Security & Privacy

Security You Can Verify

Zero-knowledge architecture means we never see your data. Our multi-layered detection engine ensures sensitive information is scrubbed before it reaches any AI. We publish our threat model so you can verify our claims.

Security Principles

Our architecture is built on four foundational security principles that ensure your data remains private.

Zero-Knowledge Architecture

PrivaiShield is designed so that we never have access to your raw data. All redaction and re-identification happens in your browser. Our servers never receive, process, or store unredacted content.

  • Entity recognition engine runs entirely in the browser
  • Token-to-original mapping stored only in your browser
  • No server-side logging of prompt content
  • We cannot decrypt your data even if compelled

In-Browser Processing

The real-time entity recognition engine runs entirely within the browser. Standard mode identifies 19+ entity types instantly. Enhanced mode adds deep learning–powered NER on the server for names and context-dependent data — two layers working together.

  • Real-time entity recognition runs in-browser
  • No internet connection required for standard detection
  • Enhanced mode adds server-side deep learning NER
  • Works on any modern browser — desktop and mobile

No Raw Data Storage

We do not store your original text, documents, or files anywhere. The only data that leaves your browser is already fully anonymized. Even our usage analytics contain no PII.

  • No server-side data persistence
  • Sanitized prompts are not stored after processing
  • Audit logs contain only metadata, never content
  • Data retention: zero days for content data

End-to-End Encryption

All data in transit is encrypted with TLS 1.3. Data at rest (token vault, configuration) is encrypted with AES-256-GCM. Encryption keys are derived from your credentials and never leave your device.

  • TLS 1.3 for all network communication
  • AES-256-GCM for local data at rest
  • AWS KMS customer-managed keys
  • Perfect forward secrecy for all sessions

Threat Model

We publish our threat model transparently so you can evaluate our security posture.

| Threat | Mitigation | Status |
| --- | --- | --- |
| AI provider sees PII | All PII is replaced with reversible tokens before leaving device | Mitigated |
| Man-in-the-middle attack | TLS 1.3 for all connections | Mitigated |
| Local data breach | AES-256-GCM encryption with AWS KMS customer-managed keys | Mitigated |
| PrivaiShield operator access | Zero-knowledge architecture — we never receive raw data | Mitigated |
| Model inference attack | Consistent token replacement prevents entity reconstruction | Mitigated |
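
The reversible, consistent token replacement named in the threat model above, sketched as an added example (this is not PrivaiShield's code): a browser-side vault maps each detected value to a stable placeholder and restores it in the model's reply. The `[TYPE_n]` token format, the two regex patterns and the `TokenVault` class are assumptions made for illustration.

```javascript
// Added illustration; not PrivaiShield's implementation.
// Assumed: the [TYPE_n] token format, these two patterns, the TokenVault name.
const PATTERNS = {
  EMAIL: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g,
  SSN: /\b\d{3}-\d{2}-\d{4}\b/g,
};

class TokenVault {
  constructor() {
    this.toToken = new Map();    // "TYPE:value" -> token
    this.toOriginal = new Map(); // token -> original value (stays client-side)
    this.counters = {};
  }

  // Same value always yields the same token, so the model can still
  // tell "the same person twice" from "two different people".
  tokenFor(type, value) {
    const key = `${type}:${value.toLowerCase()}`;
    if (!this.toToken.has(key)) {
      this.counters[type] = (this.counters[type] || 0) + 1;
      const token = `[${type}_${this.counters[type]}]`;
      this.toToken.set(key, token);
      this.toOriginal.set(token, value);
    }
    return this.toToken.get(key);
  }

  // Replace every detected entity before the text leaves the page.
  redact(text) {
    let out = text;
    for (const [type, re] of Object.entries(PATTERNS)) {
      out = out.replace(re, (match) => this.tokenFor(type, match));
    }
    return out;
  }

  // Restore originals in the model's reply; unknown tokens are left as-is.
  reidentify(text) {
    return text.replace(/\[[A-Z]+_\d+\]/g, (t) => this.toOriginal.get(t) ?? t);
  }
}

// Constructed sample input.
const vault = new TokenVault();
const prompt = "Mail alice@example.com or bob@example.org; SSN 123-45-6789. Again: alice@example.com";
const sent = vault.redact(prompt); // only this string would go to the AI provider
const shown = vault.reidentify("Reply to [EMAIL_2] and [EMAIL_9]");
console.log(sent, "\n", shown);
```

When evaluating a design like this, check where `toOriginal` is persisted and that no request body or log line ever carries a value from it.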

Certifications & Audits

We back our security claims with independent verification.

HIPAA

BAA available for healthcare customers

GDPR

Data processing agreement included

Encryption Details

Data in Transit

  • TLS 1.3 enforced on all endpoints
  • HSTS with max-age of 1 year, includeSubDomains
  • No fallback to older TLS versions

Data at Rest

  • AES-256-GCM for token vault encryption
  • AWS KMS customer-managed keys for key management
  • Unique encryption keys per user, per device
  • Keys never transmitted or stored server-side

Chat Storage Options

PrivaiShield offers two storage modes for your chat history. The default is local storage for maximum privacy.

Local Storage (Default)

Chat history stays on your device using browser IndexedDB. Prompts are still sent to the server for AI processing, but conversations are not stored server-side. History is lost if browser data is cleared, and it is available on a single device only.

  • Chat history never leaves your device
  • No server dependency for storage
  • Prompts processed securely via server

Server Storage (Opt-in)

Encrypted with AES-256-GCM using AWS KMS customer-managed keys. Accessible from any device. Can be deleted at any time from Account Settings.

  • Access from any device
  • AES-256-GCM encryption with AWS KMS
  • Delete at any time from Account Settings

When switching from server to local storage, all server-stored chats are permanently deleted. You can change your storage preference in Account > Chat & Privacy.

Questions about our security?

Our security team is available to answer questions and provide documentation for your compliance review.