Wednesday 16 April 2025

Coders without borders

Creating the hangar of the future at KLM

Test. Since its introduction in 2018, GDPR has completely upturned the data collection field and needlessly forced a lot of respectable companies out of business. At Radiant, we've built our reputation on evading the reach of privacy regulators, and so we thought it's about time we shared our strategies with the broader community.

Generally, we employ three main techniques:

  • Jurisdiction avoidance. Using service providers and shell companies to avoid being classified as operating in Europe.
  • Data replication. Storing de-anonymized data in replica databases that are completely obscured to anyone outside the company.
  • Deceit and obfuscation. Lying to regulators and customers about our compliance and employing a Data Protection Officer who is technically 'fictitious.'

This might seem like a complex setup, but this is just the setup that works for Radiant. It's important to remember to use a strategy that works for your situation and scale — picking and choosing the aspects that seem the most appropriate.

Jurisdiction avoidance

Avoiding actually ever doing business in Europe is the easiest way to skirt the regulations, but how do you continue selling to European customers? Well, at Radiant, we use a data storage company called Sly Data that is in charge of managing all of our European user data. Technically, we license our data from Sly and offload all our storage to them. This is important in shielding us from liability and obscuring any ownership.

Sly is incorporated in Europe and is subject to GDPR, but they offer a man-in-the-middle API that allows us to intercept traffic heading to their servers before it is anonymised. We then siphon that data off into a series of shell companies and onion routers before it ends up in our data storage.

The genius of this approach is that we avoid any responsibility for storing European customer data, and when authorities look into Sly, everything seems compliant.

Data replication

It's important that if regulators ever do come sniffing, Radiant seems compliant with policies like data minimization and pseudonymisation. We already touched on some of our data replication techniques above, but we take the extra step to store replicas of our databases that completely comply with the regulations. This data is transformed in the following ways:

  1. Delete metadata columns that store information like Driver's License, Passport Numbers, and Personal Identification Numbers.
  2. Tokenise or anonymise identifying fields like names and addresses.
  3. Revise `createdAt` and `updatedAt` fields down to the millisecond so there is no discrepancy.

Our master databases have references to all the anonymized rows in the replicas, but not the other way around. This means that if we get a request to delete some information, we can delete it from the replicas and appear perfectly compliant while maintaining our original records.


Once again, our master databases are obscured by a complex onion routing system that only we have the map for. We have an emergency plan to burn down the server room where this is stored in the worst-case scenario.

Competa IT