Skip to content
in/guard/out
in/guard/out

Privacy

PII never reaches the model provider

Every prompt your app sends to a third-party model is a potential disclosure: names, emails, phone numbers, card and account numbers, national IDs. Blocking them outright breaks the feature; sending them raw is a compliance problem. The proxy does neither.

Inbound, Microsoft Presidio (with spaCy NER) detects PII above a configurable confidence threshold and replaces each value with a stable placeholder – the model, and the provider behind it, only ever see <PERSON_2> or <EMAIL_ADDRESS_1>. Outbound, as the very last stage, the placeholders are swapped back to the real values, so your application receives a normal, usable answer.

The placeholder-to-value map lives in memory for the single request and is never written to the database. Logs store the screened form by default. And because the proxy created the placeholders, it knows exactly which tokens are sensitive – which is what makes taint tracking on agent tool calls possible.

§01 How screen & restore works

Detect

Presidio + spaCy NER find PII entities – person names, emails, phones, cards, SSNs, IBANs and more – above your configured confidence threshold. The entity set is configurable.

Screen

Each value becomes a stable placeholder, so repeated mentions map to the same token and the model can still reason about the text coherently.

Restore

The final outbound stage swaps placeholders back to real values. Your app gets usable output; the provider never saw the originals.

Contain

On agent traffic, taint tracking blocks screened values and detected secrets from leaving through tool-call arguments – unless the tool is explicitly allowed to receive that entity type.

§02 Frequently asked questions

Does the LLM provider ever see real personal data?

No. PII is replaced with placeholders before any request reaches the model provider. The provider sees screened text only. Unscreened values are restored in the response your application receives.

Is the PII map stored anywhere?

No. The placeholder-to-value map exists in memory for the duration of one request and is never persisted. Transcript logs store the screened form by default.

Which entities are detected?

Names, emails, phone numbers, credit cards, SSNs and national IDs, IBANs, IP addresses, crypto addresses and more – powered by Presidio, with the entity list and confidence threshold configurable per deployment.

Does screening break the model’s answer?

Placeholders are stable per value, so the model reasons over consistent tokens and the restore step returns a natural answer. The grounding checks compare against the screened source, so placeholders are never mistaken for changed values.

§03 Related guardrails

See PII never reach your provider

Test with real data: watch names, emails, and card numbers become placeholders before leaving your boundary. We are running a limited demo - sign up and we will get you in as soon as we can.