Compliance
Privian is in beta. This page describes the privacy posture that is currently implemented — not certifications Privian does not yet hold.
What is in place today
- Data minimization. The gateway only requires what is necessary to mask and route a prompt.
- No raw-prompt retention. Raw prompts and raw entity values are never logged, persisted, or echoed in metadata.
- Masked egress. Providers receive only the masked prompt.
- Encrypted BYOK credentials. Provider API keys are encrypted at rest with AES-GCM.
- Sanitized observability. Telemetry flows through a sanitizer that redacts email/phone shapes before any sink receives it.
- Gateway key hashing. Gateway API keys are stored only as sha256(key).
What is not claimed today
Privian does not claim HIPAA, SOC 2, ISO 27001, PCI-DSS, or other formal compliance certifications. Privian is not currently positioned for regulated healthcare, legal, or financial workloads that require those certifications. If your use case requires formal attestations today, Privian is not the right fit.
Customer responsibility
- You select the downstream provider and accept their retention and processing terms for the masked traffic Privian forwards.
- You manage gateway API key rotation and revocation in your own systems.
- You are responsible for ensuring the data you send is permitted by your own privacy and regulatory obligations.
Future / roadmap (not yet implemented)
- Formal certifications and audit reports.
- Region-pinned deployments.
- Customer-managed encryption keys for BYOK.
These are stated as direction, not commitments or current capabilities.