Privacy vault for regulated data

Store PII, PHI, and payment data without keeping plaintext in your database

PIIsafe tokenizes sensitive fields at capture, stores ciphertext in region-pinned vaults, and logs every access to your SIEM. Free plan includes customer-managed keys and audit streaming.

  • Customer-managed keys on all plans
  • US, EU, UK, Canada, APAC
  • SIEM export included
PIIsafe vault workflow diagram

Integrations

Built to integrate across every platform

Pre-built connectors for key managers, identity providers, data warehouses, and payment processors. Anything else via REST API.

Use cases

Three jobs PIIsafe handles

Pass access reviews, respond to DSARs, and keep card data out of your database, without hiring a vault platform team.

Pass your next access review

Append-only audit log with tamper-evident chaining. Stream to Splunk, Datadog, Snowflake, or BigQuery.

Answer a DSAR in one query

Search by subject ID across vaults. Export, redact, or erase with a signed report for regulators.

Keep card data out of your database

Format-preserving tokens replace PANs and SSNs. Plaintext is released only when your payment gateway or support console detokenizes.

How it works

Four steps, every time

1

Capture

Sensitive fields encrypted at the edge before they reach your servers.

2

Tokenize

Vault stores ciphertext. Your app keeps a token, not the value.

3

Policy gate

Detokenization requires identity, MFA, and stated purpose.

4

Audit

Every access recorded and streamable to your SIEM.

Developer experience

First tokenized record in under an hour

Typed SDKs for TypeScript and Python, a CLI, consistent error shapes, and idempotent writes.

See full developer platform

// First tokenized record, typically under an hour
const record = await piisafe.vaults.tokenize({
  vault: "pii-prod",
  fields: { ssn: "123-45-6789" }
});

// Your database stores the token, not plaintext
await db.users.update({
  id: userId,
  ssn_token: record.tokens.ssn
});

AES-256-GCM at rest, TLS 1.3 in transit

Envelope encryption per record. One leaked row does not expose the rest.

You control the master key

BYOK from AWS KMS, GCP KMS, Azure Key Vault, or HashiCorp Vault.

Approve sensitive actions before they run

JIT access, MFA conditions, and multi-sig for key export and vault deletion.

Export logs your auditor can verify

Every read, write, and policy change logged. SIEM export on all plans.

SDKs and HTTP APIs

REST/gRPC APIs and SDKs for Node, Python, Go, Java, Ruby, .NET.

Multi-AZ by default

Cryptographic operations run active-active across availability zones with automatic failover.

Trust

What you can verify today

PIIsafe
SOC 2 Type IIIn progress
ISO 27001In progress
HIPAA + BAAIn progress
Pen-test summaryUnder NDA

Request architecture overview, SIG/CAIQ questionnaires, and pen-test summary under NDA.

security@piisafe.io

Common questions

How long does integration take?

Most teams tokenize their first record within an hour using the SDKs. Production rollouts with policy design typically take one to four weeks.

Do I have to rewrite my services?

No. The drop-in proxy tokenizes inbound requests and detokenizes outbound responses with no code changes. Use the SDKs when you want direct API integration.

Which certifications do you have today?

GDPR DPA is available on supported plans. HIPAA BAA is in progress. SOC 2 Type II and ISO 27001 audits are underway; neither certification has been issued yet. Pen-test summaries and architecture docs are available under NDA. See our compliance roadmap for details.

Get in touch

Start with 100 protected records

Create a vault, tokenize your first field, and wire audit logging before you talk to sales.