Privedge — Technical Architecture v1.0 Save as PDF
Technical
Architecture
Security Engineering Reference
Cloudflare Workers V8 Isolates TLS 1.3 AES-256
Version 1.0 · June 8, 2026
For security engineering review — not for public distribution

01Request Lifecycle

Every AI inference request passes through the following stages. Each stage is described with its data handling properties.

┌─ CUSTOMER TRUST BOUNDARY ─────────────────────────────────────────┐ │ Customer App │ │ POST /v1/chat/completions │ │ Authorization: Bearer {privedge_key} │ ▼ └────────────────────────────────────────────────────────────────────┘ │ HTTPS / TLS 1.3 ┌─ PRIVEDGE / CLOUDFLARE EDGE ──────────────────────────────────────┐ │ Cloudflare Worker (V8 Isolate — per-request sandbox) │ │ │ ├─► [1] Auth — validate Bearer token │ ├─► [2] PII Scan — regex / NER detection │ ├─► [3] Tokenize — replace PII with [TYPE_N] tokens │ ├─► [4] Map created in V8 heap: { "PERSON_1": "..." } │ │ │ │ HTTPS / TLS 1.3 │ ▼ │ ─ ─ ─ AI PROVIDER BOUNDARY ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ │ OpenAI / Anthropic / Gemini API │ │ Receives: "[PERSON_1] reports [CONDITION_1]..." │ │ PII = NOT PRESENT │ ▼ │ ├─► [5] LLM response contains tokens │ ├─► [6] De-tokenize in SAME V8 isolate │ ├─► [7] V8 isolate terminates → heap cleared → map destroyed │ │ └────────────────────────────────────────────────────────────────────┘ │ HTTPS / TLS 1.3 Customer App receives de-tokenized response

02Token Map Lifecycle

The token map is the only artifact linking synthetic tokens to real PII. Its lifecycle is constrained by the V8 isolate execution model.

// Pseudocode: token map lifecycle within a single V8 isolate

async function handleRequest(request: Request): Promise<Response> {
  // V8 isolate starts fresh — zero shared state with any prior request
  const tokenMap = new Map<string, string>()  // lives ONLY in this heap

  const body = await request.json()
  const { anonymized, map } = piiScanner.tokenize(body.messages, tokenMap)
  // tokenMap: { "PERSON_1": "María Ortega", "ID_1": "12345678A" }
  // anonymized: "Hello [PERSON_1], your ID is [ID_1]..."

  const llmResponse = await forwardToProvider(anonymized)
  // llmResponse: "Dear [PERSON_1], we have reviewed [ID_1]..."

  const restored = piiScanner.detokenize(llmResponse, tokenMap)
  // restored: "Dear María Ortega, we have reviewed 12345678A..."

  // After return: isolate GC'd → heap freed → tokenMap = gone
  // No KV write. No DB write. No log of PII values.
  return new Response(JSON.stringify(restored))
}

Security property: The token map is bound to a single V8 isolate, which is bound to a single HTTP request. There is no mechanism by which the token map can be accessed after the response is returned — not by Privedge engineers, not by Cloudflare, and not by any external attacker.

03Data Flow & Trust Zones

ZoneWhat entersWhat exitsPII present?
Customer app User input (raw) Prompt with PII Yes — customer's responsibility
Privedge edge (Worker) Prompt with PII Anonymized prompt In-memory only, sub-millisecond
AI Provider Anonymized prompt (tokens only) Response with tokens No — never receives real PII
Privedge audit log Request metadata No — metadata only

04Encryption

In transit

At rest

05V8 Isolate Sandbox

Privedge runs on Cloudflare Workers, which uses V8 — the same JavaScript engine as Chrome — in a heavily sandboxed environment.

Important: Cloudflare Workers uses V8 isolates, NOT containers or VMs. Startup ~0ms. Security model analogous to browser tab isolation — each request is its own sandbox with no shared state.

06Audit Log Schema

For Pro and Enterprise tiers, Privedge writes a metadata record per request. This record contains zero prompt content and zero PII values.

// AuditLog schema — stored in R2 (Enterprise) or 30-day rolling (Pro)
interface AuditLog {
  request_id:   string    // UUID — no PII
  timestamp:    string    // ISO 8601
  customer_id:  string    // hashed
  routed_to:    "openai" | "anthropic" | "gemini" | ...
  pii_types:    string[]  // ["PERSON","EMAIL"] — categories, NOT values
  pii_count:    number
  latency_ms:   number
  compliance:   string    // "gdpr" | "hipaa" | "ccpa" | "lgpd"
  model:        string
  region:       string    // Cloudflare colo: "MAD" | "FRA" | "IAD"

  // NEVER logged: prompt_content, response_content, pii_values, user_id
}

07Self-host Architecture

Privedge is MIT licensed. Organizations with strict data sovereignty requirements deploy the Worker in their own Cloudflare account.

Customer's Cloudflare Account ┌─────────────────────────────────────────────────────┐ │ Privedge Worker (deployed via Wrangler CLI) │ │ │ Workers Secrets: { LLM_PROVIDER_KEY, ... } │ │ │ Optional: Workers KV (audit logs, AES-256 at rest) └─────────────────────────────────────────────────────┘ In self-host mode: - Privedge (company) has ZERO access to any data - No outbound calls to privedge.io infrastructure - Customer controls all secrets, logs, config - Billing: $0 (MIT license) 
# 1. Clone the MIT-licensed repo
git clone https://github.com/privedge/privedge

# 2. Set your LLM provider secret
wrangler secret put LLM_PROVIDER_KEY

# 3. Deploy to your Cloudflare account
wrangler deploy

# 4. Point your app at your Worker URL
#    PRIVEDGE_BASE_URL=https://privedge.your-zone.workers.dev

Data sovereignty: In self-host mode all processing occurs in the customer's own Cloudflare account. Privedge (the company) is not a sub-processor in this deployment model.

Privedge Technical Architecture v1.0 — June 8, 2026 [email protected] · privedge.io/trust