run.veric.dev
◆ Design partner preview
Compliance Vault — sample data, real contracts.

Layout, contracts, and data shapes are real. The data shown is illustrative. Real customer data flows live with our first design partner.

Incident replay — counterfactual rendering.

T9 · audit-ledger · counterfactual

Replika — Italian DPA enforcement

Italy's GPDP issued an immediate-effect order banning Replika from processing Italian users' data, citing absent age-verification, no clear lawful basis, and reports of sexually explicit chat output to minors. Two later €5M fines (Apr 2025, May 2025) extended liability separately to deployment and to the underlying training run.

Verdict shape that would have refuted

Tier T6+T7
Flow contract
class:minor_user ∉ corpus.fine_tuning_inputs
∧ for_each(record where data_subject_jurisdiction=EU) → has_tag(lawful_basis)
∧ for_each(data_subject) ∃ erasure_pathway
Fixture that exercises this contract
/examples-ai/16-minor-pii-in-fine-tune/manifest.json

The 'assistant-fine-tune-v9' fixture demonstrates the minor-PII-exclusion contract on a fine-tune corpus — exactly the shape Replika needed and did not have.

Regulatory anchor
GDPR Art. 5(1)(c), Art. 6, Art. 17; Italy GPDP Provv. n. 9852506
Date the vault would have flagged
2022-09 — at fine-tune corpus assembly time

What broke instead

End-user-generated content flowed into both the deployed inference path and the fine-tuning corpus with no per-record minority check, no lawful-basis attestation, and no erasure pathway. The GPDP separated deployment-stage and training-stage violations — each needed its own contract; neither had one.
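The three clauses of the flow contract, checked per record over a constructed corpus. This is an added example, not Veric's code and not the schema of the manifest.json fixture; the `Record` field names, the `erasure_pathways` set, and the fail-closed handling of unclassified records are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Record:
    # Field names are assumptions for this example, not the fixture's schema.
    record_id: str
    subject_id: str
    subject_class: Optional[str]   # "adult_user", "minor_user", or None if unclassified
    jurisdiction: Optional[str]    # "EU", another region, or None if unknown
    tags: dict = field(default_factory=dict)

def check_flow_contract(fine_tuning_inputs, erasure_pathways):
    """Return (clause, id, reason) for every violation of the three clauses."""
    violations = []
    for r in fine_tuning_inputs:
        # Clause 1: class:minor_user must not appear in fine_tuning_inputs.
        # Fail closed: an unclassified record cannot show it is not a minor's.
        if r.subject_class == "minor_user":
            violations.append(("minor_exclusion", r.record_id, "minor_user record"))
        elif r.subject_class is None:
            violations.append(("minor_exclusion", r.record_id, "no age classification"))
        # Clause 2: every EU record has a lawful_basis tag. Unknown jurisdiction
        # is treated as EU so a missing field cannot skip the check.
        if r.jurisdiction in ("EU", None) and not r.tags.get("lawful_basis"):
            violations.append(("lawful_basis", r.record_id, "no lawful_basis tag"))
    # Clause 3: every data subject in the corpus has an erasure pathway.
    for subject in sorted({r.subject_id for r in fine_tuning_inputs}):
        if subject not in erasure_pathways:
            violations.append(("erasure_pathway", subject, "no erasure pathway"))
    return violations

# Constructed sample corpus (illustrative values, not real data).
CORPUS = [
    Record("r1", "s1", "adult_user", "EU", {"lawful_basis": "consent"}),
    Record("r2", "s2", "minor_user", "EU", {"lawful_basis": "consent"}),
    Record("r3", "s3", "adult_user", "EU"),
    Record("r4", "s4", None, "US"),
    Record("r5", "s1", "adult_user", "EU", {"lawful_basis": "consent"}),
]
ERASURE_PATHWAYS = {"s1", "s2", "s3"}   # s4 has no registered pathway

if __name__ == "__main__":
    for violation in check_flow_contract(CORPUS, ERASURE_PATHWAYS):
        print(violation)
```

Run at corpus assembly time, a non-empty result blocks the fine-tune; the same three checks would need a separate run on the inference path, since the page treats deployment and training as distinct contracts.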

Public outcome · Italian processing ban from Feb 2023 (months of remediation), €10M total fines, plus the doctrinal cost of being the first 'training-stage processing requires its own lawful basis' enforcement.

Cross-references