Differential privacy for PII analytics

Philter Diffuse

Philter Diffuse applies differential privacy to PII counts and aggregations, so you can answer questions like "how many SSNs flowed through this pipeline last month" without exposing individuals. Statistical utility without identification risk, backed by math, not best effort.

Why differential privacy

Provable, not promised

Formal ε-budgets backed by mathematical proof. "Differentially private" means something specific here: not a marketing word, but a measurable property of the algorithm.

Membership-inference resistant

Adding or removing one record from the input changes the output by a bounded amount. An adversary with the result can't tell whether a specific individual was in the dataset.

Aggregate queries only

Counts, sums, averages: never raw records. The output preserves the population-level signal you need for analytics while making it impossible to reconstruct any single contributor.

Tunable budget

Lower ε means more noise and stronger privacy; higher ε means less noise and stronger utility. Pick the trade-off that fits your regulatory posture, per query.

Drop-in for Philter telemetry

Point Philter Diffuse at your Philter or Phield logs to run safe analytics on your own redaction telemetry. Measure pipeline behavior without re-identifying the people the data was supposed to protect.

Open source

Every line of the noise calibration, sensitivity analysis, and budget accounting is inspectable. The math is auditable, the implementation is auditable, the privacy guarantee is reproducible.

Frequently asked questions

If something here isn’t covered, get in touch and we’ll answer.

What is Philter Diffuse?
Philter Diffuse applies differential privacy to PII counts and aggregations. It lets you answer questions like "how many SSNs flowed through this pipeline last month" while making it provably hard to tell whether any single individual was in the underlying data. You get statistical utility without identification risk, backed by math rather than best effort.
What is differential privacy, briefly?
Differential privacy is a formal guarantee: adding or removing one record from the input changes the output by at most a bounded amount, set by a privacy budget (epsilon). Philter Diffuse calibrates noise to that budget, so an adversary holding the result can't confidently infer whether a specific person contributed to it.
What kinds of questions can I ask it?
Aggregates only: counts, sums, and averages, never raw records. The output preserves the population-level signal you need for analytics while making it impossible to reconstruct any single contributor.
How do I choose the privacy strength?
The trade-off is set by the privacy budget (epsilon), which controls the noise scale. Lower epsilon means more noise, stronger privacy, and less utility; higher epsilon means less noise, weaker privacy, and more utility. You pick the balance that fits your regulatory posture, and you can pick it per query.
How does Philter Diffuse fit with the rest of the toolkit?
Point it at your Philter or Phield telemetry: a JSON map of entity type to raw count, or counts read straight from MongoDB. It privatizes those counts so you can run safe analytics on your own redaction telemetry without re-identifying the people the data was meant to protect.
Is Philter Diffuse open source?
Yes. The noise calibration, sensitivity analysis, and budget accounting are all inspectable, open source under the Apache License, version 2, on GitHub. The math is auditable, the implementation is auditable, and the privacy guarantee is reproducible.
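
The per-query epsilon and the JSON count map described in the answers above, as an added example that is not Philter Diffuse's own code. It assumes the Laplace mechanism (the page does not name the noise distribution), that one record changes the whole map by at most 1 in total, and basic sequential composition across queries; `PrivacyAccountant`, `privatize_counts` and `mean_abs_noise` are hypothetical names and the telemetry is a constructed sample.

```python
import json
import random

# Constructed sample: a JSON map of entity type to raw count.
SAMPLE_TELEMETRY = '{"SSN": 1200, "EMAIL": 5400, "PHONE": 310}'

class BudgetExceeded(Exception):
    """Raised when a query would overspend the total privacy budget."""

class PrivacyAccountant:
    """Hypothetical helper: sums epsilon per query (basic sequential composition)."""
    def __init__(self, total_epsilon):
        self.total_epsilon = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total_epsilon:
            raise BudgetExceeded(f"{self.spent + epsilon:.2f} > {self.total_epsilon:.2f}")
        self.spent += epsilon

def laplace_noise(scale, rng):
    # The difference of two i.i.d. exponentials with mean `scale` is Laplace(0, scale).
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

def privatize_counts(telemetry_json, epsilon, accountant, sensitivity=1.0, seed=None):
    """Release every count in the map with Laplace noise of scale sensitivity/epsilon.
    Assumption: adding or removing one record changes the whole map by at most
    `sensitivity` in total (L1), e.g. one record increments one count by 1.
    """
    counts = json.loads(telemetry_json)
    accountant.charge(epsilon)  # refuse the query before producing any output
    # A seed is for reproducible demos only; real releases need OS randomness.
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    scale = sensitivity / epsilon
    return {entity: n + laplace_noise(scale, rng) for entity, n in counts.items()}

def mean_abs_noise(epsilon, trials=20000, seed=7, sensitivity=1.0):
    """Empirical mean |noise| for an epsilon; the expected value is sensitivity/epsilon."""
    rng = random.Random(seed)
    scale = sensitivity / epsilon
    return sum(abs(laplace_noise(scale, rng)) for _ in range(trials)) / trials

if __name__ == "__main__":
    acct = PrivacyAccountant(total_epsilon=1.0)
    for eps in (0.1, 0.5):
        print(eps, privatize_counts(SAMPLE_TELEMETRY, eps, acct, seed=1))
    print("spent:", acct.spent, "mean |noise| at eps=0.1:", mean_abs_noise(0.1))
```

If one person can contribute to several counts, `sensitivity` must be raised to that per-person maximum or the stated epsilon no longer holds.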
