits, and includes SCCs for EU-US transfers. Available on request or via the compliance documentation in the Fabrx dashboard.

GDPR Articles 15 and 17 (access and erasure): Field-level lineage in audit logs supports data subject access requests — you can export exactly what was extracted from which document. Deletion workflows propagate through extraction records.

GDPR Article 46 / CLOUD Act mitigation (BYOK): When BYOK is enabled, Fabrx's infrastructure never receives the document content in a form that Fabrx employees or infrastructure can access. The document is processed against the customer's AI provider account. Fabrx receives the structured extraction output only.

This compliance architecture applies across all Fabrx use cases — from invoice data extraction to medical document processing, legal contract extraction, and scanned document OCR pipelines. The compliance layer is not use-case specific — it is built into the API.

Frequently Asked Questions

Is Fabrx a data processor or data controller under GDPR?

Fabrx is a data processor when it processes documents containing personal data on your behalf. You (the Fabrx customer) are the data controller or, if you are building a product for end customers, a data processor yourself. The chain is: your end customer (controller) → you (processor) → Fabrx (sub-processor). GDPR Article 28 requires a DPA at each link in this chain.

Does BYOK fully satisfy the CLOUD Act risk?

BYOK significantly reduces the CLOUD Act risk by removing Fabrx's structural access to document content. However, "fully satisfy" depends on your AI provider's jurisdiction. If you use a US-based AI provider (OpenAI, Anthropic, Google) with BYOK, the document content is processed on that provider's infrastructure, which is subject to CLOUD Act jurisdiction. For maximum data sovereignty, combine BYOK with an EU-based AI provider. The key point is that with BYOK, Fabrx itself — as the extraction orchestration layer — is removed from the access surface.

What happens to documents after extraction?

Document uploads are retained for the minimum period necessary for extraction and audit purposes, then deleted per the retention schedule in the Fabrx DPA. Exact retention limits are configurable. Audit logs — which contain extracted field data, not the original document — are retained for the period specified in your plan and are deletable on request subject to applicable legal holds.

How do I get the DPA?

The Fabrx DPA is available in the compliance section of the dashboard or on request via the contact form. Enterprise customers can request a custom DPA review. The standard DPA includes Article 28 sub-processor terms, SCCs for EU-US transfers, and processing purpose limitations.

Is the audit log exportable for a regulatory inspection?

Yes. Audit logs are exportable via API in JSON format, queryable by document identifier, date range, schema version, and extraction result. The export format is designed to be human-readable for a regulatory inspection and machine-readable for ingestion into your own compliance tooling.

Does the EU AI Act apply to my use case?

The EU AI Act's high-risk classification under Annex III covers AI systems used in: employment and worker management; access to education; access to essential private services including credit and insurance; law enforcement; migration and border control; administration of justice. Document extraction that feeds decisions in any of these areas is likely in scope. For document extraction used purely for internal data entry automation (digitising invoices for accounting), the risk classification is lower, but GDPR obligations remain. When in doubt, consult your DPO and conduct a DPIA.

I'm using n8n or Make to build a document extraction workflow. Does this all apply to me?

Yes. The GDPR and EU AI Act obligations attach to the processing activity, not to the implementation method. An n8n workflow that routes documents through a non-compliant extraction API is a non-compliant pipeline regardless of the orchestration layer. The good news: Fabrx has a native no-code document API builder that makes it straightforward to build compliant extraction workflows without writing infrastructure code. The compliance features — audit trail, PII detection, BYOK — work identically whether you are calling the API directly or integrating through a no-code automation platform.

Developer10 min read

How to Build a Document Extraction API Without Writing a Single Line of Code (In Under 60 Seconds)

Turn any document — invoice, contract, receipt, medical record — into structured JSON through a live API endpoint, using plain English to define your schema. No developer required. EU AI Act compliant on the free plan.

Read article →

Finance11 min read

Invoice Data Extraction API: From PDF to Structured JSON in Under 60 Seconds — No Templates, No Training

Stop keying invoices by hand. Fabrx turns any PDF, scan, or image invoice into structured JSON via a live REST API — no template training, no model fine-tuning, EU AI Act compliant on the free plan.