Security
Privian security model
How Privian reduces sensitive data exposure in LLM workflows with masking, privacy-first routing and zero raw prompt retention.
Overview
What Privian's security model is for
Privian focuses on one specific problem: reducing the amount of sensitive data that ever reaches an LLM provider. It is a privacy-reduction control on the egress path — not a full LLM security suite, not a compliance program, and not a substitute for content moderation or downstream model governance.
Prompt privacy is one layer in an enterprise security posture; it complements rather than replaces application security, governance and provider review.
In scope
What Privian protects
Privian helps reduce exposure of supported sensitive values in prompts before they leave your trust boundary:
Personal identifiers
Names, emails, phone numbers, IP addresses.
Financial & national IDs
Credit cards (Luhn-validated), IBANs, US SSN, Canadian SIN.
Developer secrets
JWTs, OpenAI keys, GitHub tokens, AWS keys, generic API keys, env-style secrets.
Prompt egress
The provider receives the masked prompt only. Original values are restored after the response.
Out of scope
What Privian does not currently claim
We are explicit about what Privian is not. The current beta does not claim to:
- Block prompt injection
- Prevent jailbreak attempts
- Provide content moderation
- Guarantee downstream model behavior
- Replace an enterprise security program
- Provide HIPAA, SOC 2 or PCI compliance
- Secure tool / function calling
- Support native provider token streaming
Retention
Data retention and storage
The gateway is designed around zero raw retention:
- • Raw prompts are not stored.
- • Rehydrated responses are not stored.
- • The per-request placeholder → value map lives only in memory and is discarded after the response.
- • Sanitized observability events (model, status, latency, entity counts) and rollup metrics are stored — no payload content.
Credentials
API key and provider credential handling
- Gateway API keys are stored as a SHA-256 hash. The plaintext is shown once at creation and is never recoverable from Privian.
- BYOK provider credentials (OpenAI, Anthropic, Google, DeepSeek) are encrypted with AES-256-GCM at rest. The plaintext is discarded immediately after encryption.
- Client-visible credential metadata is limited to the last four characters and a non-reversible HMAC fingerprint. Ciphertext, IV and master keys never leave the server.
Masking
Masking security model
Supported sensitive values are detected and replaced with deterministic placeholders before any outbound provider call. The provider receives the masked prompt only. Rehydration happens in-memory inside the gateway before the response is returned to your application. The token map is request-scoped and is discarded after response.
Threat model
Threat model boundaries
Privian addresses sensitive data exposure on the prompt egress path. It does not defend against malicious prompts crafted by end users, model misuse downstream of the response, abuse of your own application's authorization, or attacks against the provider itself. Use it alongside — not instead of — your existing application security and governance controls.
Transparency
Beta limitations
- No OpenAI messages[] API
- No OpenAI SDK drop-in
- No tool / function calling
- Artificial streaming only
- No custom user-defined entities yet
- No Norwegian fødselsnummer yet
- No prompt-injection blocking claim
- No HIPAA / SOC 2 / PCI certification
Enterprise reviews
Common enterprise questions
The questions that come up most often in enterprise AI security reviews, with short, honest answers. For the longer treatment, see how enterprise AI security reviews have changed.
- Do you store prompts?
- No. Raw prompts and rehydrated responses are not persisted.
- What reaches the model?
- The masked prompt only. Supported sensitive values are replaced with deterministic placeholders before any outbound provider call.
- Can Privian employees see prompts?
- No raw prompts exist on the request hot path beyond in-memory request scope. There is no production tooling that surfaces prompt or response bodies to staff.
- What is retained?
- Sanitized observability events (model, status, latency, entity counts), rollup metrics, hashed gateway API keys, and encrypted BYOK credentials. No prompt or response bodies. No raw entity values.
- What does BYOK change?
- BYOK keeps your provider relationship — keys, billing, contract terms, retention — with you. Privian uses your key to call the provider on your behalf and never resells provider access.
- Where is data processed?
- Inside the Privian gateway runtime and your configured LLM provider. The gateway runs on managed infrastructure; the provider region is determined by your provider account configuration.
- Is there a subprocessor list?
- Yes — see subprocessors.
FAQ
Security FAQ
- Does Privian store prompts?
- No. Raw prompts and rehydrated responses are not persisted. Only sanitized observability events (counters, latencies, model, entity counts) and rollup metrics are stored.
- Does the LLM provider see original sensitive values?
- No. The provider only sees the masked prompt, where sensitive values have been replaced with deterministic placeholders such as PERSON_1 and EMAIL_1.
- Does Privian stop prompt injection?
- No. Privian does not currently claim to block prompt injection, jailbreak attempts or unsafe model output. Its focus is reducing sensitive data exposure in prompts before they reach the provider.
- How are provider keys handled?
- Provider keys are encrypted with AES-256-GCM at rest. The plaintext is discarded immediately after encryption. Only safe metadata (last4 + a non-reversible HMAC fingerprint) is returned to the client. The gateway hot path resolves credentials server-side and never exposes plaintext.
- Is Privian compliant with HIPAA, SOC 2 or PCI?
- No. Privian does not claim HIPAA, SOC 2 or PCI compliance today. It is a privacy-reduction control, not a substitute for a compliance program.
- What data types are currently masked?
- Personal identifiers (PERSON, EMAIL, PHONE, IP_ADDRESS), financial and national identifiers (CREDIT_CARD, IBAN, SSN_US, SIN_CA), and developer secrets (JWT, OPENAI_API_KEY, GITHUB_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, GENERIC_API_KEY, ENV_SECRET, SECRET_TOKEN). Norwegian fødselsnummer is not yet supported.
Blueprint
Privian Blueprint
Trust
Related trust resources
The same picture from different angles — procurement-friendly references.
Trust & Security Review Center
Procurement-ready hub: data path, retention, BYOK and scope.
Data path
What reaches the model, what stays, what is logged.
GDPR and LLMs
How prompt-level controls fit EU privacy expectations.
Sub-processors
Providers Privian uses and what each one sees.
Privacy
Privacy notice for the Privian application and gateway.
