Compliance

Compliance by architecture.
Not by promise.

Every request inspected at the edge.
No data stored. No exceptions.

HIPAA Ready
GDPR Ready
PCI DSS Ready
CCPA/CPRA Ready
LGPD Ready
ISO 27001 Inherited
SOC 2 Roadmap

Infrastructure

Certified infrastructure.

Your data is processed on Cloudflare-certified infrastructure. The compute and network layer is already audited.

V8 Isolates

Each request runs in an isolated CPU/memory sandbox. Zero shared state between requests.

TLS 1.3

All traffic encrypted in transit. No plaintext data ever traverses the network.

AES-256

Tokens encrypted at rest in Edge KV. Accessible only within the request's isolate.

DDoS Mitigation

Attacks absorbed by Cloudflare's global network before reaching the Worker.

WAF

Web application firewall. Filters malicious traffic at the edge before it reaches the proxy.

Anycast Routing

300+ global edge nodes. Traffic routed to the closest node, minimising latency and exposure.

Cloudflare Trust Hub — Compliance Resources

Anonymization

How we protect every request.

Every prompt goes through five phases before reaching the AI provider — PII never makes it there.

01 Request received

Edge Worker starts a V8 isolate. Zero disk access.

02 PII detected

Regex + NER identify names, emails, IDs. Replaced with synthetic tokens in memory.

03 Clean prompt → LLM

The AI provider only receives anonymised text. Real PII never leaves the edge.

04 Response de-tokenised

The same isolate swaps tokens back. The user receives the natural response.

05 Isolate destroyed

The V8 isolate is torn down. All in-memory data erased. No persistence between requests.

Original prompt (contains PII):
Draft a report for patient María Ortega, ID 53412987Z, email [email protected].

What the LLM receives after Privedge anonymises it (no PII):
Draft a report for patient [PERSON_1], ID [ID_1], email [EMAIL_1].

The substitution is reversible only within the same isolate that processed the request. The isolate is destroyed on completion — exfiltrating the mapping is structurally impossible.
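
The tokenise and de-tokenise round trip from phases 02 to 04, as an added example that is not Privedge's code. The two regex patterns, the sample email address and the `names` argument (a stand-in for the output of an NER step) are assumptions made for illustration.

```javascript
// Constructed patterns: an email address and an ID of 8 digits plus a letter.
const PATTERNS = [
  ["EMAIL", /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g],
  ["ID", /\b\d{8}[A-Z]\b/g],
];

// Escape a literal string so it can be used inside a RegExp.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Replace PII with [TYPE_n] tokens. The mapping lives only in the returned
// object, mirroring a mapping held in request memory and never persisted.
// `names` is a hypothetical list of person names found by an NER step.
function anonymise(text, names = []) {
  const byValue = new Map(); // real value -> token (same value, same token)
  const byToken = new Map(); // token -> real value (used to reverse)
  const counters = {};
  const tokenFor = (type, value) => {
    if (!byValue.has(value)) {
      counters[type] = (counters[type] || 0) + 1;
      const token = `[${type}_${counters[type]}]`;
      byValue.set(value, token);
      byToken.set(token, value);
    }
    return byValue.get(value);
  };
  let clean = text;
  for (const [type, re] of PATTERNS) {
    clean = clean.replace(re, (m) => tokenFor(type, m));
  }
  for (const name of names) {
    const re = new RegExp(escapeRe(name), "g");
    clean = clean.replace(re, () => tokenFor("PERSON", name));
  }
  return { clean, byToken };
}

// Swap tokens back in the model's response. A token that is not in this
// request's mapping is left untouched rather than guessed.
function detokenise(text, byToken) {
  return text.replace(/\[[A-Z]+_\d+\]/g, (t) => byToken.get(t) ?? t);
}
```

Because `byToken` is only ever a local value, nothing outlives the call unless the caller stores it; anything that neither the patterns nor the NER step flags passes through to the provider unchanged.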

GDPR Art. 17 — Right to Erasure

Native compliance by architecture.

The hardest GDPR challenge with AI: how do you delete a user from a model trained on their data? With Privedge, that problem never exists.

"Your users can't be un-forgotten from an AI model that never learned their data. Privedge satisfies Art. 17 by construction."

Vendor Risk Management

OpenAI is breached.
What does the attacker get?

Depends on whether you were using Privedge.

Without Privedge:
name: Ana García
diagnosis: diabetes type 2
IBAN: ES91 2100 0418
doctor: Dr. Carlos Ruiz
GDPR notification within 72h required.

With Privedge:
name: [PERSON_1]
diagnosis: [CONDITION_1]
IBAN: [FINANCIAL_1]
doctor: [PERSON_2]
Empty tokens. No notification required.

Need a DPA or a custom compliance report?

We'll send audit documentation, sign a DPA, and walk your security team through the architecture.
