Security

Privian security model

How Privian reduces sensitive data exposure in LLM workflows with masking, privacy-first routing and zero raw prompt retention.

Overview

What Privian's security model is for

Privian focuses on one specific problem: reducing the amount of sensitive data that ever reaches an LLM provider. It is a privacy-reduction control on the egress path — not a full LLM security suite, not a compliance program, and not a substitute for content moderation or downstream model governance.

Prompt privacy is one layer in an enterprise security posture; it complements rather than replaces application security, governance and provider review.
From top to bottom: governance and policy, application minimization, a gateway that masks and routes, the BYOK provider boundary, and provider-side controls.01 · Governance & policyDocuments intent02 · Application minimizationDrops fields upstream03 · Gateway: mask + route + retainIn the request path04 · BYOK provider boundaryCustomer owns the key05 · Provider-side controlsTier, retention, region
Layered AI controlsNo single layer is sufficient. Each compensates for the others' gaps.

In scope

What Privian protects

Privian helps reduce exposure of supported sensitive values in prompts before they leave your trust boundary:

  • Personal identifiers

    Names, emails, phone numbers, IP addresses.

  • Financial & national IDs

    Credit cards (Luhn-validated), IBANs, US SSN, Canadian SIN.

  • Developer secrets

    JWTs, OpenAI keys, GitHub tokens, AWS keys, generic API keys, env-style secrets.

  • Prompt egress

    The provider receives the masked prompt only. Original values are restored after the response.

Out of scope

What Privian does not currently claim

We are explicit about what Privian is not. The current beta does not claim to:

  • Block prompt injection
  • Prevent jailbreak attempts
  • Provide content moderation
  • Guarantee downstream model behavior
  • Replace an enterprise security program
  • Provide HIPAA, SOC 2 or PCI compliance
  • Secure tool / function calling
  • Support native provider token streaming

Retention

Data retention and storage

The gateway is designed around zero raw retention:

  • • Raw prompts are not stored.
  • • Rehydrated responses are not stored.
  • • The per-request placeholder → value map lives only in memory and is discarded after the response.
  • • Sanitized observability events (model, status, latency, entity counts) and rollup metrics are stored — no payload content.

Credentials

API key and provider credential handling

  • Gateway API keys are stored as a SHA-256 hash. The plaintext is shown once at creation and is never recoverable from Privian.
  • BYOK provider credentials (OpenAI, Anthropic, Google, DeepSeek) are encrypted with AES-256-GCM at rest. The plaintext is discarded immediately after encryption.
  • Client-visible credential metadata is limited to the last four characters and a non-reversible HMAC fingerprint. Ciphertext, IV and master keys never leave the server.

Masking

Masking security model

Supported sensitive values are detected and replaced with deterministic placeholders before any outbound provider call. The provider receives the masked prompt only. Rehydration happens in-memory inside the gateway before the response is returned to your application. The token map is request-scoped and is discarded after response.

Threat model

Threat model boundaries

Privian addresses sensitive data exposure on the prompt egress path. It does not defend against malicious prompts crafted by end users, model misuse downstream of the response, abuse of your own application's authorization, or attacks against the provider itself. Use it alongside — not instead of — your existing application security and governance controls.

Transparency

Beta limitations

  • No OpenAI messages[] API
  • No OpenAI SDK drop-in
  • No tool / function calling
  • Artificial streaming only
  • No custom user-defined entities yet
  • No Norwegian fødselsnummer yet
  • No prompt-injection blocking claim
  • No HIPAA / SOC 2 / PCI certification

Enterprise reviews

Common enterprise questions

The questions that come up most often in enterprise AI security reviews, with short, honest answers. For the longer treatment, see how enterprise AI security reviews have changed.

Do you store prompts?
No. Raw prompts and rehydrated responses are not persisted.
What reaches the model?
The masked prompt only. Supported sensitive values are replaced with deterministic placeholders before any outbound provider call.
Can Privian employees see prompts?
No raw prompts exist on the request hot path beyond in-memory request scope. There is no production tooling that surfaces prompt or response bodies to staff.
What is retained?
Sanitized observability events (model, status, latency, entity counts), rollup metrics, hashed gateway API keys, and encrypted BYOK credentials. No prompt or response bodies. No raw entity values.
What does BYOK change?
BYOK keeps your provider relationship — keys, billing, contract terms, retention — with you. Privian uses your key to call the provider on your behalf and never resells provider access.
Where is data processed?
Inside the Privian gateway runtime and your configured LLM provider. The gateway runs on managed infrastructure; the provider region is determined by your provider account configuration.
Is there a subprocessor list?
Yes — see subprocessors.

FAQ

Security FAQ

Does Privian store prompts?
No. Raw prompts and rehydrated responses are not persisted. Only sanitized observability events (counters, latencies, model, entity counts) and rollup metrics are stored.
Does the LLM provider see original sensitive values?
No. The provider only sees the masked prompt, where sensitive values have been replaced with deterministic placeholders such as PERSON_1 and EMAIL_1.
Does Privian stop prompt injection?
No. Privian does not currently claim to block prompt injection, jailbreak attempts or unsafe model output. Its focus is reducing sensitive data exposure in prompts before they reach the provider.
How are provider keys handled?
Provider keys are encrypted with AES-256-GCM at rest. The plaintext is discarded immediately after encryption. Only safe metadata (last4 + a non-reversible HMAC fingerprint) is returned to the client. The gateway hot path resolves credentials server-side and never exposes plaintext.
Is Privian compliant with HIPAA, SOC 2 or PCI?
No. Privian does not claim HIPAA, SOC 2 or PCI compliance today. It is a privacy-reduction control, not a substitute for a compliance program.
What data types are currently masked?
Personal identifiers (PERSON, EMAIL, PHONE, IP_ADDRESS), financial and national identifiers (CREDIT_CARD, IBAN, SSN_US, SIN_CA), and developer secrets (JWT, OPENAI_API_KEY, GITHUB_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GENERIC_API_KEY, ENV_SECRET, SECRET_TOKEN). Norwegian fødselsnummer is not yet supported.

Blueprint

Privian Blueprint