Privara
Encryption Keys
PII vault entries use a stable key and are always recoverable after rotation.
Quickstart
Integrate Privara PII protection — backend service, drop-in ready
How Privara works

Privara runs alongside your chatbot as a background process — it is never inline. Your LLM always receives the full original message for personalization. Privara asynchronously detects and protects PII from your Conversation DB after messages are written to it.

[Figure: Privara integration flow — architecture with ownership boundaries.
Client's system: User message (raw text, unmodified); Client API gateway (TLS, auth, rate limit); Chatbot frontend (receives full input); Conversation DB (client-owned, raw messages, temporary / rolling window); Chatbot engine (reads full history); LLM API (sees full text, personalizes); Response to user (personalized, uninterrupted).
Privara, background process (async read): Privara listener (polls / webhook trigger); POST /api/protect (detect PII, replace with tokens); Fernet encryption (encrypt full message blob); Encrypted DB (client-owned); PII Vault (token → value).
Authorized access (online, every call audit-logged): POST /api/decrypt (API key + current enc key); Audit log (every decrypt is recorded).
Legend: client-owned; Privara-owned; async read (never blocks chatbot); authorized access.]
Your LLM always sees the full original text. Personalization is never affected. The Conversation DB is yours — Privara only reads from it, never writes to it.
Three detection layers (all run on every /protect call)
Layer 1 — Regex
SSN, credit card, IBAN, TIN, SSS, PhilHealth, PH mobile, email, IP, URL, bank account, routing, SWIFT, address, DOB
Layer 2 — spaCy NER
Named entities — PERSON, ORG, LOC, GPE, DATE, MONEY extracted from natural language context
Layer 3 — AI MODEL
Contextual PII — "my name is…", stated ages, "contact number is…", and anything layers 1–2 miss
Base URL: https://privara.onrender.com
Integration Steps
1. Create your account
Your account is active and ready. No further action needed here.
2. Create your API key & encryption key
Two credentials are generated together: an API key (X-API-Key header on every request, format: sk_live_{client}_{32chars}) and a Fernet encryption key used to encrypt message blobs. Both are shown once only — copy them immediately.
Store both keys securely on your backend. Never expose either in frontend/browser code. The encryption key auto-rotates every 3 minutes — you will retrieve the current one via your TOTP flow, not store it statically.
3. POST /api/protect — detect, tokenize & encrypt in one call
This is the core endpoint. It runs all three detection layers, replaces each PII value with a reversible token stored in the PII Vault, then Fernet-encrypts the entire tokenized message and prepends a fingerprint tag. Store the returned safe_message blob in your Encrypted DB. Tokenization is included — no separate step needed.
Token prefixes by risk level
critical: [SSN_…], [CARD_…], [PII_…] (IBAN/TIN/passport)
high: [NAME_…], [PII_…] (SSS/PhilHealth/DOB)
moderate: [EMAIL_…], [PHONE_…], [LOC_…]
low: [IP_…], [URL_…], [ORG_…]
Token format: [PREFIX_XXXXXXXX] where the 8-char hex is MD5(pii_type:value) — deterministic, deduplicated per client.
import requests

res = requests.post(
    "https://privara.onrender.com/api/protect",
    headers={"X-API-Key": "sk_live_yourclient_..."},
    json={
        "message": "Hi I'm Juan dela Cruz. SSN: 123-45-6789, card: 4111 1111 1111 1111",
        "user_id": "user_abc123",  # optional — logged as client:user_id in audit trail
    },
)
data = res.json()
# data["safe_message"]    → "fp:a1b2c3d4e5f6a7b8:gAAAAAB..."  ← store this in your Encrypted DB
# data["pii_found"]       → [{type, risk_level, confidence}, ...]
# data["risk_score"]      → 0.0–100.0 (NIST SP 800-122)
# data["original_length"] → char count of original message

const res = await fetch("https://privara.onrender.com/api/protect", {
  method: "POST",
  headers: {
    "X-API-Key": "sk_live_yourclient_...",
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    message: "Hi I'm Juan dela Cruz. SSN: 123-45-6789",
    user_id: "user_abc123"
  })
});
const data = await res.json();
// data.safe_message → fingerprint-tagged encrypted blob — store in your Encrypted DB
// data.pii_found    → [{type, risk_level, confidence}, ...]

curl -X POST https://privara.onrender.com/api/protect \
  -H "X-API-Key: sk_live_yourclient_..." \
  -H "Content-Type: application/json" \
  -d '{"message":"Hi I am Juan dela Cruz, SSN 123-45-6789","user_id":"u1"}'
Responses
{
  "safe_message": "fp:a1b2c3d4e5f6a7b8:gAAAAAB...",  // fingerprint:hex16:ciphertext — store this
  "original_length": 64,
  "pii_found": [
    { "type": "person_ctx", "risk_level": "high", "confidence": "0.9" },
    { "type": "ssn", "risk_level": "critical", "confidence": "1.0" },
    { "type": "credit_card", "risk_level": "critical", "confidence": "1.0" }
  ],
  "risk_score": 100.0,
  "encryption_enabled": true
}
Fingerprint blob format: fp:<16hex>:<ciphertext> — the hex is SHA-256[:16] of the enc key used. /api/decrypt reads it for O(1) key lookup across all past rotation windows. You never manage old keys.
4. Understand the encryption key lifecycle (3-min TTL)
Each client has a per-client Fernet key that auto-rotates every 180 seconds. This key authenticates decrypt calls (Layer 2 auth) and is what the 423 response tells you has expired. Old keys are saved server-side — all past blobs remain decryptable via fingerprint lookup.
Key issued (t = 0s) → Active (0 – 180s) → Expires (423 on write) → New key (auto-issued) → Old key (saved to history)
Always pass your current enc key as Layer 2 auth — not the key that was active when the blob was created. The server resolves the correct historical key internally via fingerprint. Passing a rotated/old key returns HTTP 400.
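A client-side check for the blob format from step 3 and the rotation behaviour from step 4, as an added example (not Privara's own code): it validates each stored blob's shape and reports which ones were written under the current key versus an earlier rotation window. It assumes the fingerprint is SHA-256 over the key's base64 text, truncated to 16 hex characters; key_fingerprint, parse_blob and rotation_report are hypothetical helper names, and the sample key and token are constructed.

```python
import base64
import hashlib
import re
from collections import Counter

# Documented layout: fp:<16 hex>:<ciphertext>, where ciphertext is a Fernet token.
BLOB_RE = re.compile(r"^fp:([0-9a-f]{16}):([A-Za-z0-9_-]+={0,2})$")
FERNET_MIN_LEN = 1 + 8 + 16 + 16 + 32  # version, timestamp, IV, one AES block, HMAC

def key_fingerprint(enc_key: str) -> str:
    """ASSUMPTION: SHA-256 over the key's base64 text, first 16 hex characters."""
    return hashlib.sha256(enc_key.encode("ascii")).hexdigest()[:16]

def parse_blob(blob: str):
    """Return (fingerprint, ciphertext); raise ValueError if the blob is malformed."""
    match = BLOB_RE.match(blob.strip())
    if not match:
        raise ValueError("not a fp:<16hex>:<ciphertext> blob")
    fingerprint, ciphertext = match.groups()
    raw = base64.urlsafe_b64decode(ciphertext + "=" * (-len(ciphertext) % 4))
    # Every Fernet token starts with version byte 0x80 and has a fixed minimum size.
    if len(raw) < FERNET_MIN_LEN or raw[0] != 0x80:
        raise ValueError("ciphertext is not shaped like a Fernet token")
    return fingerprint, ciphertext

def rotation_report(blobs, current_key: str) -> dict:
    """Count blobs written under the current key, under past keys, or malformed."""
    current = key_fingerprint(current_key)
    report = Counter()
    for blob in blobs:
        try:
            fingerprint, _ = parse_blob(blob)
        except ValueError:
            report["malformed"] += 1
            continue
        report["current_window" if fingerprint == current else "past_window"] += 1
    return dict(report)

# Constructed sample data: not a real key and not real ciphertext.
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
SAMPLE_TOKEN = base64.urlsafe_b64encode(b"\x80" + bytes(72)).decode()
SAMPLE_BLOBS = [
    f"fp:{key_fingerprint(SAMPLE_KEY)}:{SAMPLE_TOKEN}",  # current rotation window
    f"fp:a1b2c3d4e5f6a7b8:{SAMPLE_TOKEN}",               # earlier rotation window
    "fp:a1b2c3d4e5f6a7b8:gAAAAAB...",                    # truncated, as printed in the docs
]
print(rotation_report(SAMPLE_BLOBS, SAMPLE_KEY))
```

A blob counted as past_window is still decryptable: you send your current key and the server resolves the historical key from the tag. A blob counted as malformed should be rejected before it is written to your Encrypted DB.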
5. Bulk-decrypt with Vault Decoder
Have a CSV, Excel, or JSON export from your Encrypted DB? The built-in Vault Decoder bulk-decrypts in-browser — no code needed.
  1. Upload your file — CSV, Excel (.xlsx), JSON, or TXT
  2. Select the column containing the fp:…:… blobs
  3. Enter your API key and your current encryption key
  4. Click "Decrypt All" — rows are decrypted in batches and a clean file downloads automatically
6. Monitor usage & audit logs
Every /api/protect and /api/decrypt call produces an audit log entry (timestamp, action, IP, status, PII types, risk score). Review in Usage and Logs — filter by action, status, or risk tier and export for compliance reporting.
Additional Endpoints
POST /api/protect-image PII detection on image uploads via OCR

Accepts an image (PNG, JPG). OCR extracts text, then the same three-layer detection pipeline runs on the extracted content. Useful for scanned IDs, forms, or screenshots.

🔑 X-API-Key  |  multipart/form-data
import requests

with open("scanned_id.png", "rb") as f:
    res = requests.post(
        "https://privara.onrender.com/api/protect-image",
        headers={"X-API-Key": "sk_live_yourclient_..."},
        files={"file": ("scanned_id.png", f, "image/png")},
    )
data = res.json()
print(data["extracted_text"])  # raw OCR output
print(data["protected_text"])  # PII replaced with tokens
print(data["pii_found"])       # detections list
PII Types & Token Prefixes

Token format: [PREFIX_XXXXXXXX] where the 8-char hex suffix is MD5(pii_type:value). The same value always produces the same token within your client scope — deterministic and deduplicated.

Token prefix | PII type | Risk level
[SSN_…] | Social Security Number | critical
[CARD_…] | Credit / debit card (PAN) | critical
[PII_…] | Bank account, IBAN, routing, TIN, passport | critical
[NAME_…] | Person name (spaCy / contextual) | high
[PII_…] | SSS, PhilHealth, Date of birth | high
[PII_…] | SWIFT/BIC, Driver's license | high
[EMAIL_…] | Email address | moderate
[PHONE_…] | Phone / PH mobile (09xx / +639xx) | moderate
[ZIP_…] [LOC_…] | Postal code, Address / location / GPE, Age | moderate
[IP_…] | IP address | low
[URL_…] | URL | low
[ORG_…] [AMT_…] | Organization name, Money amount | low
Risk Scoring

risk_score is 0.0–100.0, computed per NIST SP 800-122: additive base score by PII type × combination multiplier (highest applicable), normalized to 100.

Critical — 100 pts: SSN, credit card, bank account, IBAN, routing, TIN, passport
High — 50 pts: PERSON, SSS, PhilHealth, DOB, SWIFT/BIC, driver's license
Moderate — 25 pts: Email, phone, postal code, address, location, age, nationality
Low — 10 pts: IP address, URL, organization name, money amount
Combination multiplier (NIST SP 800-122 §3.1): When multiple high-risk types co-occur, the highest multiplier is applied once. Examples: person + credit_card → ×1.5  |  person + SSN → ×1.4  |  person + email/phone → ×1.3. Score is capped at 100. NIST impact level mapping: ≥50 → High, ≥20 → Moderate, <20 → Low.
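The scoring rule above, worked through as an added example (not Privara's own code) that recomputes risk_score from a response's pii_found list so a client can cross-check what the API returns. It assumes "normalized to 100" means the cap stated above, that every pii_found entry contributes its tier's points once, and that "person", "email" and "phone" are valid type names; only "person_ctx", "ssn" and "credit_card" appear on this page. The function names are hypothetical.

```python
# Points per tier and impact thresholds as stated in the Risk Scoring section.
BASE_POINTS = {"critical": 100, "high": 50, "moderate": 25, "low": 10}

# ASSUMPTION: "person_ctx", "ssn" and "credit_card" come from the sample response;
# "person", "email" and "phone" are guessed type names for the other combinations.
PERSON_TYPES = {"person", "person_ctx"}
COMBOS = [({"credit_card"}, 1.5), ({"ssn"}, 1.4), ({"email", "phone"}, 1.3)]

def impact_level(score: float) -> str:
    """NIST impact mapping from the page: >=50 High, >=20 Moderate, else Low."""
    if score >= 50:
        return "High"
    return "Moderate" if score >= 20 else "Low"

def recompute_risk(pii_found):
    """Additive base score times the highest applicable multiplier, capped at 100."""
    types = {item["type"] for item in pii_found}
    # ASSUMPTION: every entry in pii_found contributes its tier's points once.
    base = sum(BASE_POINTS[item["risk_level"]] for item in pii_found)
    multiplier = 1.0
    if types & PERSON_TYPES:
        hits = [m for partners, m in COMBOS if types & partners]
        multiplier = max(hits, default=1.0)  # highest multiplier, applied once
    score = round(min(100.0, base * multiplier), 1)
    return score, impact_level(score)

def check_response(response: dict, tolerance: float = 0.5) -> bool:
    """True when the API's risk_score agrees with the local recomputation."""
    expected, _ = recompute_risk(response["pii_found"])
    return abs(expected - float(response["risk_score"])) <= tolerance

# Sample response copied from the Responses section of this page.
SAMPLE_RESPONSE = {
    "pii_found": [
        {"type": "person_ctx", "risk_level": "high", "confidence": "0.9"},
        {"type": "ssn", "risk_level": "critical", "confidence": "1.0"},
        {"type": "credit_card", "risk_level": "critical", "confidence": "1.0"},
    ],
    "risk_score": 100.0,
}
print(recompute_risk(SAMPLE_RESPONSE["pii_found"]), check_response(SAMPLE_RESPONSE))
```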
Error Codes
Code | Source | Message | Action
400 | /api/decrypt | "Wrong encryption key for {client}." | Provide your current enc key
400 | /api/decrypt | "Decryption failed — data may be from a key window beyond history." | Contact Privara support
401 | all routes | "API key required. Include 'X-API-Key' header." | Add X-API-Key header
401 | all routes | "Invalid or expired API key" | Verify key or contact admin
403 | PathSecurityMiddleware | "Forbidden" | IP not whitelisted or key revoked
413 | ApiSecurityMiddleware | "Request too large" | Reduce payload size
422 | /api/decrypt | "encryption_key is required." | Include encryption_key in body
422 | all routes | FastAPI validation error (wrong field name / type) | Check field names match schema exactly
423 | /api/protect, /api/tokenize | "Encryption key expired. A new key has been automatically issued…" | Fetch new enc key via TOTP flow, retry
429 | RateLimitingMiddleware | "Rate limit exceeded" | Back off and retry after 1 minute
500 | all routes | "Protection failed…" / "Decryption failed…" / "Tokenization failed…" | Check Privara status, contact support
Rate Limits

Enforced per API key by middleware. Default limit is set at key creation (default: 60 req/min). Auth endpoints use a separate stricter limiter.

API routes (default) | 60 req/min | Configurable per key at creation
Auth / TOTP endpoints | 5 req/min | LoginRateLimitMiddleware
Enc key rotation | 180s TTL | Automatic — no client action needed
Compliance
Privara's PII detection and risk scoring are grounded in NIST SP 800-122, GDPR Art. 4 / Art. 9, HIPAA §164.514, PCI DSS v4.0, and RA 10173 (Philippine Data Privacy Act). Every protect and decrypt call produces an audit log entry.
What Privara stores
  • Token → encrypted PII value mappings (PII Vault)
  • SHA-256 fingerprints of enc keys (not the keys)
  • Full enc key history for decrypt (server-internal)
  • Audit log: timestamp, client, action, IP, status
  • API key usage log: endpoint, timestamp, IP
What Privara never stores
  • Plaintext PII values — always encrypted in vault
  • Your raw Conversation DB contents
  • Encrypted message blobs — returned to you, stored in your DB
  • API keys in plaintext — bcrypt-hashed only
  • Your users' unprotected messages
  • Old enc keys as active auth credentials