How it works

The gateway keeps personal data on-shore while you use any public LLM. It sits on the egress path, swaps every identifier for a placeholder before the prompt crosses the border, lets the model answer on the placeholders, and restores the real values on the way back — so nothing sensitive ever leaves your network.

The round-trip

Draft a reply to Hans Muster (AHV 756.1234.5678.97, IBAN CH93 0076 …)
        │  🛡  the only thing that crosses the border ↓
Draft a reply to [PERSON_1] ([AHV_1], [IBAN_1])
        │  the model answers on placeholders ↓
"Dear [PERSON_1], we'll refund CHF 240 within five business days…"
        │  🛡  restored on the way back ↓
"Dear Hans Muster, we'll refund CHF 240 within five business days…"

The model produces a correct, personalised answer having only ever seen [PERSON_1]. Even if the provider logs every prompt, it logged placeholders.

Deterministic by design

The detection is not an LLM and not a cloud API — both would defeat the purpose (you cannot use an unreliable thing as your reliability boundary, and a cloud “PII API” means you have already sent the data away to find it). It is regex plus checksums, run locally:

The checksums are what make it trustworthy: a random 13-digit string is not flagged, and a real AHV cannot slip through by being reformatted. It runs air-gapped and fails closed — if something looks like an identifier, it is withheld, not waved through. The principle is old and dull and correct: never trust the model to police itself; put a deterministic code boundary around it.

In production

Where it stops

Defence in depth, deliberately dumb — the outer layer, not the only one.

← Try the live gateway  ·  Does it cost utility? →