Xybern Redact¶

Xybern Redact is a privacy enforcement proxy that sits between your AI agents and any LLM provider. Every message is stripped of personally identifiable information (PII) before it leaves your environment. The LLM works on pseudonymized text. The response is de-anonymized before it reaches your application.

Your agents never need to change their code. You change one line: the base_url.

How It Works¶

Without Redact:
  Agent → LLM   ("Michael Chen at Goldman Sachs signed the NDA…")
                 ↑ real PII in transit, in LLM logs, in vendor training

With Redact:
  Agent → Redact proxy → anonymize → LLM  ("Finley Warren at Cobalt Group signed…")
                       ← de-anonymize ← LLM response
  Application sees the original names restored - LLM never did.

The mapping between real values and pseudonyms is stored per-workspace in an encrypted entity map. The same person always gets the same pseudonym within a workspace, so responses are coherent across multi-turn conversations.

What Gets Anonymized¶

Redact detects and replaces the following entity types depending on your policy configuration:

Entity Type	Examples	Replacement
Person names	`Michael Chen`, `Dr. Sarah Williams`	Consistent pseudonym (`Finley Warren`)
Organisation names	`Goldman Sachs Group Inc.`	Consistent pseudonym (`Cobalt Group`)
Email addresses	`m.chen@goldman.com`	Anonymized email (`morgan@corp-anon.org`)
Phone numbers	`+1 (212) 555-0100`	`(555) 141-0033`
SSNs	`123-45-6789`	`[SSN-14737]`
Credit card numbers	`4111 1111 1111 1111`	`[CARD-REDACTED]`
Dates	`March 12, 2024`	Shifted by configured offset
Financial figures	`$2.4 million`	Scaled by configured factor
Signatures	`/s/ Michael Chen`, `Signed by:`, `CN=…`	Pseudonymized or redacted

Pseudonym generation is deterministic, the same real value always maps to the same pseudonym within a workspace, ensuring LLM responses remain coherent.

Architecture¶

┌─────────────────────────────────────────────────────────────┐
│                        Your Agent                           │
└──────────────────────────┬──────────────────────────────────┘
                           │  POST /redact/v1/chat/completions
                           │  Authorization: Bearer xr_live_...
                           ▼
┌─────────────────────────────────────────────────────────────┐
│                     Xybern Redact Proxy                     │
│                                                             │
│  1. Authenticate API key → resolve workspace                │
│  2. Apply policy (doc_class scoping, strip toggles)         │
│  3. Anonymize messages (entities → pseudonyms)              │
│  4. Forward anonymized request to upstream LLM              │
│  5. Scan LLM output for leakage (re-anonymize if found)     │
│  6. De-anonymize: restore pseudonyms → real values          │
│  7. Log to cryptographic vault (HMAC + chain hash)          │
└──────────────────────────┬──────────────────────────────────┘
                           │
              ┌────────────┴────────────┐
              ▼                         ▼
         Upstream LLM              Redact Vault
         (Anthropic, OpenAI,       (immutable audit log,
          Gemini, DeepSeek…)        Merkle-sealed)

Key Features¶

Policy-driven anonymization Each workspace can have multiple named policies, each targeting a specific document class (legal, healthcare, finance, general). You control exactly which entity types are stripped.

Consistent pseudonyms Entity mappings persist across requests. "Goldman Sachs" is always "Cobalt Group" in your workspace. Multi-turn conversations stay coherent without exposing real data.

Custom entity types Define your own regex patterns per policy, employee IDs, project codenames, custom account numbers, or any domain-specific identifier. Custom entities are applied after all built-in detection.

Streaming support Pass "stream": true to receive responses as Server-Sent Events. Fully compatible with the OpenAI streaming format. Anonymization and leakage scanning complete before the stream begins, so no PII can leak mid-chunk.

Permanent redaction mode A policy toggle that skips the de-anonymization step entirely. Pseudonyms remain in the LLM response, real values never reach your application or database. Useful for training data generation and third-party review workflows.

Active leakage detection After the LLM responds, Redact scans the output for any real values that may have leaked back. Found values are automatically replaced with their pseudonyms before the response reaches your agent.

Leakage webhooks Subscribe to leakage.detected events and receive an HTTP callback the moment leakage is found. HMAC-signed payloads for verified delivery. Route to Slack, PagerDuty, or any SIEM.

Auto document class detection Pass "doc_class": "auto" and Redact infers the document type from content keywords, legal, healthcare, finance, or general. The correct policy is applied automatically without tagging each request.

Multilingual PII detection Redact detects person names in English, French, Spanish, German, Chinese (including surname-first patterns), and Arabic script (including Saudi Gulf names). No language configuration required - all patterns are applied by default.

Entity map TTL Set a workspace-level TTL so pseudonym mappings expire after N days. Expired mappings are pruned on the next request, helping you meet GDPR right-to-erasure and data minimisation requirements.

Batch async API Submit up to 500 messages in a single POST /redact/v1/batch call. Processing runs in the background. Poll the job endpoint or receive a batch.completed webhook when all messages are done. Designed for offline document pipelines.

Healthcare k-anonymity guard For doc_class: healthcare, Redact applies a 2-of-3 quasi-identifier rule: if age, location, and medical condition all appear together, the record is flagged for re-identification risk.

Cryptographic audit vault Every intercepted request is logged with SHA-256 chain hashes (append-only), HMAC-SHA256 record signing, and Merkle tree batch sealing. Any record can be independently proven to be unmodified.

Customer-managed keys The upstream API key and vault signing keys can be encrypted at rest using your own AES-256-GCM key or AWS KMS, ensuring Xybern never holds plaintext credentials.

Supported Upstream Providers¶

Redact routes to any of these providers, you configure which one per workspace:

Provider	Slug	Example Models
Anthropic	`anthropic`	`claude-sonnet-4-6`, `claude-opus-4-7`
OpenAI	`openai`	`gpt-4o`, `gpt-4-turbo`
Google Gemini	`gemini`	`gemini-2.0-flash`, `gemini-1.5-pro`
DeepSeek	`deepseek`	`deepseek-chat`, `deepseek-reasoner`
Mistral AI	`mistral`	`mistral-large-latest`, `open-mixtral-8x22b`
OpenRouter	`openrouter`	`openai/gpt-4o`, `anthropic/claude-3.5-sonnet`
Groq	`groq`	`llama3-70b-8192`, `mixtral-8x7b-32768`
Together AI	`together`	`meta-llama/Llama-3-70b-chat-hf`

Next Steps¶

Quick Start, get running in under 5 minutes
Proxy Endpoint Reference, full API reference including streaming
Policies, configure what gets anonymized, permanent redaction, and custom entities
Webhooks, real-time leakage alerts
Batch API, async document processing for offline pipelines
Vault & Audit Trail, cryptographic record keeping