Project
Sovereign Shield
Use any LLM — Gemini, Claude, DeepSeek — while no personal data ever leaves Switzerland. A deterministic gateway swaps every Swiss identifier for a placeholder before the prompt crosses the border, and restores the real values on the way back.
An employee pastes a customer email into ChatGPT to draft a reply — a name, an AHV number, an IBAN. Thirty seconds saved, and a cross-border transfer of personal data to a US-hosted service: the exact act the revised Swiss FADP (and the GDPR) build their guardrails around. The violation isn't the model misbehaving. It's the data leaving the boundary.
So the fix is a boundary, not a better promise. Sovereign Shield is a
small proxy on the egress path: on the way out it swaps every Swiss identifier for a
stable placeholder, the model answers on the placeholders, and the real values are
restored on the way back. The reply comes back perfect and personalised — and the model
only ever saw [PERSON_1]. Even if the provider logs every prompt it
receives, it logged placeholders.
Draft a reply to Hans Muster (AHV 756.1234.5678.97, IBAN CH93 0076 …).
↓ 🛡 the only thing that crosses the border
Draft a reply to [PERSON_1] ([AHV_1], [IBAN_1]).
↓ the model answers on the placeholders
"Dear [PERSON_1], sorry about the double charge — we'll refund CHF 240 …"
↓ 🛡 restored on the way back
"Dear Hans Muster, sorry about the double charge — we'll refund CHF 240 …" It has to be deterministic and offline — regex and checksums, not an LLM or a cloud “PII detection” API. A model-based redactor inherits the same blind spots that let a model leak in the first place, and a cloud API means you have already sent the personal data somewhere to find it. So a Swiss AHV is validated by its EAN-13 check digit, an IBAN by ISO-7064 mod-97, a card by Luhn. It runs air-gapped and fails closed: if something looks like an identifier, it is withheld, not waved through.
Does redacting the prompt make the model dumber? I measured it rather than guessing — three real Swiss business documents, three models, judged blind.
Open source under Apache-2.0 — the stdlib-only detector core, the tokenize → restore
round-trip, and this demo. pip install sovereign-shield-ch.
Where it stops
- Structured identifiers (AHV, IBAN, card, phone, email) are the deterministic core. Person names and street addresses need a named-entity model — plug one in and fail closed on the high-risk flows.
- Some tasks genuinely need the real value (validate this IBAN; compute an age from a date of birth). Tokenisation is a per-field policy, not a blanket switch.
- It's not encoding-robust, and it's data minimisation and residency — not a DPIA, not legal advice. It's the outer, deliberately-dumb layer of a defence-in-depth stack.
Write-up
Sovereign Shield grew out of K.E.V.I.N., the autonomous red-teaming research that proved why you can't trust a model to police itself — and why the boundary has to sit outside it.