PII firewall for LLM calls

The prompt leaves.
The secrets don't.

Cloak swaps every email, card, and secret for a reversible token before your prompt hits OpenAI or Claude — then restores the real values in the reply.

support_ticket_4821.txt UNREDACTED
customer: Dr. Jane Doe«PERSON_1» email: john.smith@acme.com«EMAIL_1» card: 4242 4242 4242 4242«CARD_1» ssn: 123-45-6789«SSN_1» api_key: sk-ant-api03-Xy7Kp2Lm9…«KEY_1» summarise the risk and next steps

Why it matters

Once PII is in someone else's logs, you can't take it back.

€20M
Max GDPR fine, or 4% of global revenue — whichever hurts more.
30–90d
How long third-party providers retain prompt data for abuse review.
0
Sensitive values that leave your process once Cloak is in front.

How it works

Three steps. Your code barely changes.

Cloak is a boundary, not a rewrite. It redacts on the way out, lets the model reason over stable tokens, and restores the real values on the way back — so the same customer is still the same customer to the model.

STEP 01

Redact outbound

Every detected value becomes a stable token. The same email always maps to the same token, so context survives.

STEP 02

Call the LLM

Only tokens cross the wire. The model summarises, classifies, and reasons exactly as before — it never sees a real value.

STEP 03

Restore inbound

Tokens in the response are swapped back to the real values, in-process. Your app gets a normal answer.

Drop-in, three ways

Fits the code you already have.

Dependency-free, ~300 lines of Node. Wrap a function, call it manually, or run it as an OpenAI-compatible proxy and change nothing but the base URL.

1 · Wrap your call2 lines
// PII redacted out, restored back — automatically
const safeChat = cloak.guard(openaiChat);
const reply = await safeChat(
  "refund john@acme.com on card 4242 4242 4242 4242"
);
2 · Manual controlredact / restore
const { redacted, vault } = cloak.redact(text);
const out = await llm(redacted);
return cloak.restore(out, vault);
// vault never leaves the process
3 · As a proxy — point your SDK at it, change one lineOpenAI-compatible
$ node examples/proxy.js            # /v1/chat/completions on :8787
# then, in your app:
new OpenAI({ baseURL: "http://localhost:8787" })   // ← the only change
# every message is redacted before it forwards upstream, and the
# model's reply is un-redacted on the way back to you.

Out of the box

What Cloak catches.

Regex-plus-validation detectors — credit cards are Luhn-checked, so an order number never gets mistaken for a card. Black chips are PII; red chips are secrets.

Email Credit card · Luhn SSN IBAN Phone IP address Person name AWS key OpenAI / Anthropic key Stripe key GitHub token JWT

Pricing

Start free. Pay when compliance asks for a paper trail.

The core engine is free and self-hosted forever. Pro adds the things an auditor wants to see.

Open Core
$0
self-hosted · MIT
  • All regex + Luhn detectors
  • Reversible tokens & sessions
  • Custom patterns + allow-lists
  • CLI, guard(), proxy · unlimited
npm i @cloak/redact
Pro
$49/mo
per service · 14-day trial
  • ML name & address detection
  • Policy packs — HIPAA · GDPR · PCI
  • Tamper-evident redaction receipts
  • Managed entity dictionaries
  • Team audit log
Start trial
Enterprise
Talk
annual · self-hosted
  • SSO / SAML, SCIM
  • Signed DPA & BAA
  • Air-gapped deployment
  • Support SLA + review
Book a call