Is OpenRedaction free?

Yes, the OpenRedaction library is free and open-source. Use it locally or self-host with no fees. Enterprise support and custom deployments are available via contact.

What is the difference between regex mode and AI mode?

OpenRedaction uses 500+ tested regex patterns for fast, deterministic PII detection. It works completely offline and is free. You run it in your own environment via the npm library.

Does OpenRedaction store my data?

When you use the open-source library, your data never leaves your environment. We do not operate a hosted service that processes or stores your text. Processing runs in your process only.

How do I get enterprise support?

OpenRedaction is open source and self-hostable. For enterprise support, custom deployments, or SLAs, contact us via the Enterprise page or contact form.

PII Detection for AI: How to Safely Use User Data with LLMs

Large Language Models (LLMs) are extraordinary at handling messy, unstructured text. They effortlessly parse incomplete sentences, analyze context, and synthesize fluent replies—but that same flexibility makes them eager to absorb anything passed their way: names, email addresses, national IDs, financial details, or confidential documents.

Without strict boundaries, your AI system can unintentionally become a privacy sink—logging sensitive content across model pipelines, traces, or fine-tuning datasets. The solution is not blind trust, it is visibility and repeatable redaction layers built directly into every boundary of your data flow.

This guide explores where Personally Identifiable Information (PII) hides within AI systems, how to conceptualize risk, and how modern detection frameworks such as OpenRedaction and our upcoming OpenAI and Express.js packages fit into secure workflows for prompts, retrieval systems, and observability logs.

1. The AI Privacy Problem: Unstructured Risk Everywhere

The AI development stack is inherently porous. Every message, document, or vector embedding can pass through multiple layers of software, from gateways and middlewares to third-party APIs. Each layer presents unique opportunities for accidental data exposure.

Common Injection Points

Inbound streams: User prompts, uploads, and pasted exports (CSV, DOCX, or CRM snapshots).
Processing layers: System logs, traces, APM instrumentation, and replay tools used for debugging.
Storage: Vector databases, custom embeddings, RAG indexes, and training sets retaining raw payloads.
Outbound channels: Model-generated responses that echo user prompts, retrieved snippets, or internal context.

One interaction can fan out through half a dozen network boundaries, cloud storage, caching layers, message queues, and analytics systems. Treat the first hop (typically the API gateway or Express.js middleware) as your critical control plane. That is where redaction must begin.

2. What You Are Actually Protecting Against

LLM privacy challenges are rarely about malicious intent, they stem from operational sprawl, where sensitive inputs get replicated or logged unintentionally.

Accidental logging: Prompts, completions, and file content copied into observability platforms (Datadog, LogStream, Elastic) that lack structured privacy controls.
Vendor and residency risk: Text leaving your legal region or entering subprocessors operated by the model vendor.
Retrieval leakage (RAG, fine-tuning): Unredacted chunks reappearing in unrelated completions due to embeddings storing human-identifiable metadata.
Compliance complexity: Each duplicate makes GDPR deletion requests and DSARs exponentially harder.

These risks scale faster than visibility. To manage them, engineers must design PII-aware pipelines, where every text transformation, ingestion step, and storage event is privacy-scoped.

3. Pattern-First vs Machine Learning Detection

There are two dominant paradigms for detecting sensitive text: pattern-first (regex-based) and ML/NLP-based. The best production systems combine both strategically.

Pattern-First (Regex / Rule-Based)

Regex-driven detectors catch structured identifiers, emails, phone numbers, credit card numbers, postal codes, and national IDs, with deterministic precision.

Advantages:

Fast, local, and auditable.
Requires no external data processor.
Easy to embed into existing gateways or Express.js middleware.

This approach forms step one in any privacy stack, your PII firewall before content ever reaches an LLM API.

Our upcoming Express.js Redaction Middleware will implement this layer out-of-the-box:

app.use(require('@openredaction/express-pii')());

Integrated directly with OpenAI SDK routes, it ensures every prompt and completion is pre-scrubbed using deterministic regex before external transmission.

ML / Named Entity Recognition (NER)

NER-based models expand detection to unstructured text, names, organizations, and contextual references. They use statistical patterns and embeddings rather than explicit formulas.

Advantages:

Powerful for conversational or narrative text.
Detects entities missed by rigid regex (e.g., "John from Barclays" or "Emma's discharge summary").

Trade-offs:

Slower and costlier.
Adds potential data residency issues, since some frameworks outsource inference.
Requires additional privacy safeguards if running externally.

Optimal architecture:

Run high-precision pattern redaction locally.
Optionally apply NER within a private VPC.
Merge spans and enforce single-pass redaction.

OpenRedaction, and our OpenAI privacy SDK, focuses on step 1, the part you can deploy everywhere, safely, without external API calls.

4. Wiring Detection into Your Infrastructure

Modern AI apps often integrate dozens of components, with data moving bidirectionally across LLM APIs, vector indices, and analytics dashboards. You need to wire PII detection across all data surfaces that cross a trust boundary.

Core Locations for Redaction

LLM Gateway / Middleware:
Redact request bodies before they leave your secure network.

Our upcoming Express.js PII Detection Package will expose middleware hooks such as:

app.use(require('@openredaction/express-pii')());

Integrated directly with OpenAI SDK routes, it ensures every prompt and completion is pre-scrubbed using deterministic regex before external transmission.

