Philterd

Talk to an Expert

Tell us about your stack and the privacy problems you're trying to solve. We typically respond within one business day.

Prefer email? support@philterd.ai

Prefer to skip the form? Pick a time on our calendar →
or send a message

Please do not enter PII or PHI in this form. If you need to share an example, use a sanitized one.

Security & Trust

How Philterd is built, how vulnerabilities are disclosed, and where your data lives (it stays with you).

Architecture and threat model

Philterd is self-hosted software. Every product in the toolkit (Philter, Phileas, PhEye, Philter AI Proxy, Phinder, Phield, Arbiter) runs inside your own infrastructure. There is no Philterd cloud, no SaaS endpoint, and no outbound connection back to Philterd servers at runtime.

The consequence for your threat model is direct: Philterd has no access to your data. There is nothing for Philterd to disclose, breach, or mishandle because the data never reaches us. Your PII stays inside the perimeter you control.

Where customer data lives

Customer data does not leave your environment:

  • Redaction processing runs in your VPC, on-premises environment, or air-gapped cluster.
  • No telemetry, usage metrics, or processed content is transmitted to Philterd or any third party.
  • Philterd products do not phone home.

Model training

Our NLP models are trained entirely on synthetic and publicly available datasets. No customer data is used in model training, benchmarking, or evaluation, at any stage.

Open source auditability

Every Philterd product is released under the Apache 2.0 license. The full source code is publicly available on GitHub. Security-conscious teams can:

  • Read the redaction and detection code directly before deploying.
  • Build from source rather than using published Docker images.
  • Run the test suite against their own inputs.
  • Fork and modify under the terms of the license.

Transparency is the baseline. If something looks wrong in the code, open an issue or a pull request.

Vulnerability disclosure

Philterd follows a responsible-disclosure model. If you discover a security vulnerability in any Philterd product, please report it privately before public disclosure.

To report a vulnerability:

  1. Email security@philterd.ai with a description of the issue, the affected component and version, and reproduction steps.
  2. We will acknowledge receipt within two business days.
  3. We will provide a remediation timeline within five business days.
  4. We coordinate a public disclosure date with the reporter after a patch is available.

Please do not open public GitHub issues for security vulnerabilities until a patch has been released and we have agreed on a disclosure date.

Supported versions and patch policy

Security fixes are applied to the current stable release series of each product. The prior major release series receives critical security patches for 90 days after a new major version ships. Older releases are unsupported.

The releases page lists the current stable version of each product.

Supply chain security

  • Dependency scanning: Dependencies are scanned for known vulnerabilities in CI on every commit.
  • Signed releases: Docker images and release artifacts are signed. Verification instructions are published in each repository.
  • SBOM availability: Software Bill of Materials files in CycloneDX format are available on request for enterprise customers evaluating supply-chain risk.
  • Reproducible builds: Build configurations are published in each repository so teams can reproduce release artifacts from source.

Sub-processors

Philterd has no sub-processors. Because all products are self-hosted, no customer data is processed by Philterd or any third-party service on Philterd’s behalf.

Data Processing Agreements and Business Associate Agreements

DPA and BAA templates are available for enterprise customers and regulated-industry deployments (HIPAA, GDPR, and others). Contact us to request a copy or to initiate a countersigned agreement.

Compliance

For a full mapping of Philterd products to specific regulatory frameworks (HIPAA Safe Harbor, GDPR, PCI DSS, GLBA, FERPA, FedRAMP, and others), see the Compliance Matrix.