BiVelio Privacy Gateway
Your data never reaches the model.
BV-PRGA is a fail-closed DLP frontier that detects and redacts PII and secrets before any prompt, tool call or document leaves your perimeter for OpenAI, Anthropic or anyone else. Self-hosted. EU-resident. It never fails open.
What it catches
Four detection layers, one frontier.
Structured identifiers are gated on real checksums, so false positives — and the over-blocking they cause — stay near zero. Secrets are treated as incidents, not personal data.
Structured identifiers
DNI/NIE/NIF/CIF, IBAN (mod-97), cards (Luhn), ES/AD phones, email, IPv4 — every match validated by its checksum, then reversibly tokenised so the value round-trips: zero data loss.
Secrets & keys
OpenAI/Anthropic/AWS/GCP/GitHub/Stripe keys, JWT (header-verified), PEM private keys, connection strings. Detected → blocked → treated as compromised.
Names & places (NLP)
Multilingual Presidio NER for people and locations that have no structural signature — the fuzzy long tail that regex can't reach.
Tenant dictionaries
Codenames, unannounced clients, internal labels — the confidential data no generic model knows about, declared per tenant.
| Provider surface | Inspected — including the parts others miss |
|---|---|
| /v1/chat/completions | content, vision text, tool_calls[].function.arguments (parsed JSON, recursive), legacy function_call, message name, user, metadata |
| /v1/responses | instructions, input[] walked recursively, tool outputs, function args, metadata |
| /v1/messages | system, text, thinking, tool_use.input (recursive), tool_result, tools, metadata |
| /v1/embeddings | input (string or list), user |
| any other path | DENIED — no catch-all. New endpoint = new adapter + tests. |
Measured, not claimed
Numbers reproduced from code.
The deterministic layer on a seeded, multilingual corpus with hard negatives. Run it yourself: make benchmark.
Contextual-PII (NLP) layer, reported honestly: oracle recall 0.99, auto F1 0.94, combined residual leak ~3.25% — we do not claim 100% on free-text names. *False-positive rate near zero because every structured match passes a checksum.
Try it live
See it redact — and put it back.
Paste a support ticket, a code snippet, a customer record. Watch sensitive values get pseudonymised or redacted before they'd reach the model, then restored on the way back — all in your browser. Nothing you type leaves this page.
Hola, soy Marta y necesito ayuda con mi cuenta. Mi correo es [BV:EMAIL:ee14950f10] y mi teléfono [BV:PHONE_ES:27278110ce]. Adjunto mi DNI [BV:SPANISH_DNI:3524006bcd] y el IBAN [BV:IBAN:9629b822e9] para la verificación.
Hola, soy Marta y necesito ayuda con mi cuenta. Mi correo es marta.ruiz@empresa.es y mi teléfono +34 612 345 678. Adjunto mi DNI 12345678Z y el IBAN ES9121000418450200051332 para la verificación.
This runs the gateway's deterministic layer (checksum-gated IDs, IBAN mod-97, Luhn, secrets) ported to your browser — the same algorithms the server runs, with 0 values leaving your device. Names & free-text PII are the licensed NLP layer, not shown here.
What your team sees
A dashboard that proves protection — without ever seeing your data.
Every panel is built from value-free audit events: entity counts and decisions, never a single prompt, value or token. The same events are what we meter for billing.
Entities detected · last 24h (by type)
Decisions
Where this goes
The roadmap we're executing.
Two tracks in parallel: the detection engine (technical) and the commercial control plane (CP). Coverage and safety first, then depth.
Engine — technical phases
Fail-closed core + deterministic detection + anti-bypass
Adapters, recursive tool-arg walking, checksum-gated IDs, secrets, redaction/pseudonymization vault, value-free audit.
Contextual PII (Presidio)
Multilingual NER integrated & evaluated with honest caveats. Next: tune on a real internal corpus.
Output-side DLP / egress rails
Scan tool outputs, URLs, SQL and webhook payloads. Stops prompt-injection exfiltration.
Managed rules & hardening
Threat-intel feeds, clustered encrypted vault, RAG guardrails, batch/file adapters, SOC 2.
Control plane — commercialization
Offline licensing (Ed25519)
Tiers, entitlements, grace, fail-closed-safe. An expired license never disables protection.
Licensing service + metering ingest
FastAPI issue/validate/revoke; value-free usage rolled up per org. The hard parts already exist.
Billing & signup
Keycloak orgs/seats, Hyperswitch per-seat subscriptions, dashboard, pricing page.
Managed CP, platform, enterprise
Rule distribution, suite SSO & unified billing, SAML, private/on-prem, compliance.
Pricing
Free to self-host. Pay for the managed edge.
The deterministic engine is free and fully offline. Paid tiers unlock the NLP layer, dashboards and managed rules. No valid license degrades to free — protection never turns off.
- Deterministic IDs + secrets
- Redaction & pseudonymization
- Fail-closed pipeline
- Community support
- Everything in Free
- NLP contextual-PII layer
- Audit dashboards
- Managed rule updates
- SSO & roles
- Policy distribution
- Higher caps · SLA
- SAML · private control plane
- Threat-intel feeds
- SOC 2 · DPA · support
Does $4 / seat sustain it?
Yes — because we move zero tokens.
Detection runs on the customer's CPU; models run locally. Our infra only carries offline license checks and value-free telemetry. Cost-to-serve is a rounding error against revenue.
The caveat we're honest about: card fees are ~10% of a $4 charge. We mitigate with annual billing (~3.5%) and Hyperswitch routing to cheaper EU methods (SEPA).
You never pre-pay for scale — infra tracks revenue
| Stage | Paid seats | Infra / mo | Revenue / mo | Infra % |
|---|---|---|---|---|
| Design partners | 0–100 | €10–40 | $0–400 | covered |
| Early traction | 100–1k | €50–200 | $0.4–4k | ~5% |
| Growth | 1k–20k | €0.3–1.5k | $4–80k | ~2–4% |
| Scale | 20k–200k | €3–12k | $80–800k | <1.5% |
Ready when you are
Ship AI features without shipping your data.
Self-host the free tier in five minutes. Add a license when you want the managed edge. Your prompts never leave — that's the whole point.