self-hosted · AGPL-3.0 · docker compose up

Use any cloud LLM. Never leak a client's record.

RedactGate is a redaction firewall that sits between your staff and every cloud LLM. It reversibly tokenizes sensitive data before the call leaves your perimeter, then re-inflates the model's answer on the way back. Raw client data never crosses the wire — and the answer is just as good.

Get started Read the source ↗ one drop-in OpenAI-compatible endpoint

what your associate writes

"Summarize the file for Jane Okafor. Her SIN is 046 454 286 and her card on file is 4111 1111 1111 1111. Email her at jane@acme.co."

what the cloud LLM receives

"Summarize the file for [[NAME_3f]]. Her SIN is [[SIN_7a]] and her card on file is [[CC_b1]]. Email her at [[EMAIL_2c]]."

cloud + local providers, one switch

jurisdiction packs · CA US EU UA IRCC + generic

raw values stored or logged

AGPL

open source · no telemetry

the blocker

Your team already pastes client data into ChatGPT.

A tax associate drops a bank statement into a chat box to get a summary. A paralegal pastes a contract with names and account numbers. They have no safe alternative — so the data is gone, and your compliance officer can't prove it wasn't. RedactGate is the safe alternative: the model still does the work, but the raw record stays inside your perimeter, and every request is logged for the audit.

how it works

Detect, seal, forward, re-inflate, audit.

01 detect

Find the entities

Regex jurisdiction packs + Presidio + optional LLM-NER, evasion-hardened.

02 tokenize

Reversibly seal them

AES-256-GCM vault; the same value maps to the same placeholder all through the request.

03 forward

Send only the safe text

To Anthropic, OpenAI, Gemini, Bedrock, Azure, or a local Ollama — your choice.

04 re-inflate

Restore the answer

Placeholders swap back to real values — stream-safe, even mid-token.

05 audit

Prove it

Hash-chained, append-only log — entity counts only, never raw values.

published benchmark

We measure the cost of redaction, so you don't guess.

A reproducible recall-vs-fidelity benchmark ships in the repo. Detection on the jurisdiction golden sets, regex-only (higher with Presidio enabled):

73–96%

detection recall

90–96%

precision

670+

tests, CI green

13/13

audit findings fixed

what's inside

Built like the security appliance it is.

Reversible token vault

AES-256-GCM, per-session keys, referential consistency — coreference survives, so the model still reasons correctly.

Multi-provider gateway

One AI_PROVIDER switch fans out to Anthropic, OpenAI, Gemini, Azure, Bedrock, DigitalOcean, or local Ollama. No lock-in.

Jurisdiction packs

SIN, BN, GST, SSN, EIN, IBAN, VAT, EDRPOU, UCI and more — en/uk/ru/fr aware, with real validators (Luhn, IBAN mod-97).

Hash-chained audit

Append-only, tamper-evident, zero-raw-value. The export your compliance officer hands the auditor.

Stream-safe

Re-inflation works mid-SSE-stream — a placeholder split across chunks is never emitted half-substituted.

Air-gapped mode

Regex + Presidio + Ollama = fully offline. No cloud, no key, no data leaves the building.

quickstart

Running in two commands.

Point any OpenAI client at it. The provider behind it is your config, not the caller's.

terminal

# clone, set keys, and bring up postgres + redis + api + web
git clone https://github.com/ctmakc/redactgate && cd redactgate
cp .env.example .env   # add your provider key + generate the 3 vault keys
docker compose --profile web up -d

# your existing OpenAI client just changes its base_url:
curl http://localhost:8088/v1/chat/completions \
  -H "Authorization: Bearer $RG_KEY" -H "Content-Type: application/json" \
  -d '{"model":"gpt-4o-mini","messages":[{"role":"user",
       "content":"Summarize: SIN 193 456 787, jane@acme.co"}]}'
# upstream sees [[SIN_xxxx]] / [[EMAIL_xxxx]] — you get the real answer back.