RAG Pipeline Ingestion:
When processing documents for Retrieval-Augmented Generation, redact text early before embeddings and chunking. That way, your vector database never stores raw identifiers.

Log and Trace Streams:
Scrub payloads before they hit APM systems or cloud observability tools. Use stream filters that detect and mask sensitive tokens in the log formatter.

Response Path (Echo Suppression):
Scan generated replies before storage or display. Models can inadvertently echo user inputs; suppression filters prevent accidental resurfacing of PII.

This architecture is simple but powerful: every layer performs a privacy check just before data exits its internal domain.

5. Redaction Style and Consistency

Redaction strategy defines how PII is represented post-sanitization. Consistency beats cleverness, auditors prefer a stable, predictable approach.

Placeholder vs Partial Masking

Full placeholders (e.g., {{EMAIL_REDACTED}}) are best for external model interactions.
Partial masking (e.g., jo***@domain.com) is suitable only for internal dashboards or controlled analytics.

Document your chosen style, apply it globally across pipelines, and version-control redaction schemas as part of data governance metadata.

Our OpenAI redaction package will support both strategies with schema validation, allowing developers to pick between tokenization, reversible pseudonyms, or irreversible placeholders.

6. Proving It Works: Verification and Audit

Privacy assurance is not theoretical, it requires continuous, automated proof. Build regression pipelines that simulate realistic scenarios across your AI stack.

Synthetic PII regression tests: Generate fake data, emails, IDs, card numbers, and feed it through your gateway to ensure redaction consistency.
Search audits: Periodically scan vector databases and log stores using regex patterns or hash-checks for synthetic markers.
Latency measurement: Maintain a defined threshold (e.g., less than 50ms per prompt redaction). If performance drops, teams may bypass redaction under pressure, a major security risk.

Example Audit Flow

Inject canary values (e.g., test-3456-email@piitest.co.uk) into prompts.
Verify they never appear in logs, embedding vectors, or LLM responses.
Generate compliance reports referencing test timestamps and sanitized outputs.

This cycle creates active assurance, privacy that operates as part of CI/CD rather than afterthought compliance.

7. Integrating with the OpenAI SDK

Our upcoming OpenAI Redaction SDK for Node.js provides native interoperation with the official OpenAI client, letting developers hook redaction logic directly into model calls.

import { redactPII } from '@openredaction/openai';
import OpenAI from 'openai';

const client = new OpenAI({ apiKey: process.env.OPENAI_KEY });

async function safeCompletion(prompt) {
  const sanitized = await redactPII(prompt);
  return client.chat.completions.create({
    model: 'gpt-5-turbo',
    messages: [{ role: 'user', content: sanitized }],
  });
}

This ensures sensitive data is removed before transmission, preserving compliance across GDPR, CCPA, and DPA 2018 (UK). The SDK adds:

Adjustable regex libraries (PCI, HIPAA, UK/US standards).
Redaction logging to your local audit files.
Built-in Express middlewares for auto-scrubbing inbound JSON bodies.

Together, the Express.js middleware and OpenAI SDK hooks create a fully enclosed privacy perimeter, covering data entry, model invocation, and log retention uniformly.

8. Deployment Patterns for Self-Hosted Privacy

For enterprise compliance, you may choose to host redaction infrastructure locally rather than through a cloud processor.

Recommended Setup

Self-hosted detector service: Run OpenRedaction or our upcoming Express package within a secure Kubernetes namespace.
Isolated ingress queue: All inbound requests are queued and sanitized before API forwarding.
Environment separation: Maintain distinct namespaces for preprocessing (redaction) and postprocessing (response capture).
Config audit log: Persist redaction configurations as YAML in version control for reproducibility.

This architecture parallels zero-trust design, assuming each node is potentially untrusted and enforcing privacy at every hop.

9. Compliance and Governance Alignment

Effective PII detection is not just an engineering safeguard, it satisfies legal and ethical obligations under modern privacy frameworks.

Your stack should explicitly reference:

GDPR Articles 5, 25 (Data minimization and Privacy by Design).
UK Data Protection Act (2018) Schedule 1.
SOC 2 Type II Security and Processing Integrity Controls.
ISO 27701 Extension for Privacy Information Management.

By incorporating automated redaction, your organization meets the appropriate technical and organizational measures clause, proving that PII exposure is not accidental, but actively prevented.

10. The Path Forward

PII detection in LLM pipelines is no longer optional, it is structural. As AI workloads move into production, regulators, auditors, and enterprise clients expect verifiable privacy constraints.

Through our upcoming OpenAI integration and Express.js packages, teams will be able to deploy end-to-end safeguards with:

Local, deterministic redaction.
Seamless embedding into any API route or AI service.
Full visibility and proof through audit-ready logs.

Combined with OpenRedaction's regex-first precision, these tools form a privacy-first foundation for AI developers handling real-world data.

Closing Thought

In the era of generative computation, the true measure of responsible AI is not what models can learn, but what data they never see.

Detection and redaction are invisible victories: each scrubbed identifier represents one less compliance nightmare, one more proof of operational maturity. Redaction is not bureaucracy, it is architecture.

Questions or rollout help: contact · enterprise.