Privian
Get Started

Data path

Understand exactly what reaches the model

See how prompts move through Privian, what gets masked, what never reaches the LLM, and where Privian fits in your AI stack.

Read securityRead the docs

In one screen

The skeptical-buyer summary

Eight questions a security engineer, CTO or CISO usually asks first. Answers grounded in implementation, not marketing.

QuestionAnswer
What reaches the model?Your prompt with supported personal and sensitive values replaced by deterministic placeholders (PERSON_1, EMAIL_1, …). The provider sees the masked prompt only.
What never reaches the model?The original surface-form values for entities Privian successfully detected and masked. They are replaced before the outbound provider call.
What gets retained?Nothing of the raw prompt or rehydrated response body. Only structural counters and sanitized observability events (request id, model, token counts, latency, error class).
What does Privian store?Account data, BYOK provider credentials (AES-GCM encrypted at rest), API keys (hashed), usage rollups and sanitized event metadata.
Who can see your prompt content?Your application sends it, the upstream model provider receives the masked version, and the entity mapping lives in process memory for the request only. Privian staff cannot browse raw prompts because raw prompts are not retained.
What does Privian log?Structural counters and event metadata only — never raw prompt or response bodies. Observability events are sanitized before they leave the request.
What is deleted?The in-memory entity map and any decrypted provider key are discarded when the request ends. There is no raw prompt or response body to delete because none was written.
What are the limitations?Privian masks supported entity types only. Anything outside that set (custom internal identifiers, free-text descriptions of sensitive context, novel formats) reaches the provider unchanged. See the limitations section below.

Data path

How a request actually flows

Single in-memory pass. Nothing of the raw prompt or rehydrated response is written to storage.

Privian data path: the application sends a raw prompt to the Privian Gateway, which detects supported entities, masks them to placeholders like PERSON_1 and EMAIL_1, and resolves the BYOK credential in memory. The masked prompt crosses the BYOK boundary to the LLM provider (OpenAI, Anthropic, Google), which only sees masked content. The raw model response returns to the gateway, which rehydrates placeholders to originals, emits a sanitized event with no bodies, and discards the entity map and decrypted key. Persisted: account, BYOK credential (AES-GCM at rest), hashed API keys, usage rollups, sanitized events. Not persisted: raw prompt body, rehydrated response body, entity map, decrypted provider key.
Supported sensitive values are masked before prompts reach the model and rehydrated after the response returns.

Region & residency

Where requests are processed

Said plainly so there is no ambiguity in a procurement review.

  • Privian runs on managed serverless infrastructure. There is no customer-selectable region pinning or data-residency tier today.
  • Privian is a privacy layer in front of managed model providers. It does not provide self-hosted inference.
  • BYOK is supported. The upstream provider call uses your credential, and the provider's own region settings apply on their side.
  • If strict regional residency is a hard requirement, self-hosted inference is the right tool — see Privian vs self-hosted LLMs.

In the prompt

What reaches the model

  • Your prompt text with detected supported entities replaced by tokens like PERSON_1, EMAIL_1, PHONE_1.
  • Model and routing parameters you set (model id, temperature, max tokens, etc.).
  • Any free-text in your prompt that does not match a supported entity pattern — Privian does not invent classifications for it.

Placeholders are deterministic within a request — the same value mentioned three times becomes the same token three times, so the model can still reason about co-reference. On the way back, tokens are replaced with the original values inside the gateway before the response returns to your application.

In the prompt

What never reaches the model

  • The original surface form of any entity Privian successfully masked before the outbound call.
  • Your BYOK provider credentials themselves — they are used to authenticate the request, not embedded in prompt content.
  • Internal request metadata (your Privian API key, account id, billing context).

Privian does not overclaim here. If a value falls outside the supported entity set, it is not masked and will reach the provider unchanged. The supported set is listed on PII masking.

At rest

What gets retained

Retained

  • Account, billing and BYOK credential records (credentials encrypted with AES-GCM, decrypted only in process for the request).
  • Hashed API keys.
  • Usage rollups (token counts, request counts, latency aggregates per period).
  • Sanitized observability events (request id, model, status, error class) — no prompt or response bodies.

Not retained

  • Raw prompt bodies.
  • Rehydrated response bodies.
  • The per-request entity mapping (PERSON_1 → real value). It lives only in process memory for the lifetime of the request.
  • Decrypted provider keys. They exist only in process for the request and are discarded on completion.

Trust boundary

Who can see your data

A calm honest read of which actors see what. No unsupported guarantees.

  • Your application

    Sees everything

    It is the source of the prompt and the consumer of the rehydrated response. Privian does not change that.

  • Privian (data plane)

    Sees the request in memory only

    Detection, masking, the BYOK provider call and rehydration happen in a single in-memory pass. Bodies are not written to storage.

