PII anonymisation · Switzerland
Sovereign Cockpit
Anonymise, review and release confidential data locally — the raw text never leaves your control, and you can prove it.
A controlled workflow before any cloud model or dispatch: confidential data is anonymised locally, every step stays provable in the audit trail — only the sanitised version goes out, on your click.
How it works
01
Replace locally
Confidential data is detected on this machine and replaced with placeholders — nothing is sent to the cloud.
02
Review & release
Only your click at the human gate releases the anonymised version; the mapping with the original values stays on the server.
03
Re-identify
Paste the external model's response back in — Sovereign Cockpit restores the original values.
What it delivers
Enforced human gate. Nothing leaves the server without your release.
Tamper-evident audit trail. HMAC-chained, provably unaltered, PII-free.
Your own standard terms. Company name, clients, product codes — entered once, anonymised in every document.
Swiss data types built in. AHV, IBAN, CHE-UID, GLN/ZSR and more.
Encrypted mapping. Re-ID keys AES-256-GCM, auto-deleted after 24 h.
Offline-capable sign-in. In-app users, bcrypt, no external service.
German & English. Fully bilingual interface.
Data kept in Switzerland. On-premise or hosted — your choice.
Deployment options
Highest sovereignty
On-premise
App and name detection run entirely on your side. No data egress, your own hardware.
Hybrid
Your DC + Swiss cloud
App in your data centre, name detection via a Swiss cloud API.
Hosted · CH
Single-tenant
We run an isolated instance per customer in Switzerland — own key, own audit trail.
Indicative pricing
Hosted (CH)
from CHF 250 / month · annual plan
Isolated instance, data kept in Switzerland, up to 5 users. Operated by iConference.
On-premise
from CHF 180 / month · annual plan
Runs on your hardware (requirements on consultation), up to 5 users.
Indicative per instance/company. Concrete quote after a short conversation.
Security architecture
Several independent layers, not one model
Deterministic CH recognisers
→
NER (person/location/org)
→
Local free-text pass
→
Merge
Human gate
→
Manual masking
→
Independent egress backstop
The egress backstop is a second, deliberately broader check before release — independent of the main recogniser, so a gap does not sit twice in the same layer.
What stays protected
Mapping encryptedRe-identification keys with AES-256-GCM. Auto-deleted after 24 h (window configurable) — after that re-identification is no longer possible.
Tamper-evident audit trailHMAC-chained log, PII-free, every change provable.
Fail-closed everywhereIf a step fails (detection, scanned PDF without a text layer), the case aborts — rather than passing on unchecked data.
Egress control before releaseIf protected values remain in plain text, release is held and put to you for approval; a deliberate release is recorded in the audit trail.
Detected data types (Swiss focus)
AHV number
CH IBAN
CHE-UID
GLN
ZSR
Credit card
VAT ID
Case number
E-mail / phone
Address / ZIP
Company
Person (NER)
Location (NER)
Organisation (NER)
Free-text names
Formats & limits
Supported: PDF with a text layer, Markdown, text, Excel (XLSX).
Scanned PDFs without a text layer are deliberately rejected (fail-closed) — OCR is on the roadmap.
Limit 150,000 characters or 25 MB per upload.
Models
Name detection either fully local or via a Swiss cloud API.
Model-independent: protection rests on several independent check layers, not on a single model — you are not tied to any particular AI model.
Positioning
A pre-stage tool, not a platform
Sovereign Cockpit sits in front of anything you send out — a cloud model, email or handover — and replaces neither chatbot, RAG nor DMS. At its core: an enforced release by a human in the reversible flow and a tamper-evident audit trail; Swiss identifiers are recognised out of the box.