Multi-user architecture with UUID-only graph data
GDPR-Compliant Architecture
This demo shows an example of how a privacy-preserving pattern could be implemented for GraphRAG systems handling personal data in a GDPR-compliant way.
Supabase (EU): Personally Identifiable Information (PII) storage layer
- User names and emails
- Company names
- Subscription data
- EU-hosted PostgreSQL

Neo4j graph: UUID-only knowledge graph
- User UUIDs only
- Relationships
- Contract metadata
- No PII stored

Backend layer: resolution and authorization
- UUID → name mapping
- Access control
- Query orchestration
- GDPR compliance
Query Flow
1. User query: the user submits a natural language query.
2. Neo4j (UUID-only): the graph database processes the query using only UUIDs; no PII is involved.
3. OpenAI (no PII): the LLM processes only the anonymized, UUID-keyed data, so no PII reaches the external API.
4. Resolve (Supabase): UUIDs are resolved to user-friendly names via the EU-hosted database.
5. User sees results: the final results are displayed with resolved names and context.
Why This Pattern?
- GDPR compliant: PII is never sent to external LLM APIs, and data residency is in the EU.
- Right to deletion: when a user deletes their account, Supabase removes the PII and the graph stays anonymous.
- Audit trail: graph relationships remain for analytics without exposing identities.
- Scalable: the UUID-based architecture enables efficient multi-tenant systems.
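The query flow and the right-to-deletion behaviour above, as an added example that is not part of the demo's own code. The PII store, the graph and the LLM are in-memory stand-ins constructed for this example (the class names `PIIStore`, `Graph`, `Backend`, the `assert_no_pii` check and the sample users are all assumptions, not Supabase, Neo4j or OpenAI clients). It shows the three steps in order, a defensive check that nothing from the PII store is in the payload leaving for the LLM, and that deleting a user's PII row leaves the graph's relationships in place while their node resolves to a neutral label.

```python
"""UUID-only GraphRAG pattern: PII lives in one store; the graph and the
LLM only ever see UUIDs. All stores and the LLM call are stand-ins."""
import re
import uuid

# Matches RFC 4122 style UUID strings as produced by uuid.uuid4()
UUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")


class PIILeak(Exception):
    """Raised when PII is about to leave the trust boundary."""


class PIIStore:
    """Stand-in for the EU-hosted Supabase/PostgreSQL PII layer."""

    def __init__(self):
        self.users = {}  # uuid -> {"name": ..., "email": ...}

    def create_user(self, name, email):
        uid = str(uuid.uuid4())
        self.users[uid] = {"name": name, "email": email}
        return uid

    def resolve(self, uid):
        # A deleted or unknown UUID resolves to a neutral label, so the
        # graph keeps the relationship without re-identifying anyone.
        rec = self.users.get(uid)
        return rec["name"] if rec else "[deleted user]"

    def delete_user(self, uid):
        # Right to deletion: only the PII row goes; the graph is untouched.
        self.users.pop(uid, None)

    def known_pii_values(self):
        return [v for rec in self.users.values() for v in rec.values()]


class Graph:
    """Stand-in for the UUID-only Neo4j graph: nodes are UUIDs and edges
    carry only non-identifying contract metadata."""

    def __init__(self):
        self.edges = []  # (from_uuid, relation, to_uuid, metadata)

    def add_contract(self, a, b, contract_id, value_eur):
        self.edges.append((a, "SIGNED_CONTRACT_WITH", b,
                           {"contract_id": contract_id, "value_eur": value_eur}))

    def edges_for(self, uid):
        # Access control: a caller only sees edges incident to their own node.
        return [e for e in self.edges if uid in (e[0], e[2])]


def assert_no_pii(payload, pii):
    """Defensive check run before anything leaves for the LLM API."""
    for value in pii.known_pii_values():
        if value and value.lower() in payload.lower():
            raise PIILeak(f"PII value would leave the boundary: {value!r}")


def stub_llm(question, context):
    # Stand-in for the external LLM call; it only ever sees UUIDs.
    return f"Q: {question}\nA: Based on the graph:\n{context}"


class Backend:
    """The resolution and authorization layer from the diagram."""

    def __init__(self, pii, graph, llm=stub_llm):
        self.pii, self.graph, self.llm = pii, graph, llm
        self.last_llm_context = None  # kept so the outbound payload can be inspected

    def query(self, requesting_uid, question):
        # 1. Graph step: fetch only the caller's own subgraph, UUIDs only.
        lines = [f"{src} {rel} {dst} (contract {m['contract_id']}, {m['value_eur']} EUR)"
                 for src, rel, dst, m in self.graph.edges_for(requesting_uid)]
        context = "\n".join(lines) or "(no relationships)"
        # 2. LLM step: verify nothing identifying is in the outbound payload.
        assert_no_pii(question + "\n" + context, self.pii)
        self.last_llm_context = context
        answer = self.llm(question, context)
        # 3. Resolve step: swap UUIDs for names only after the answer is back.
        return UUID_RE.sub(lambda m: self.pii.resolve(m.group(0)), answer)


def demo():
    pii, graph = PIIStore(), Graph()
    alice = pii.create_user("Alice Example", "alice@example.com")  # constructed sample users
    bob = pii.create_user("Bob Sample", "bob@example.com")
    graph.add_contract(alice, bob, "C-1001", 12000)  # constructed contract metadata
    backend = Backend(pii, graph)
    before = backend.query(alice, "Who do I have contracts with?")
    pii.delete_user(bob)  # Bob exercises the right to deletion
    after = backend.query(alice, "Who do I have contracts with?")
    return backend, before, after


if __name__ == "__main__":
    _, before, after = demo()
    print(before)
    print("--- after deletion ---")
    print(after)
```

The `assert_no_pii` check deliberately scans the user's question as well as the graph context, since a question that names a person would otherwise carry PII to the external API through the front door; in a real deployment the Neo4j query and the name lookup would go to the respective EU-hosted services, but the ordering (graph, LLM, then resolve) and the boundary check are the parts that carry the compliance argument.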