  • Upstream provider

    Sees the masked prompt

    OpenAI, Anthropic, Google etc. receive your prompt with supported entities replaced by tokens. Their terms apply from there.

  • Privian staff

    Cannot browse raw prompts

    Raw prompt and response bodies are not retained, so there is no operator console for them. Support work uses request ids and sanitized events.

In your stack

Where Privian fits

One privacy layer inside a broader AI control stack — not a replacement for governance, self-hosted inference or prompt-injection defense.

Your application  →  Privian  →  Managed model provider

Privian is:                       Privian is not:
  prompt-level data protection      governance / policy engine
  privacy-first routing             self-hosted inference
  BYOK + no raw-prompt retention    prompt-injection / jailbreak defense
  small JSON contract               audit-log product

Fit

When to use Privian

  • Customer support AI where messages contain names, emails, account ids and free-text from end users.
  • Internal copilots that draft from tickets, HR records, support transcripts or CRM notes.
  • SaaS AI features built on top of managed providers (GPT, Claude, Gemini) where prompts reflect customer data.
  • Privacy-sensitive workflows where you want one place to enforce masking before a managed model sees a prompt.

Honest fit

When NOT to use Privian

Cases where another approach is the right tool. Said plainly.

  • Workloads where regulation or policy requires that no data ever leaves a controlled environment — that is a self-hosted inference problem, not a gateway problem.
  • Use cases where the primary requirement is prompt-injection or jailbreak defense — that is a separate product category from prompt privacy.
  • Teams that need full governance tooling (per-tenant AI off-switches, fine-grained policy engines, end-to-end audit logging) — Privian is a focused privacy layer, not a governance platform.
  • Drop-in replacement for the OpenAI SDK — Privian exposes a small JSON contract, not SDK-level compatibility today.

Tradeoffs

Privian vs self-hosted models

Two different shapes of risk reduction. Neither is universally right.

  • Self-hosted models

    Strong isolation, higher operating cost

    Best when policy or regulation requires that data never leaves a controlled environment. You take on inference operations, capacity planning and model maintenance.

  • Managed models + Privian

    Managed-model quality with prompt-level masking

    Use GPT, Claude or Gemini, but mask supported sensitive values before the prompt reaches them, keep BYOK, and avoid raw-prompt retention at the gateway.

  • Hybrid

    Route by sensitivity

    Highly sensitive workflows go to self-hosted inference; lower-risk workflows use managed providers through Privian. Common pattern for teams that want both.

Full side-by-side: Privian vs self-hosted LLMs.

Limitations

What Privian does not do today

Read this list as the trust boundary. If your requirement is on this list, Privian is not the right tool — at least not on its own.

  • Detects and masks supported entity types only; custom user-defined entity types are not supported yet.
  • No tool / function calling in the current beta.
  • No native provider token streaming yet — stream: true returns artificially chunked text.
  • No claim to detect or block prompt injection or jailbreaks.
  • No HIPAA / SOC 2 / PCI certifications at this time.
  • No tenant-level governance controls, audit log product or per-tenant AI off-switch.

FAQ

Frequently asked questions

What reaches the model when I call Privian?
The prompt you sent with supported personal and sensitive values replaced by deterministic placeholders (PERSON_1, EMAIL_1, …). Anything that does not match a supported entity type is passed through unchanged.
Does Privian store my prompts?
No. Raw prompt bodies and rehydrated response bodies are not written to storage. Privian retains structural counters and sanitized observability events, plus your account, billing, hashed API keys and AES-GCM-encrypted BYOK credentials.
Can Privian staff read my prompts?
Operators cannot browse raw prompts because raw prompts are not retained. Support work uses request ids and sanitized event metadata.
What does OpenAI, Anthropic or Google see?
The masked prompt. They never receive the original values that Privian successfully detected and masked. Anything outside the supported entity set is passed through unchanged, and the provider's own terms apply from there.
What does BYOK change?
With BYOK, the call to the upstream provider is authenticated with your own provider key, decrypted only in process for the request. Billing, provider-side rate limits and provider-side terms are between your account and the provider.
When should I choose self-hosted inference instead?
When policy or regulation requires that data never leaves a controlled environment, when you cannot rely on any third-party model provider, or when you need a level of isolation that any hosted gateway by definition cannot provide. See Privian vs self-hosted LLMs.
Does Privian support regional data residency?
Not today. Privian does not currently offer customer-selectable data residency or region pinning. Requests are processed on managed serverless infrastructure and routed to the managed model provider you configure via BYOK; the provider's own region settings apply on their side. If strict residency is a hard requirement, self-hosted inference is the right tool — see Privian vs self-hosted LLMs.

Trust

Related trust resources

The same picture from different angles — procurement-friendly references.

Plans & pricing

Explore plans for teams building privacy-sensitive AI workflows

Pricing for the Privian gateway is published transparently. Beta plans may change.

View pricingRead the docs

Keep reading

Related