Skip to content

Batch Job Operations, Privacy, and Compliance

Summary

Operating batch workloads safely: job submission, status, windows and discount rates, idempotency keys, retry and backoff strategies, plus the compliance frameworks (GDPR, HIPAA, SOC2), data residency, vendor data retention, opt-out of training, hashing of sensitive strings, anonymization, and audit trails that production deployments require.

Concepts Covered

This chapter covers the following 26 concepts from the learning graph:

  1. Batch Job Submission
  2. Batch Job Status
  3. Batch Window
  4. Batch Discount Rate
  5. Batch Versus Synchronous
  6. Throughput Optimization
  7. Latency Tolerance
  8. Job Queue
  9. Result Polling
  10. Webhook Notification
  11. Idempotency Key
  12. Retry Policy
  13. Backoff Strategy
  14. Sensitive Field Redaction
  15. Compliance Risk
  16. GDPR
  17. HIPAA
  18. SOC2 Audit
  19. Data Residency
  20. Vendor Data Retention
  21. Opt-Out Of Training
  22. Logging Privacy Risk
  23. Hashing Sensitive Strings
  24. Tokenized Identifier
  25. Audit Trail
  26. Anonymization Strategy

Prerequisites

This chapter builds on concepts from:

Operations: Batch and Compliance

Pemba waving welcome This chapter is the operations chapter — the things you have to do to ship LLM workloads safely in a regulated industry. Two big topics: running batch jobs robustly (the 50% discount you should be exploiting) and meeting the privacy and compliance requirements that govern what can hit the model at all. Cheap systems and compliant systems are the same systems — neither survives shortcuts.

Batch as a Cost Lever, Operationally

Chapter 3 introduced the batch versus synchronous decision and the batch discount rate (typically 50%). This chapter covers the operational details that make batch work in practice — the difference between "let's send everything to batch" and "we have a robust batch pipeline that handles failures, retries, and audit requirements."

Batch Job Submission and Status

Batch job submission is the API call that uploads a batch of requests to the vendor. The pattern is consistent across vendors:

  1. Construct a JSONL file where each line is a request payload (with all the parameters of a normal API call plus a per-line custom_id)
  2. Upload the file to the vendor (sometimes via a separate file-upload endpoint, sometimes inline)
  3. Submit a batch job referencing the uploaded file
  4. Receive a job ID

The batch job status is queried via a status endpoint that returns one of: pending (queued, not yet started), in_progress (running), completed (results available), failed (job-level failure — partial results may exist), expired (the batch window passed without completion). Status is what you poll or webhook against to know when results are ready.

The batch window is the maximum time within which the vendor commits to completing the job — typically 24 hours, sometimes 12 hours for premium tiers. The window is a soft commitment for non-priority batch; a hard commitment for some enterprise contracts. Plan for the upper bound, not the average.

Throughput Optimization and Latency Tolerance

Throughput optimization is the art of getting maximum batch processing per unit time within the vendor's batch quota. Practical levers:

  • Batch sizing — larger batches typically process faster per request than many small batches; aim for the vendor's recommended size (often 1,000–50,000 requests per batch)
  • Concurrent batches — most vendors allow multiple batches in flight simultaneously, up to a quota; for very large workloads, fan out into N concurrent batches rather than one huge one
  • Off-peak submission — batch jobs sometimes complete faster when submitted during low-demand windows (overnight in the vendor's primary region); not guaranteed but often helps

Latency tolerance is the property of a workload that determines whether it belongs on batch in the first place. The cleanest framing: if a 24-hour delay is acceptable, batch is the right path. If a 1-hour delay is acceptable, batch may still work (most jobs finish well under the window). If response is needed in seconds, batch is wrong; use synchronous or async (Chapter 3).

Job Queue, Result Polling, and Webhooks

A job queue is your application-side data structure that tracks submitted batch jobs from submission through completion. Even when the vendor handles the actual queuing, you need your own queue for tracking — what was submitted, what's still in flight, what completed, what failed and needs retry.

Result polling is the simplest way to check whether a batch is done — periodically call the status endpoint. Polling intervals should be exponential or backed-off; checking every second wastes API calls and contributes to your rate-limit budget. A reasonable default: poll every 5 minutes for the first hour, every 30 minutes after that.

Webhook notification is the better alternative when supported: the vendor calls a URL you provide when the batch completes, eliminating polling entirely. Webhooks require a publicly-reachable endpoint and signature verification (the vendor signs the payload; you verify before trusting it). Use webhooks for any batch workload of meaningful volume — they reduce both latency and operational overhead.

