Privacy vault for regulated data
Store PII, PHI, and payment data without keeping plaintext in your database
PIIsafe tokenizes sensitive fields at capture, stores ciphertext in region-pinned vaults, and logs every access to your SIEM. Free plan includes customer-managed keys and audit streaming.
- Customer-managed keys on all plans
- US, EU, UK, Canada, APAC
- SIEM export included
Integrations
Built to integrate across every platform
Pre-built connectors for key managers, identity providers, data warehouses, and payment processors. Anything else via REST API.
Use cases
Three jobs PIIsafe handles
Pass access reviews, respond to DSARs, and keep card data out of your database, without hiring a vault platform team.
Pass your next access review
Append-only audit log with tamper-evident chaining. Stream to Splunk, Datadog, Snowflake, or BigQuery.
Answer a DSAR in one query
Search by subject ID across vaults. Export, redact, or erase with a signed report for regulators.
Keep card data out of your database
Format-preserving tokens replace PANs and SSNs. Plaintext is released only when your payment gateway or support console detokenizes.
How it works
Four steps, every time
Capture
Sensitive fields encrypted at the edge before they reach your servers.
Tokenize
Vault stores ciphertext. Your app keeps a token, not the value.
Policy gate
Detokenization requires identity, MFA, and stated purpose.
Audit
Every access recorded and streamable to your SIEM.
Developer experience
First tokenized record in under an hour
Typed SDKs for TypeScript and Python, a CLI, consistent error shapes, and idempotent writes.
// First tokenized record, typically under an hour
const record = await piisafe.vaults.tokenize({
vault: "pii-prod",
fields: { ssn: "123-45-6789" }
});
// Your database stores the token, not plaintext
await db.users.update({
id: userId,
ssn_token: record.tokens.ssn
});AES-256-GCM at rest, TLS 1.3 in transit
Envelope encryption per record. One leaked row does not expose the rest.
You control the master key
BYOK from AWS KMS, GCP KMS, Azure Key Vault, or HashiCorp Vault.
Approve sensitive actions before they run
JIT access, MFA conditions, and multi-sig for key export and vault deletion.
Export logs your auditor can verify
Every read, write, and policy change logged. SIEM export on all plans.
SDKs and HTTP APIs
REST/gRPC APIs and SDKs for Node, Python, Go, Java, Ruby, .NET.
Multi-AZ by default
Cryptographic operations run active-active across availability zones with automatic failover.
Trust
What you can verify today
Request architecture overview, SIG/CAIQ questionnaires, and pen-test summary under NDA.
security@piisafe.ioCommon questions
How long does integration take?
Most teams tokenize their first record within an hour using the SDKs. Production rollouts with policy design typically take one to four weeks.
Do I have to rewrite my services?
No. The drop-in proxy tokenizes inbound requests and detokenizes outbound responses with no code changes. Use the SDKs when you want direct API integration.
Which certifications do you have today?
GDPR DPA is available on supported plans. HIPAA BAA is in progress. SOC 2 Type II and ISO 27001 audits are underway; neither certification has been issued yet. Pen-test summaries and architecture docs are available under NDA. See our compliance roadmap for details.
Get in touch
Start with 100 protected records
Create a vault, tokenize your first field, and wire audit logging before you talk to sales.