PII Firewall · Reversible Anonymisation · Full Egress Audit
Use Claude, GPT and Gemini. Without the exposure.
Faheem Shield is a local gateway in front of the frontier models your teams already want. Personal and sensitive data is swapped for reversible tokens before any prompt leaves, restored on the answer, and every call is logged. If detection is uncertain, nothing is sent.
Your choice of frontier model, configured at deployment.
[09:41:02]pii_detected · 3 masked→ claude
[09:41:06]restored · response returned· lossless
[09:41:10]clean · allowed→ gpt
[09:41:14]rag_retrieval · on-prem index· 0 docs sent
[09:41:18]pii_detected · [IBAN_1] [PHONE_1]→ gemini
[09:41:22]uncertain_detection · BLOCKED· fail closed
[09:41:26]secret_screen · credentials removed→ claude
Deployment model
The one tier where data leaves. On your terms.
Shield exists for workloads that want top-tier frontier model quality and cannot send raw personal data to an external provider. It is honest about the trade: requests do leave, but only after the gateway has stripped what must not.
- A local privacy gateway sits in front of any external model. Nothing goes around it.
- Your documents never make the trip: an on-premises RAG knowledge base is the source of truth, retrieval runs locally, and only the masked prompt leaves.
- Names, national IDs, account numbers, cards and phone numbers are replaced with reversible tokens before egress, in Arabic and English.
- Responses come back with the real values restored, exactly, on your side of the boundary.
- Policy controls govern what may leave, with optional human approval of the masked preview before sensitive sends.
- Every masked egress is written to the tamper-evident black box, with counts of what was masked.
Built with the Gulf's data protection regimes in mind: the compliance engine maps and scores its controls against all six states' frameworks, live.
SHIELD // GATEWAY_PROFILE
- DETECTIONLOCAL · AR + EN
- TOKENSREVERSIBLE
- ON_UNCERTAINTYFAIL CLOSED
- HUMAN_APPROVALOPTIONAL GATE
- EGRESS_LOGBLACK BOX
- SPENDMETERED
Where your data goes
Masked on the way out. Restored on the way back.
The external model sees tokens, never people, and it never sees your documents at all: retrieval runs against your on-premises knowledge base before the masked prompt goes out. Your team sees real answers about real records, because the gateway restores every value on return.
Your team
real names · real accounts
Shield gateway
PII swapped for tokens · uncertain? not sent
RAG knowledge base
your documents · never uploaded
Black box
every masked send recorded
External frontier model
sees [PERSON_1], [IBAN_1], [PHONE_1]. Never the real values.
What you get
A redaction layer you can audit.
Shield is built like security software, not a plugin: deterministic checks where they are possible, fail-closed behaviour where they are not.
Structured identifiers, caught cold
Emails, phone numbers (including bare GCC local formats), IBANs, national IDs, payment cards and money amounts are detected with deterministic, checksum-validated rules. This is the validated floor of the system.
Arabic-aware by design
Detection runs locally in Arabic and English. Arabic-Indic numerals are normalised and hidden control characters stripped, so obfuscated identifiers cannot slip past the gate.
Fail closed, never open
If a detector errors, a required check does not run, or a rescan of the masked text still finds anything, the request is not sent. Uncertainty stops egress; it never waves it through.
A human can hold the gate
Sensitive sends can require sign-off. The reviewer sees the masked preview, so the approval step itself never exposes raw personal data.
Reversible, session-scoped tokens
Each value becomes a stable token like [PERSON_1] or [IBAN_1], mapped in a local vault and restored losslessly on return. The mapping never leaves your infrastructure.
A full record of what left
Every masked egress lands in the tamper-evident black box with per-category counts, and external model spend is metered. You can always answer: what left, when, and with what removed.
Who it is for
Frontier quality, on real work.
The workloads teams route through Shield on day one, under a regulator who will ask what left.
- Drafting and review: board papers and correspondence, with names and accounts tokenised
- Coding assistance: prompts screened for secrets and credentials before they leave
- Analysis over customer records, with identities masked on the way out and restored on return
- Frontier answers for teams still ahead of a full sovereign deployment
Under the hood
Honest boundaries, stated plainly.
Anonymisation reduces exposure. It does not make external AI sovereign, and we will never tell you it does. What Shield guarantees is the gate: personal data is stripped before egress or the request does not leave.
The other tiers
Same platform. Different boundary.
Shield is the pragmatic tier: external AI with a sovereign redaction layer. When workloads must never leave at all, the sovereign tiers keep everything home.
Questions, answered
Faheem Shield, in plain terms.
What counts as PII, and how is it detected?
Structured identifiers, including emails, phone numbers, IBANs, national IDs, payment card numbers and money amounts, are caught with deterministic, checksum-validated rules. Names, organisations, roles and similar free-text entities are detected by a language model running locally on your infrastructure, and the gate is exercised by a dedicated adversarial test suite that tries to smuggle identifiers past it. Detection never uses an external service.
Does it handle Arabic personal data?
Yes. Detection runs in Arabic and English, Arabic-Indic numerals are normalised so digits cannot be disguised, and hidden control characters are stripped before checking. Restored responses keep the original text exactly.
Is the anonymisation really reversible?
Yes. Each detected value is replaced with a stable token and the mapping is kept in a local, session-scoped vault. When the external model responds, the gateway swaps the tokens back for the real values, losslessly, on your side. The mapping never leaves your infrastructure.
What happens if detection is uncertain?
The request is not sent. The gate fails closed: if any detector errors, a required check does not run, or a final rescan of the masked text still finds something, egress stops and the send can be escalated to a human who reviews the masked preview. Uncertainty never defaults to sending.
Do our documents get uploaded to the external models?
No, never. Your documents live in an on-premises RAG knowledge base that acts as the source of truth: indexing, retrieval and citation all run on your infrastructure. The external model only ever sees the masked prompt text; the documents themselves never leave.
What is logged?
Every masked egress is written to the same tamper-evident, hash-chained black box used across Faheem, with counts of what was masked in each category, and external model usage is metered. You get a provable record of exactly what left and what was removed first.
Does Shield make external AI sovereign?
No, and we will not claim it does. Requests do leave your boundary; that is the point of the tier. Shield reduces exposure by guaranteeing personal data is stripped before anything goes, and by recording everything that went. For workloads that must never leave at all, use Faheem Sovereign or Private Cloud.
Frontier models, with a sovereign redaction layer.
Book a demo and watch the gateway strip a document of every identifier, send it, and restore the answer, with the audit log recording each step.