CloakPipe is built as four distinct product surfaces — the Rust proxy, the encrypted vault, the policy engine, and the audit layer. The proxy is open source under Apache 2.0. Everything above it is the commercial platform that closes enterprise deals in regulated industries. Each layer adds value on top of the last.
A Rust-native reverse proxy that intercepts AI API calls, pseudonymizes outbound data, and rehydrates inbound responses in real time — under 50 ms p95, including the full detection pipeline. Eight Rust crates compiled to a single native binary. Your application changes exactly one line: the base URL.
Change your base URL from api.openai.com to your CloakPipe endpoint. No other code changes. Works with LangChain, LlamaIndex, CrewAI, curl, and any OpenAI-compatible client.
LLMs stream token-by-token. CloakPipe maintains a sliding window, detects pseudonymized tokens mid-stream, looks up real values from the vault, and splices them in — without buffering or breaking the SSE contract.
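A sliding-window rehydrator of the kind described above, written as an added example for this page (it is not CloakPipe's own code). It assumes placeholders of the form `[[TOKEN]]`, a `HashMap` standing in for the vault lookup, and an assumed 64-byte cap on how long an unclosed placeholder is held back before being released as literal text.

```rust
use std::collections::HashMap;
/// Longest unclosed placeholder held back while waiting for "]]" (assumed cap).
const MAX_TOKEN_LEN: usize = 64;

/// Rehydrates `[[TOKEN]]` placeholders in a token-by-token stream without buffering
/// the whole response: only a tail that could still be a placeholder is carried over.
pub struct Rehydrator {
    vault: HashMap<String, String>, // token -> real value (stand-in for the vault lookup)
    carry: String,                  // unresolved tail of the stream
}

impl Rehydrator {
    pub fn new(vault: HashMap<String, String>) -> Self { Self { vault, carry: String::new() } }

    /// Feed one streamed chunk; returns the text that is safe to emit now.
    pub fn push(&mut self, chunk: &str) -> String {
        self.carry.push_str(chunk);
        let mut out = String::new();
        loop {
            let start = match self.carry.find("[[") {
                Some(s) => s,
                None => {
                    // No opener: release all but a trailing '[' that may still become "[[".
                    let split = self.carry.len() - usize::from(self.carry.ends_with('['));
                    out.push_str(&self.carry[..split]);
                    self.carry.drain(..split);
                    return out;
                }
            };
            out.push_str(&self.carry[..start]); // literal text before the opener
            self.carry.drain(..start);
            match self.carry.find("]]") {
                Some(end) => {
                    let token = &self.carry[2..end];
                    // Unknown tokens pass through unchanged rather than being guessed.
                    let real = self.vault.get(token).cloned().unwrap_or_else(|| format!("[[{token}]]"));
                    out.push_str(&real);
                    self.carry.drain(..end + 2);
                }
                None if self.carry.len() <= MAX_TOKEN_LEN => return out, // still open: hold it
                None => { out.push_str("[["); self.carry.drain(..2); } // too long: literal "[["
            }
        }
    }

    /// Flush what remains once the stream ends; an unclosed placeholder is emitted as literal text.
    pub fn finish(&mut self) -> String {
        std::mem::take(&mut self.carry)
    }
}
```

Each call to `push` returns only text that can no longer be part of a placeholder, so a token split across two SSE chunks is resolved once its closing delimiter arrives, without delaying the surrounding text.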
Route to OpenAI, Anthropic, Google, AWS Bedrock, Azure OpenAI, or any self-hosted model via vLLM or Ollama. Apply different masking policies per provider — strict for closed models, lighter or bypassed for self-hosted.
A Model Context Protocol server exposing mask_text, mask_file, unmask_in_context, and scan_directory tools. AI agents can call CloakPipe directly as a tool from Claude Desktop, Cursor, or any MCP client.
Detection is deliberately commoditized — CloakPipe does not lock you into a single model. The proxy runs a tiered pipeline where each tier escalates only as needed: what regex catches deterministically, the neural models never see; what one model misses, the ensemble catches. OpenAI Privacy Filter scores 96% on synthetic benchmarks but Tonic.ai measured 18–65% on real-world EHR notes, call transcripts, and loan contracts. No single model catches everything — which is why the pipeline tiers.
An encrypted tokenization vault that stores the mapping between real sensitive data and pseudonymized tokens. The vault is the source of truth — and the reason pseudonymization is reversible under policy, not a one-way redaction. Without a vault, data goes in and nothing useful comes out.
Every real value stored in the vault is encrypted with AES-256-GCM. Nothing real exists outside the vault — the clean prompt that reaches the provider contains zero original sensitive data.
Bring your own keys via AWS KMS, GCP Cloud KMS, Azure Key Vault, or HashiCorp Vault Transit. Envelope encryption with customer-managed root keys — you never hand CloakPipe the keys to your customer's data.
The same input always produces the same token within a tenant's scope, preserving entity consistency across conversations and batches. Format-preserving FF1 (NIST SP 800-38G) keeps cards Luhn-valid and emails email-shaped.
Each customer gets their own vault namespace with their own encryption keys. No cross-tenant data access is possible at the cryptographic level.
Tokens can expire after a single conversation, after a configurable TTL, or persist indefinitely for ongoing workflows. Scope the lifetime to the sensitivity of the workload.
Encryption keys rotate on a configurable schedule without disrupting active tokens. Old tokens remain decryptable; new tokens use the latest key. No downtime, no migration.
A policy engine that defines what gets masked, for which models, for which teams, and who can unmask. Policies are code, versioned in Git, and enforced automatically on every request — backed by OPA (Open Policy Agent) or Cedar for sub-millisecond authorization decisions.
"Mask all patient names when routing to external models." "Block financial amounts from reaching any provider." "Allow internal model calls unmasked." Per entity type, per action.
Maximum masking for OpenAI, Anthropic, and Google. Bypass for self-hosted vLLM. Mask only financial data for Venice TEE models. Per provider, per masking level.
"Legal: mask everything, no exceptions. Engineering: mask PII, allow code. Data science: unmasked access to internal models only." Per RBAC role, mapped from SAML / OIDC.
Unmasking decided at runtime from who is asking, their role, the data's sensitivity, and the workflow context. A sales agent cannot unmask medical records; a supervising physician can — but only during an active case review.
Define domain-specific entity types via regex, keyword lists, or NER labels: medical record numbers, case docket IDs, insurance policy numbers, internal employee IDs — whatever your domain requires.
Defined in YAML, backed by OPA or Cedar. Every change is a versioned commit; every evaluation is an audit event. Policies are testable, reviewable, and deployable through standard CI/CD.
A compliance and observability layer that records every privacy-relevant event, generates compliance evidence, and integrates with your existing monitoring stack. Audit logs never contain raw sensitive data — they record what types of data were processed and what actions were taken, not the values. The audit trail is itself privacy-safe.
Every request (timestamp, caller, source IP, destination provider), every detection event (entity types, confidence, model used), every masking action, every unmask request, and every policy evaluation — plus full latency metrics.
The trail records that a DIAGNOSIS was masked for request req_8af9c2 — never the diagnosis itself. Evidence of control without becoming a second copy of the data you are protecting.
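The policy rules quoted in the policy-engine section (per entity type, per provider, per role, and runtime unmask checks) and the privacy-safe audit record described here, modelled together as an added Rust example that is not CloakPipe's code. The entity types, role names, provider identifiers (`openai`, `vllm-internal`, `venice-tee`) and the `Ctx`/`Detection` structs are assumptions chosen to mirror the page's examples; a real deployment expresses these rules in OPA or Cedar as the page describes.

```rust
/// Entity types, roles and actions modelled on the policy examples on this page.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Entity { PatientName, Diagnosis, FinancialAmount, Code }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Role { Legal, Engineering, DataScience, SalesAgent, Physician }
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Action { Allow, Mask, Block }
/// Who is asking, where the request is routed, and the workflow context (assumed shape).
pub struct Ctx<'a> { pub role: Role, pub provider: &'a str, pub active_case_review: bool }
/// A detection carries the real value; the audit event below deliberately never does.
pub struct Detection { pub entity: Entity, pub value: String }
/// Privacy-safe audit record: entity type, decision and caller context, no values.
#[derive(Debug)]
pub struct AuditEvent { pub request_id: String, pub entity: Entity, pub action: Action, pub role: Role, pub provider: String }

/// Masking decision for one entity type; the most restrictive applicable rule wins.
pub fn decide(entity: Entity, ctx: &Ctx) -> Action {
    // "Block financial amounts from reaching any provider."
    if entity == Entity::FinancialAmount { return Action::Block; }
    // Provider tier: closed models get full masking; self-hosted / TEE models are bypassed (assumed names).
    let provider_masks = !matches!(ctx.provider, "vllm-internal" | "venice-tee");
    // Role tier: legal masks everything, engineering masks PII but allows code,
    // data science (and everyone else) is unmasked only on internal models.
    let role_masks = match ctx.role {
        Role::Legal => true,
        Role::Engineering => entity != Entity::Code,
        _ => provider_masks,
    };
    if provider_masks || role_masks { Action::Mask } else { Action::Allow }
}

/// Runtime unmask check from role, data sensitivity and workflow context; default deny.
pub fn can_unmask(entity: Entity, ctx: &Ctx) -> bool {
    let medical = matches!(entity, Entity::PatientName | Entity::Diagnosis);
    // Only a physician during an active case review; a sales agent (or any other role) is denied.
    ctx.role == Role::Physician && medical && ctx.active_case_review
}

/// Evaluate one detection and emit its audit event; `det.value` is never copied into it.
pub fn evaluate(request_id: &str, det: &Detection, ctx: &Ctx) -> (Action, AuditEvent) {
    let action = decide(det.entity, ctx);
    let event = AuditEvent { request_id: request_id.to_string(), entity: det.entity, action, role: ctx.role, provider: ctx.provider.to_string() };
    (action, event)
}

impl AuditEvent {
    pub fn to_line(&self) -> String {
        format!("{} entity={:?} action={:?} role={:?} provider={}", self.request_id, self.entity, self.action, self.role, self.provider)
    }
}
```

The audit line produced for a masked diagnosis carries the request id, entity type, action, role and provider, and nothing from `Detection::value`, which is the property the trail above relies on.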
Exportable evidence for HIPAA (PHI masked before processors), GDPR/DPDP (data minimization), SOC 2 Type II (access & encryption controls), EU AI Act (de-identification), and PCI-DSS (tokenized cardholder data).
Structured traces, metrics, and logs from day one. Export to Datadog, Grafana, Splunk, Honeycomb, Prometheus, or any OTEL collector. Pre-built dashboards for detection rates, entity distribution, latency percentiles, and unmask patterns.
Every prompt, response, and tool call passes the same per-request hot path: authenticate, evaluate policy, detect, pseudonymize and write to the vault, forward a clean prompt, stream back, rehydrate, and emit an audit event. All of it in Rust, transparently, with a sub-50 ms p95 target.
| Component | Technology | Why |
|---|---|---|
| Proxy runtime | Rust / Axum / Tower | Sub-millisecond overhead per request. Zero-cost abstractions. Memory safety without GC pauses. |
| ML inference | ONNX Runtime (ort) | Run Privacy Filter and GLiNER2 locally on CPU or GPU. No Python dependency in the hot path. |
| Tokenization | HF tokenizers (Rust) | Fast model-input preparation, shared across the detection pipeline. |
| Vault encryption | AES-256-GCM · AES-SIV · FF1 | GCM for general encryption, SIV for deterministic tokens, FF1 (NIST SP 800-38G) for format-preserving values. |
| Key management | Vault Transit / cloud KMS | Envelope encryption. Customer-managed root keys. Automatic rotation. |
| Token registry | PostgreSQL (sqlx) | Deterministic token lookup with per-tenant isolation. Proven at scale. |
| Policy engine | OPA · Cedar | OPA: industry standard, Rego DSL, sub-millisecond decisions. Cedar: typed alternative for compile-time guarantees. |
| Observability | OpenTelemetry-rust | Traces, metrics, and logs over Tokio streams, exportable to any OTEL collector. |
Same Rust binary. Same detection pipeline. Same vault encryption. Pick the topology that matches your security posture — from fully managed cloud to a fully offline air-gapped install with no network calls and no telemetry.
CloakPipe helps your AI application meet regulatory requirements — and the product itself meets the standards needed to be deployable in regulated environments. Each framework maps to what it unlocks for your customers.
| Framework | CloakPipe status | What it enables for customers |
|---|---|---|
| SOC 2 Type II | In progress · Vanta | Cite CloakPipe's report in your own audits. Required for enterprise procurement in healthcare, finance, and legal. |
| HIPAA | BAA available | Demonstrate PHI is masked before reaching model providers. Fulfills the HIPAA de-identification safe harbor. |
| GDPR / DPDP | DPA template · Art. 25/32 | Proof of data minimization. Answer data subject access and deletion requests from the audit trail. Data residency controls. |
| EU AI Act | High-risk · Aug 2026 | Demonstrate personal data is de-identified before high-risk AI processing, with a human-oversight audit trail. |
| PCI-DSS | FPE tokenization | Process payment-related queries without exposing card numbers. No cardholder data stored in plaintext. |
| ISO 27001 | Planned | Required for European and APAC enterprise procurement. ~70% control overlap with SOC 2. |