Idempotency, Retry, and Backoff

An idempotency key is a unique identifier you attach to a request such that the vendor recognizes a re-submitted identical request and returns the same result rather than processing twice. Idempotency keys are the safety net for retries — without them, a network blip during job submission can result in the same batch running twice.

A retry policy specifies when and how to re-submit a failed request. Standard patterns:

  • Retry on transient errors (5xx HTTP responses, timeouts, network errors) — the request didn't complete; safe to retry
  • Don't retry on permanent errors (4xx responses other than rate limits) — the request was rejected on its merits; retrying won't help
  • Retry rate-limit errors (429) with longer backoff — the vendor needs you to slow down

A backoff strategy is the delay schedule between retries. Exponential backoff (double the delay after each failure) is standard; add jitter (random variation) to prevent synchronized retry storms across many concurrent clients. A typical setting: initial delay 1 second, multiplier 2.0, max delay 60 seconds, jitter ±20%, max 5 attempts.

For batch specifically, the retry granularity matters: retry the whole batch (simple but wastes already-completed work) or retry only the failed sub-requests (more complex but more efficient on partial failures). Most vendors return per-request status in the result file, enabling per-request retry.

Diagram: Batch Job Lifecycle with Retry and Webhook

Batch Job Lifecycle with Retry and Webhook

Type: workflow sim-id: batch-job-lifecycle
Library: Mermaid
Status: Specified

Purpose: Show the full batch job lifecycle from submission through result download, including failure handling and webhook-based notification.

Bloom Level: Apply (L3) Bloom Verb: implement

Learning objective: Implement a robust batch pipeline including idempotency, retry, and webhook-based completion notification.

Visual style: State machine diagram with annotations

States: - Not Submitted (initial) - Pending (vendor accepted, queued) - In Progress (vendor processing) - Completed (results available) - Partial (some requests succeeded, some failed) - Failed (job-level failure, no results) - Expired (window passed without completion)

Transitions: - Submit (with idempotency_key) → Pending - Vendor schedules → In Progress - Vendor finishes → Completed | Partial | Failed - Window passes → Expired - Webhook fires from Completed/Partial/Failed - App downloads results, marks job done

Annotations: - "Retry sub-requests" arrow from Partial → "build new batch from failed only" - "Idempotency key prevents double-processing on retry" - "Webhook signature verified before trusting"

Interactive controls: - Click any state: see expected duration and what to do next - Toggle: "Use polling instead of webhook" — show the difference

Implementation: Mermaid state diagram, responsive layout

Compliance: The Frameworks You'll Encounter

Compliance is not a cost optimization. It's the constraint that determines what you're allowed to do — and the cost of getting it wrong (regulatory fines, breach disclosure, lost contracts) far exceeds any LLM bill. The major frameworks any production LLM team will encounter:

GDPR (General Data Protection Regulation) is the EU regulation governing personal data of EU residents. Key implications for LLM systems: you need a lawful basis to process any personal data (including in prompts), users have rights to access/correct/delete their data (which extends to derived data like embeddings), and cross-border data transfers require additional safeguards (Standard Contractual Clauses or equivalent). GDPR applies whenever EU residents' data is involved, regardless of where your servers are.

HIPAA (Health Insurance Portability and Accountability Act) is the US framework governing protected health information (PHI). LLM systems touching PHI need the vendor to be a HIPAA-eligible business associate (with a signed Business Associate Agreement), need PHI to never appear in non-HIPAA-eligible logs, and need audit trails that satisfy HIPAA's logging requirements. Anthropic, OpenAI, and Google all offer HIPAA-eligible deployments — but on specific infrastructure surfaces (typically Vertex AI for Google, Azure OpenAI for OpenAI, Anthropic on AWS Bedrock with BAA).

SOC2 audit is the security-attestation framework most B2B SaaS customers expect. SOC2 doesn't dictate specific controls but requires documented practices around security, availability, processing integrity, confidentiality, and privacy. For LLM systems, the audit-relevant areas include access control (who can see prompts/responses?), encryption in transit and at rest, change management for prompt templates, and incident response plans.

These frameworks are not mutually exclusive — many production deployments need to satisfy all three simultaneously, plus jurisdiction-specific additions (CCPA, PIPEDA, etc.). The good news: most controls satisfy multiple frameworks at once.

Data Residency

Data residency is the requirement that data be processed and stored in a specific geographic jurisdiction. EU customer data must stay in the EU; some healthcare data must stay in-country; some government contracts require US-only processing.

For LLM vendors, data residency translates to choosing the right deployment surface and region:

  • Anthropic on Bedrock: choose AWS regions in the right jurisdiction
  • OpenAI on Azure: choose Azure regions in the right jurisdiction
  • Gemini on Vertex AI: choose GCP regions in the right jurisdiction
  • Direct vendor APIs: typically less granular control over residency

Logging respects residency too — your structured logs (Chapter 9) need to live in the right region, not get shipped to a default US-based log aggregator.

