FAQ
Answers for engineering, security, and compliance
Answers to the questions security and procurement teams ask during vendor review.
About PIIsafe
Product overview and deployment options.
What is PIIsafe?+
A platform to encrypt, tokenize, control access to, and audit sensitive data (PII, PHI, PCI, and credentials) through one API instead of building an internal vault team.
Who is PIIsafe built for?+
Teams that handle regulated customer data: fintech, healthtech, HR platforms, and any product storing SSNs, health records, or payment details.
How is PIIsafe different from a vault we build ourselves?+
Homegrown vaults often start as column encryption and grow into a platform team owning rotation, tenant isolation, audit integrity, and DSAR workflows. PIIsafe ships that as a product.
Is PIIsafe SaaS, single-tenant, or self-hosted?+
All three: multi-tenant SaaS, dedicated single-tenant SaaS, and self-hosted for regulated workloads. BYOK and HYOK supported in each.
What is included on the free plan?+
100 protected records, customer-managed keys, audit log streaming, region pinning, and multi-sig for sensitive operations. No credit card required to start. There are no per-seat charges.
What is tokenization, and how is it different from encryption?+
Encryption transforms data so only someone with the key can read it. Tokenization replaces sensitive values with a reference token your app stores instead. PIIsafe stores the encrypted value in a vault; your database keeps the token. You detokenize only when policy allows.
Security & encryption
Encryption, key storage, and who can read plaintext.
What encryption does PIIsafe use?+
TLS 1.3 in transit. AES-256-GCM at rest with envelope encryption: unique data key per record, wrapped by your master key.
Where are encryption keys stored?+
You choose: platform-managed, customer-managed (BYOK from AWS/GCP/Azure/HashiCorp), or hold-your-own-key in your HSM.
Does PIIsafe ever see plaintext?+
In tokenization flows, sensitive fields are encrypted at the edge and only tokens are stored. In some storage flows, plaintext exists briefly in encrypted memory during processing, never written to disk or logs.
What happens if a database backup leaks?+
Backups contain ciphertext and wrapped keys. Without your master key, data cannot be decrypted. Per-record keys limit blast radius.
Has PIIsafe been pen-tested?+
Yes. Email security@piisafe.io for the latest summary under NDA. SOC 2 Type II audit is underway.
What is BYOK and HYOK?+
BYOK (bring your own key) means your master encryption key lives in your cloud KMS (AWS, GCP, Azure, or HashiCorp Vault). HYOK (hold your own key) means the master key stays in your HSM and PIIsafe cannot decrypt without your authorization.
Do you sell customer data or share it with advertisers?+
No. Customer data is never sold, shared with ad networks, or used to train AI models. This is written into the DPA. PIIsafe does not contact your customers unless you configure it to.
Compliance & data residency
Compliance frameworks supported and where your data is stored.
Do you have SOC 2 or ISO 27001 certification today?+
No. Both audits are underway and neither certification has been issued yet. Architecture documentation, pen-test summaries, and pre-filled vendor questionnaires are available under NDA while the audits complete. See our compliance roadmap for current status.
Which certifications and agreements are available today?+
GDPR DPA is available on supported plans. HIPAA BAA is in progress. SOC 2 Type II and ISO 27001 audits are underway; neither certification has been issued yet. Pen-test summaries, architecture docs, and pre-filled SIG and CAIQ questionnaires are available under NDA.
Which compliance frameworks does PIIsafe support?+
Controls aligned with SOC 2 Type II, HIPAA, ISO 27001, GDPR, CCPA, DPDP, and PIPL. Audit exports you can attach to reviews are available today.
How do I request the security pack?+
Email security@piisafe.io. We typically deliver the security pack the same day under NDA. It includes the architecture overview, pen-test summary, cryptography design, sub-processor list, data-flow diagrams, and pre-filled SIG and CAIQ questionnaires.
Will you sign a DPA?+
Yes. A GDPR-aligned DPA is available on supported plans, alongside region pinning and DSAR tooling.
Will you sign a BAA?+
HIPAA-aligned configuration and BAA support are in progress.
Can I keep data in a specific region?+
Yes. Vaults pinned to US, EU, UK, Canada, or APAC. Data, replicas, and backups stay in-region unless you explicitly move them.
How do you handle subject access and deletion?+
Search by subject across vaults, export in structured format, redact, or erase. Erasure uses cryptographic shredding with a signed report.
Integration & developer experience
SDKs, proxy, and typical rollout timelines.
How long does integration take?+
First encrypted record within an hour for most teams. Production rollouts with policy and IdP wiring: one to four weeks.
Do I have to rewrite my services?+
No. The drop-in proxy tokenizes inbound requests and detokenizes outbound responses with no code changes. Use the SDKs when you want direct API integration.
Which languages do you support?+
Typed SDKs for TypeScript/Node and Python, plus a command-line tool, are available today; a Go SDK is next. REST and gRPC cover everything else.
What is the drop-in PII proxy?+
A network proxy that sits in front of your existing services. It tokenizes sensitive fields on inbound requests and detokenizes on outbound responses, so you do not have to rewrite application code to get started.
AI & sensitive workloads
Redacting PII before it reaches LLM providers.
Can I protect data sent to LLMs?+
Yes. Prompt-time SDK scrubs PII before third-party models and reinserts values in responses.
Does PIIsafe train on my data?+
No. Not for our models or third parties. Written into the DPA.
Reliability, support & operations
Uptime targets, disaster recovery, and how to reach us.
What is platform uptime?+
99.99% target for hosted product. Multi-AZ active-active for crypto operations. Status page published.
How do I report a security issue?+
Email security@piisafe.io. Acknowledgment within one business day, triage within three.
How is breach notification handled?+
If unauthorized vault access is detected, you hear from an engineer within 24 hours of detection with what we know and next steps.
Can we export our data and migrate off PIIsafe?+
Yes. Export tokens, ciphertext, and audit logs in migration-friendly formats. You can leave at any time without a lock-in period.
How are sub-processors communicated?+
We publish the sub-processor list in the security pack. Material changes are announced at least 30 days before they take effect.
Get in touch
Question we missed?
Email support@piisafe.io with your architecture or compliance question. Usually a same-day reply from engineering.