Philterd

Talk to an Expert

Tell us about your stack and the privacy problems you're trying to solve. We typically respond within one business day.

Prefer to skip the form? Pick a time on our calendar →
or send a message

Please do not enter PII or PHI in this form. If you need to share an example, use a sanitized one.

For teams shipping AI features on regulated data

PII Guardrails for LLM Apps — Without Sending Prompts to a Third-Party API

Your security team won't let you send customer data to OpenAI. Your roadmap says “chatbot in Q3.” Philter AI Proxy closes the gap - a drop-in middleware that strips PII out of prompts before they reach the LLM provider, then puts it back on the way out. Runs in your VPC. Apache 2.0.

  • Drop-in proxy for OpenAI, Anthropic, Bedrock - point your SDK at it, nothing else changes
  • PII stripped before prompts leave your perimeter; optionally scrubbed on responses too
  • RAG ingestion redaction - vector stores can't leak what was never written
  • Training-data prep - aggressive redaction for fine-tuning corpora
Apache 2.0 Runs in your VPC No third-party API HIPAA / GDPR / CCPA ready

Built for the AI privacy patterns showing up in production

  • Chatbots on regulated data
  • RAG over customer documents
  • Internal AI assistants
  • Training-corpus prep
  • Agent tool-call pipelines
  • Voice-AI transcripts

Why AI teams pick Philter AI Proxy

Three failure modes, one engine

Prompts to hosted LLMs, ingestion into vector stores, training corpora - same PII problem in three shapes. Philter handles all three with one policy surface and one audit trail.

Drop-in, not rewrite

Point your existing OpenAI/Anthropic/Bedrock SDK at the proxy URL. The rest of your app doesn't change. How it works.

Reversible by design

Detect & replace PII with deterministic tokens on the way out; restore the original values when the LLM response comes back, so your users still see real names and numbers in the answer.

Defends against embedding inversion

Embedding inversion attacks can reconstruct text from vectors. The fix is to redact before embedding - not after. Philter does that as a first-class ingestion step.

Self-hosted, not someone else's privacy SaaS

The proxy runs in your VPC alongside the rest of your AI stack - not in a third-party tenant. Prompts and responses never leave your perimeter on their way to or from the LLM provider.

Provider-agnostic

Works with OpenAI, Anthropic, Bedrock, Vertex, and self-hosted open source LLMs. Swap providers without re-doing the PII layer; the policy travels with the proxy, not the model.

What we’ll cover on the call

  • Where the PII actually flows: prompts, retrieval context, tool calls, logs, vector stores, training data - we’ll map your real surface, not a generic diagram.
  • The hosted-LLM BAA / DPA chain: which providers have which agreements, what they cover, what they don’t, and where the residual risk sits.
  • Proxy vs. inline integration: which fits your existing AI architecture cleanest, and the trade-offs.
  • Reversible-vs-irreversible redaction: when to use which, and how to keep the user-facing output natural without leaking on the LLM side.
  • A concrete next step: one of three concrete patterns to ship, in priority order.

No code review or sample data needed for the conversation - just an architecture sketch and an honest take on your timeline.

Make security review the easy part of your AI launch

30 minutes with Jeff - bring your AI architecture, leave with a concrete privacy plan that survives security review. Whether or not Philter is the right answer for your stack.

Or deploy Philter yourself →