Vendor Data Retention and Opt-Out of Training

Vendor data retention is how long the vendor keeps your prompts and responses. The default policies vary; the relevant fact for compliance is what the vendor commits to in their enterprise agreement:

  • Default consumer/developer tiers often retain inputs for some period (30 days for abuse monitoring is typical)
  • Enterprise tiers typically offer zero retention or short configurable retention
  • Healthcare/financial deployments typically commit to no retention beyond what's needed to return the response

Opt-out of training is the related and critical commitment: that the vendor will not use your prompts and responses to train future models. Default consumer tiers historically often defaulted to opt-in (your data trains models unless you opt out); enterprise tiers default to opt-out and contractually guarantee it. Verify this in writing for any sensitive workload — "we don't train on your data" is meaningless without contractual force.

Logging Privacy Risk

Logging privacy risk is the standing concern that your own logs (Chapter 9) become a privacy liability if they capture content they shouldn't. The major risks:

  • Raw prompts in logs that contain user PII
  • Raw responses in logs that contain PII the model surfaced from training data
  • Trace fields (user_id, session_id) that link to identifiable individuals when correlated with other systems
  • Long retention windows that accumulate years of personal data

The mitigations from Chapter 9 (PII detection, PII redaction, prompt truncation, retention policies) all apply directly. Logging is the privacy attack surface most teams under-estimate; treat it as the first-class compliance concern it is.

Privacy Primitives in Detail

Sensitive Field Redaction

Sensitive field redaction is the practice of identifying specific fields that should be masked before processing — the SSN field, the credit card field, the medical-record-number field — and removing them at the application boundary. Field-level redaction is more reliable than free-text PII detection (Chapter 9) for known sensitive fields; combine both.

A redaction-aware request might: redact the SSN field to XXXX-XX-1234 before sending the prompt to the LLM, log only the redacted version, and document the redaction in the audit trail. The downstream model never sees the raw SSN; if logs leak, the SSN doesn't.

Hashing Sensitive Strings and Tokenized Identifiers

Hashing sensitive strings is the practice of one-way-hashing fields that need to be present in some form (for joining, deduplication, indexing) but shouldn't be stored in cleartext. SHA-256 with a per-tenant salt is the standard. Hashing is not the same as encryption — you cannot reverse the hash, only verify whether a candidate matches.

A tokenized identifier is a similar concept with a different mechanism: replace a sensitive value (an email, a customer ID) with a randomly-generated token via a tokenization service (a key-value store mapping tokens to values, accessible only with proper authorization). Tokenized identifiers can be reversed to the original value when needed, but only by services with permission.

The choice between hashing and tokenization:

  • Hashing: when you only ever need equality comparison, never the original value
  • Tokenization: when you may need the original later but want to keep it out of routine log/data flows

Anonymization Strategy

An anonymization strategy is the broader policy for transforming personal data into non-personal-data form before LLM processing or logging. Genuine anonymization (irreversible, can't be re-identified) is harder than it sounds — common techniques like name removal often leave enough quasi-identifiers (zip code + birth date + gender) for re-identification.

The practical anonymization toolkit:

  • Field redaction for known sensitive fields
  • Free-text PII detection and replacement for unknown sensitive fragments
  • k-anonymity (group records so each is indistinguishable from at least k others)
  • Differential privacy (add calibrated noise to aggregates)

For LLM applications, full anonymization is often impractical (the user's query needs to be specific enough to answer). The realistic compromise: redact what can be redacted, document what couldn't, limit retention, and don't pretend the result is anonymous when it's only de-identified.

Compliance Risk

Compliance risk is the residual exposure after controls are in place — the probability times impact of a compliance failure. Risk assessments quantify it; risk registers track it; insurance covers it.

For LLM systems, the high-impact compliance failure modes include: prompt injection that exfiltrates other users' data through the model, log breaches that expose PII, vendor incidents that exfiltrate your prompts, training-data contamination by data you sent the vendor. The probability of each varies; the impact ranges from "annoying" to "company-ending."

Risk reduction is the work this chapter has been describing — controls layered such that no single failure produces catastrophic exposure.

Audit Trail

An audit trail is the chronological record of every event with compliance significance — who accessed what data when, what configurations were changed, what compliance-relevant requests were made. Audit trails are required by SOC2, useful for HIPAA, often subpoenaed during legal investigations.

