Trust Center

Your auditors need more than promises.

Here is the evidence — DPA terms, data flow diagrams,
and the infrastructure certifications behind every deployment.

DPA Template

Data Processing Addendum with all GDPR Article 28 clauses. Ready to sign.

Data Flow Diagram

Technical architecture showing every hop your data takes — and where PII stops.

Infrastructure Certs

SOC 2 Type II, ISO 27001, HIPAA-eligible — inherited from Cloudflare.

Data Processing Addendum

The key DPA terms, plain and clear.

Roles

Your organization is the Controller. Privedge is the Processor. We act only on your documented instructions.

Processing purpose

PII anonymization in transit only. We process prompts to detect and tokenize PII before they reach LLM providers.

Data processed

Audit metadata only — timestamp, pii_types, latency_ms, routed_to. Prompt content is never written to storage.

Sub-processors

Cloudflare Workers (compute), Cloudflare R2 (audit logs, Enterprise only). No other sub-processors.

Retention

Prompts: 0 days. Audit metadata: 30 days (Pro), custom (Enterprise). Everything beyond TTL is permanently deleted.

Technical measures

TLS 1.3 in transit, V8 isolate per request, AES-256 for Edge KV (Enterprise), zero inter-request state.

Breach notification

We notify you within 24 hours of becoming aware of a personal data breach affecting your account.

Deletion on termination

All audit data deleted within 30 days of contract termination. Self-host mode: we hold zero data.

DPA template: full legal text with signature fields. Enterprise: we sign a customized version.

Technical Data Flow

Where your data goes. And where it stops.

Every hop mapped. Every boundary documented.

data-flow — request lifecycle
User App
  │
  │  HTTPS / TLS 1.3  (prompt with PII)
  ▼
Cloudflare Edge Node  ← region closest to user
  │
  │  V8 Isolate spins up (per-request sandbox)
  │  ├── PII scan (regex v1 / NER v2)
  │  ├── Token map created in heap:
  │  │     { "PERSON_1": "María Ortega" }   ← volatile, never persisted
  │  └── Anonymized prompt constructed
  │
  │  HTTPS / TLS 1.3  (anonymized prompt only)
  ▼
LLM Provider API  (OpenAI / Anthropic / etc.)
  │  PII NEVER reaches here ──────────────────┐
  │                                           │
  │  Response with synthetic tokens           │
  ▼                                           │
Cloudflare Edge Node (same isolate)           │
  │  ├── De-tokenize: [PERSON_1] → "María"   │
  │  └── V8 Isolate destroyed → map cleared  │
  │                                           │
  │  HTTPS / TLS 1.3  (real response)        │
  ▼                                           │
User App  ←────────────────────────────────────┘
Boundary 1
User App → Edge

Encrypted. PII present in prompt.

Boundary 2
Edge → LLM

Encrypted. PII replaced with tokens. Clean.

Boundary 3
LLM → Edge → User

Encrypted. Tokens reversed at edge before delivery.
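The lifecycle in the diagram above, written out as a small Worker-style JavaScript module. This is an added example, not Privedge's code: the regex detectors, the token format ([PERSON_1], [EMAIL_1], ...), the sample prompt, the stub provider reply and the function names (createSession, handleRequest) are all constructed for illustration. It shows the three properties the boundaries rely on: the map that links tokens to real values exists only inside one request, only the anonymized text is handed to the provider, and the audit record carries the metadata fields listed under "Data processed" with no prompt content.

```javascript
// Added example (not Privedge's code). Regex-style detectors ("regex v1" in the
// diagram); the patterns are deliberately simple and are constructed here.
const DETECTORS = [
  { type: "EMAIL", re: /[\w.+-]+@[\w-]+\.[\w.-]+/g },
  { type: "PHONE", re: /\+?\d[\d\s-]{7,}\d/g },
  // Capitalized first + last name: a toy heuristic standing in for the NER step.
  { type: "PERSON", re: /\b\p{Lu}\p{Ll}+ \p{Lu}\p{Ll}+\b/gu },
];

// One session = one request. The token map lives only in this closure (the
// isolate heap in the diagram) and is never written anywhere.
function createSession() {
  const map = new Map();      // "[PERSON_1]" -> "María Ortega"
  const counters = new Map(); // type -> next index

  function tokenFor(type, value) {
    // Same value recurring in one prompt gets the same token.
    for (const [tok, v] of map) {
      if (v === value && tok.startsWith(`[${type}_`)) return tok;
    }
    const n = (counters.get(type) ?? 0) + 1;
    counters.set(type, n);
    const tok = `[${type}_${n}]`;
    map.set(tok, value);
    return tok;
  }

  // Boundary 2: everything leaving the edge goes through this.
  function anonymize(prompt) {
    let out = prompt;
    for (const { type, re } of DETECTORS) {
      out = out.replace(re, (m) => tokenFor(type, m));
    }
    return out;
  }

  // Boundary 3: only tokens present in THIS request's map are reversed;
  // anything else the provider emits is passed through untouched.
  function detokenize(response) {
    return response.replace(/\[[A-Z]+_\d+\]/g, (tok) => map.get(tok) ?? tok);
  }

  // Audit record: timestamp, pii_types, latency_ms, routed_to. No prompt text.
  function auditRecord(routedTo, latencyMs) {
    const types = [...new Set([...map.keys()].map((t) => t.slice(1, t.lastIndexOf("_"))))];
    return { timestamp: new Date().toISOString(), pii_types: types, latency_ms: latencyMs, routed_to: routedTo };
  }

  // Mirrors "V8 Isolate destroyed -> map cleared".
  function dispose() { map.clear(); }

  return { anonymize, detokenize, auditRecord, dispose };
}

// Full request lifecycle: anonymize, call provider with tokens only,
// de-tokenize the reply, emit the metadata-only audit record, drop the map.
function handleRequest(prompt, callProvider, routedTo) {
  const t0 = Date.now();
  const session = createSession();
  const upstream = session.anonymize(prompt);   // what the LLM provider receives
  const reply = callProvider(upstream);         // provider never sees the map
  const delivered = session.detokenize(reply);  // what the user receives
  const audit = session.auditRecord(routedTo, Date.now() - t0);
  session.dispose();
  return { upstream, delivered, audit };
}

// Constructed sample input and a stub provider that answers with tokens.
const SAMPLE_PROMPT =
  "Summarize: María Ortega (maria@example.org) called from +34 612 345 678 about her claim. María Ortega wants a callback.";
const stubProvider = () =>
  "Callback scheduled for [PERSON_1] at [PHONE_1]; confirmation sent to [EMAIL_1].";

function demo() {
  return handleRequest(SAMPLE_PROMPT, stubProvider, "stub-provider");
}

console.log(JSON.stringify(demo(), null, 2));
```

A practical check to keep with this code: assert, in a test, that none of the raw values from the prompt appear in `upstream`, and that after `dispose()` a token can no longer be reversed. The second check is what makes the "Third-Party Risk" argument further down testable rather than asserted.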

Infrastructure

Certifications you inherit.

Privedge runs on Cloudflare Workers. You get enterprise-grade infrastructure certifications without procuring hardware.

Certification      Status     Provider                Scope
SOC 2 Type II      Active     Cloudflare              Compute + network layer
ISO/IEC 27001      Active     Cloudflare              Data center physical security
HIPAA-eligible     Active     Cloudflare              Workers PHI processing workloads
PCI DSS Level 1    Active     Cloudflare              Network + data in transit
GDPR               Compliant  Cloudflare + Privedge   EU data processing + DPA
SOC 2 Type II      Roadmap    Privedge                Application layer (Phase 5, ~Q4)
For Your Auditors

Three arguments. Citable in any audit.

GDPR Art. 5.1(c)

Data Minimization

"By masking PII at the infrastructure boundary before transmission to AI providers, the customer complies with the data minimization principle. Only anonymized tokens — containing no identifiable information — are transferred to sub-processors. The personal data never leaves the customer's processing region."

ISO 27001 / Vendor Risk

Third-Party Risk Elimination

"The customer's exposure to AI provider data breaches is structurally eliminated. Even a complete compromise of the AI provider's systems would yield only synthetic tokens (e.g., [PERSON_1], [CONDITION_1]), which carry zero identifying information and cannot be reverse-engineered without the per-request token map — which is destroyed at request completion."

GDPR Art. 17

Right to Erasure — Native

"Because personal data was never transferred to any AI provider's storage, inference logs, or training pipeline, the customer's obligation under Art. 17 with respect to AI-processed data is satisfied by architecture. There is no data to erase from third-party AI systems because no data was ever present."

Ready to close your security review?

We'll send the signed DPA and infrastructure certifications, and walk your security team through the architecture.
