Project

Sovereign Shield

Use any LLM — Gemini, Claude, DeepSeek — while no personal data ever leaves Switzerland. A deterministic gateway swaps every Swiss identifier for a placeholder before the prompt crosses the border, and restores the real values on the way back.

An employee pastes a customer email into ChatGPT to draft a reply — a name, an AHV number, an IBAN. Thirty seconds saved, and a cross-border transfer of personal data to a US-hosted service: the exact act the revised Swiss FADP (and the GDPR) build their guardrails around. The violation isn't the model misbehaving. It's the data leaving the boundary.

So the fix is a boundary, not a better promise. Sovereign Shield is a small proxy on the egress path: on the way out it swaps every Swiss identifier for a stable placeholder, the model answers on the placeholders, and the real values are restored on the way back. The reply comes back perfect and personalised — and the model only ever saw [PERSON_1]. Even if the provider logs every prompt it receives, it logged placeholders.

Draft a reply to Hans Muster (AHV 756.1234.5678.97, IBAN CH93 0076 …).

  ↓  🛡  the only thing that crosses the border

Draft a reply to [PERSON_1] ([AHV_1], [IBAN_1]).

  ↓  the model answers on the placeholders

"Dear [PERSON_1], sorry about the double charge — we'll refund CHF 240 …"

  ↓  🛡  restored on the way back

"Dear Hans Muster, sorry about the double charge — we'll refund CHF 240 …"

It has to be deterministic and offline — regex and checksums, not an LLM or a cloud “PII detection” API. A model-based redactor inherits the same blind spots that let a model leak in the first place, and a cloud API means you have already sent the personal data somewhere to find it. So a Swiss AHV is validated by its EAN-13 check digit, an IBAN by ISO-7064 mod-97, a card by Luhn. It runs air-gapped and fails closed: if something looks like an identifier, it is withheld, not waved through.

Does redacting the prompt make the model dumber? I measured it rather than guessing — three real Swiss business documents, three models, judged blind.

Privacy total No raw personal data reached a model; the token↔value round-trip was flawless.
Utility a small cost Task-dependent and mild — names, amounts, and numbers stayed correct either way.
The numbers and the caveats →

Open source under Apache-2.0 — the stdlib-only detector core, the tokenize → restore round-trip, and this demo. pip install sovereign-shield-ch.

Where it stops

  • Structured identifiers (AHV, IBAN, card, phone, email) are the deterministic core. Person names and street addresses need a named-entity model — plug one in and fail closed on the high-risk flows.
  • Some tasks genuinely need the real value (validate this IBAN; compute an age from a date of birth). Tokenisation is a per-field policy, not a blanket switch.
  • It's not encoding-robust, and it's data minimisation and residency — not a DPIA, not legal advice. It's the outer, deliberately-dumb layer of a defence-in-depth stack.

Write-up

Sovereign Shield grew out of K.E.V.I.N., the autonomous red-teaming research that proved why you can't trust a model to police itself — and why the boundary has to sit outside it.