iConference AG
PII anonymisation · Switzerland

Sovereign Cockpit

Anonymise, review and release confidential data locally — the raw text never leaves your control, and you can prove it.

A controlled workflow before any cloud model or dispatch: confidential data is anonymised locally, every step stays provable in the audit trail — only the sanitised version goes out, on your click.
How it works
01

Replace locally

Confidential data is detected on this machine and replaced with placeholders — nothing is sent to the cloud.

02

Review & release

Only your click at the human gate releases the anonymised version; the mapping with the original values stays on the server.

03

Re-identify

Paste the external model's response back in — Sovereign Cockpit restores the original values.

What it delivers
Enforced human gate. Nothing leaves the server without your release.
Tamper-evident audit trail. HMAC-chained, provably unaltered, PII-free.
Your own standard terms. Company name, clients, product codes — entered once, anonymised in every document.
Swiss data types built in. AHV, IBAN, CHE-UID, GLN/ZSR and more.
Encrypted mapping. Re-ID keys AES-256-GCM, auto-deleted after 24 h.
Offline-capable sign-in. In-app users, bcrypt, no external service.
German & English. Fully bilingual interface.
Data kept in Switzerland. On-premise or hosted — your choice.
Deployment options
Highest sovereignty

On-premise

App and name detection run entirely on your side. No data egress, your own hardware.

Hybrid

Your DC + Swiss cloud

App in your data centre, name detection via a Swiss cloud API.

Hosted · CH

Single-tenant

We run an isolated instance per customer in Switzerland — own key, own audit trail.

Indicative pricing
Hosted (CH)
from CHF 250 / month · annual plan
Isolated instance, data kept in Switzerland, up to 5 users. Operated by iConference.
On-premise
from CHF 180 / month · annual plan
Runs on your hardware (requirements on consultation), up to 5 users.

Indicative per instance/company. Concrete quote after a short conversation.

Security architecture

Several independent layers, not one model

Deterministic CH recognisers NER (person/location/org) Local free-text pass Merge
Human gate Manual masking Independent egress backstop

The egress backstop is a second, deliberately broader check before release — independent of the main recogniser, so a gap does not sit twice in the same layer.

What stays protected
Mapping encryptedRe-identification keys with AES-256-GCM. Auto-deleted after 24 h (window configurable) — after that re-identification is no longer possible.
Tamper-evident audit trailHMAC-chained log, PII-free, every change provable.
Fail-closed everywhereIf a step fails (detection, scanned PDF without a text layer), the case aborts — rather than passing on unchecked data.
Egress control before releaseIf protected values remain in plain text, release is held and put to you for approval; a deliberate release is recorded in the audit trail.
Detected data types (Swiss focus)
AHV number CH IBAN CHE-UID GLN ZSR Credit card VAT ID Case number E-mail / phone Address / ZIP Company Person (NER) Location (NER) Organisation (NER) Free-text names
Formats & limits

Supported: PDF with a text layer, Markdown, text, Excel (XLSX).

Scanned PDFs without a text layer are deliberately rejected (fail-closed) — OCR is on the roadmap.

Limit 150,000 characters or 25 MB per upload.

Models

Name detection either fully local or via a Swiss cloud API.

Model-independent: protection rests on several independent check layers, not on a single model — you are not tied to any particular AI model.

Positioning

A pre-stage tool, not a platform

Sovereign Cockpit sits in front of anything you send out — a cloud model, email or handover — and replaces neither chatbot, RAG nor DMS. At its core: an enforced release by a human in the reversible flow and a tamper-evident audit trail; Swiss identifiers are recognised out of the box.