Philterd

Talk to an Expert

Tell us about your stack and the privacy problems you're trying to solve. We typically respond within one business day.

Prefer to skip the form? Pick a time on our calendar →
or send a message

Please do not enter PII or PHI in this form. If you need to share an example, use a sanitized one.

← All industries

AI Training Data & Data Labeling

PII Redaction for AI Training Data

Models memorize what they’re trained on. Customer support transcripts, internal docs, clinical notes, legal corpora — whatever is in the training set can come back out in generation. Philter de-identifies the corpus before training; Arbiter routes edge cases to human reviewers; the labeled output is what reaches the model.

Or deploy Philter yourself →

The AI-training-data PII problem

Training data is forever. Once a corpus is included in a pre-training, fine-tuning, or RLHF run, the model can regurgitate snippets from that data verbatim under the right prompt. For organizations training on internal corpora — support transcripts, clinical notes, legal documents, internal wiki content, customer correspondence — this turns the training set into a privacy attack surface.

The conventional fix “just don’t train on PII” runs into operational reality: the data that’s useful for fine-tuning is the same data that contains the PII. A clinical-LLM is useful precisely because it trained on clinical text; a support-summarization model is useful because it saw support tickets. Stripping the data is the answer, but it has to happen with high precision and a human-review path for the cases the automated pass shouldn’t decide alone.

How Philterd handles AI training data

Pre-training corpus de-identification

Bulk-redact the dataset before it enters the training pipeline. Names, addresses, account numbers, identifiers, contact details — whatever the policy specifies. Run at scale across millions of documents in your existing data infrastructure.

Fine-tuning + RLHF data prep

Specifically for fine-tuning datasets: instruction pairs, conversation traces, and preference data routinely contain customer PII, employee PII, and identifying context. The training-data prep policy is the starting point.

Arbiter human-in-the-loop review

Automated redaction handles the obvious cases at scale. Arbiter routes the gray cases — ambiguous identifiers, redactions that change document meaning, judgment calls about what constitutes PII in context — to qualified human reviewers with structured exemption codes.

Per-document consistency

When a document mentions “Dr. Smith” six times, all six become the same pseudonym. Cohort analyses, conversation continuity, and longitudinal patterns survive de-identification; direct re-identification doesn’t.

Date shifting for temporal data

Per-subject random date shifting preserves intervals between events (admission → discharge, ticket-open → resolution) without preserving absolute dates. Useful for any training task where time-between-events matters.

Stays in your perimeter

Training data is competitively sensitive even before you consider the PII. Philter runs in your existing cloud account — no third-party redaction service that you’d have to give read access to your training corpus.

Ready-to-use policies

Apache 2.0 policies from the open source policy library — download and load into your Philter instance.

AI Training v1.0.0

LLM Training Data Preparation

Aggressive PII redaction for documents being fed into LLM training, fine-tuning, or RAG vector stores — preserves semantic structure with type tokens.

AILLMfine-tuningtraining data

Browse all redaction policies →

Recent writing on AI training data

The Ethics of Training: Why We Use Synthetic Data

A privacy tool should never be trained on the very data it's meant to protect. Here's why Philterd's models are built entirely on synthetic data — and what that means for your compliance posture.

Building a Privacy-Aware RAG System

RAG pipelines have two distinct PII leak vectors: ingestion and inference. A defense-in-depth blueprint with code, using Philter, Philter AI Proxy, and the rest of the Philterd toolkit.

Why Using an LLM to Redact PII and PHI is a Bad Idea

We have seen a lot – and you probably have to – posts on various social media and blogging platforms showing how you can redact text using a large language model (LLM). They present a fairly simple solution to the complex problem of redaction. Can we really just let an LLM handle our text redaction…

All blog posts →

Where AI / data-labeling teams start

  1. Audit the training corpus for PII surfaces. Free-text fields, structured identifier columns, anything that came from a customer-facing or employee-facing system. Most teams underestimate by a factor of two.
  2. Pick the policy for your domain. Clinical text → clinical-notes de-id. Customer support → call recording / chat. Mixed → training-data prep.
  3. Run a pilot batch through Philter Scope. Measure precision and recall against a hand-labeled sample. Models trained on under-redacted data leak; models trained on over-redacted data lose useful signal.
  4. Route the gray cases to Arbiter. Reviewer decisions become structured labels that train the next pass. The cost of human review concentrates where it adds value.
  5. Wire into the training pipeline. Whether that’s a SageMaker job, a Hugging Face training script, or a custom GPU cluster — the redaction step happens at corpus-prep time, before the first training epoch.

Common deployments

1. Clinical-LLM training data prep. A healthcare or health-tech team is fine-tuning a model on de-identified clinical notes. The clinical-notes de-id policy applies HIPAA Safe Harbor identifiers with per-patient date shifting. Arbiter routes the documents containing borderline content (provider names embedded in dictated speech, medication-dose mentions that overlap with phone-number patterns) to clinical reviewers. The training set lands in the GPU cluster as a clean corpus; the model never sees direct identifiers.

2. Support-summarization fine-tuning. A B2B SaaS team is fine-tuning a customer-support summarization model on internal support transcripts. The transcripts contain customer names, company names, account IDs, and ticket-specific identifiers. Philter handles the bulk pass; Arbiter handles the cases where redaction would destroy the support context (e.g., a ticket where the customer’s product configuration is the whole point of the conversation, and the configuration itself is identifying).

3. RLHF preference-data scrubbing. Preference-pair datasets used in RLHF contain instructions, completions, and ranking. When the preferences came from internal annotators reviewing real production traffic, the data is rich with PII. The redaction step happens before the preference dataset is split into train / validation / holdout splits.

What teams need to be careful about

  • Recall matters more than precision. A leaked identifier in the training set can come back out at inference time; an over-redaction is just a slightly less useful training example. Tune toward higher recall; accept the precision cost; measure against a labeled holdout.
  • The reviewer pool is the labeling pool. Arbiter reviewers making redaction decisions are, structurally, labeling your data. Treat their decisions as labels: track inter-rater agreement, calibrate against a gold standard, and feed the structured outputs back into the next policy revision.
  • Memorization is non-binary. Even with thorough redaction, a small training set + a large model can memorize patterns that infer identity from non-PII context (job title + location + date). For the highest-stakes training, the redaction layer pairs with differential privacy at training time — see Philter Diffuse.

Build PII redaction into your AI training data pipeline

Training-data privacy is the part of model development where decisions compound. Talk to engineers who’ve thought through both the recall side (don’t leak PII) and the utility side (don’t destroy signal).

Or deploy Philter yourself →