For LLM systems, audit trail entries should include:

  • Every API key issuance, rotation, and revocation
  • Every change to prompt templates (treating them as code in a versioned system, every commit becomes an audit event)
  • Every change to budget policies and routing policies
  • Every privileged access to logs (especially logs that may contain PII)
  • Every compliance-related configuration change (retention policy edits, redaction rule changes)

The audit trail is its own data store, separate from operational logs, with its own retention policy (typically 7 years) and its own access controls (read-only for most, write-only for the application, full access for compliance officers).

Diagram: Privacy and Compliance Pipeline

Privacy and Compliance Pipeline

Type: workflow sim-id: privacy-compliance-pipeline
Library: Mermaid
Status: Specified

Purpose: Show how a single LLM request flows through the privacy and compliance controls — from input PII redaction through to audit trail emission — so the layered defense pattern is visible.

Bloom Level: Apply (L3) Bloom Verb: implement

Learning objective: Implement a privacy-and-compliance-aware LLM request pipeline that satisfies GDPR, HIPAA, and SOC2 requirements simultaneously.

Visual style: Vertical flow diagram with side annotations for each compliance framework

Steps: 1. User input received (with PII) 2. Field redaction (SSN, credit card, etc., replaced with placeholders) → audit event 3. Free-text PII detection on remaining content → tokenize names with reversible tokens 4. Prompt assembly with redacted/tokenized content 5. Region check: enforce data residency by routing to in-region LLM endpoint 6. LLM call with vendor on no-train, low-retention enterprise tier 7. Response received 8. Response PII detection (model may have surfaced PII from training data) 9. Re-tokenize identifiers in response back to readable form (only for authorized recipient) 10. Log line emitted: includes redacted prompt hash, no raw content, audit-trail event 11. Response delivered to user

Right-side annotations: - "GDPR: lawful basis documented" at step 1 - "HIPAA: PHI never leaves redaction boundary" at step 2 - "Data residency enforced" at step 5 - "SOC2: audit event for change to redaction policy" at step 11

Interactive controls: - Toggle each compliance framework on/off — show which controls are required by each - Click any step to see the failure mode if that control were missing

Implementation: Mermaid flowchart with side annotations, responsive layout

Compliance Mistakes Are Not Recoverable

Pemba cautioning Cost mistakes can be fixed by next month. Compliance mistakes — sending PHI to a non-BAA vendor, training a model on customer data without consent, retaining PII past its lawful basis — often can't. Once data is in the vendor's training set, you cannot remove it. Once a breach has been disclosed, the news cycle has happened. Build the controls before you ship; the team that has to add them retroactively is the one whose Q4 looks rough.

Putting It All Together

You can now operate batch workloads safely and meet the compliance bar that production deployments require. On the batch side: you handle batch job submission through the standard upload-and-submit pattern, track batch job status via either result polling or webhook notification, respect the batch window to capture the batch discount rate, and make the batch versus synchronous decision based on the workload's latency tolerance. You manage your own job queue, drive throughput optimization through batch sizing and concurrency, and ensure correctness with idempotency keys, a retry policy, and an exponential backoff strategy. On the compliance side: you understand and satisfy GDPR, HIPAA, and the SOC2 audit simultaneously. You enforce data residency by choosing the right vendor surface and regions; you negotiate vendor data retention and opt-out of training terms in enterprise agreements. You apply sensitive field redaction, hashing sensitive strings, tokenized identifiers, and a documented anonymization strategy to bound logging privacy risk and compliance risk. You maintain a separate audit trail with appropriate retention and access controls.

Chapter 20 is the capstone — putting all 19 chapters together into the projects, evals, and continuous-practice patterns that turn this book's contents into ongoing engineering capability.

Quick Self-Check — Click to Reveal Answers
  1. What's the difference between an idempotency key and a request_id? request_id uniquely identifies a single request; idempotency_key tells the vendor "if you've seen this key before, return the prior result instead of processing again." The vendor uses it to deduplicate retries.
  2. Why should LLM workloads on batch use webhooks instead of polling when possible? Polling consumes API calls and adds latency. Webhooks deliver completion notification immediately, with one less moving part.
  3. What does "opt-out of training" guarantee? That the vendor will not include your prompts and responses in training data for future models. The default tiers don't always include this; enterprise contracts do.
  4. Why is hashing not the same as anonymization? Hashing prevents recovery of the original value but allows equality comparison — two requests with the same SSN still hash to the same value. With enough auxiliary data, hashed records can often be re-identified.
  5. What goes in an audit trail vs. operational logs? Operational logs record what the application did (every LLM call, cost, latency). Audit trails record compliance-significant events: configuration changes, key rotations, prompt template versions, privileged access. Different retention, different access controls.

End of Chapter 19

Pemba celebrating Operations and compliance covered. Next chapter is the capstone — the projects, evals, and continuous practices that turn everything into long-term engineering capability.

See Annotated References