Architecture & Concepts
Cloakr.ai provides a comprehensive enterprise AI security platform with end-to-end encryption, PII protection, and intelligent routing. This document explains the core architecture and how data flows through the system.
How It Works
Cloakr.ai follows a 5-step process to ensure your AI interactions are secure, compliant, and optimized:
graph LR
A[Client SDK] --> B[Gateway]
B --> C[PII Redaction]
C --> D[Router]
D --> E[LLM API]
E --> F[Re-post-process]
F --> G[Encrypt Response]
G --> A
Step 1: Client Encryption
Your application encrypts prompts with AES-256-GCM and can apply local PII redaction hooks before sending them.
Step 2: Gateway Processing
The Cloakr Gateway receives your encrypted data, decrypts it, and begins the security processing pipeline.
Step 3: PII Redaction & Sanitization
Advanced NLP models detect and redact sensitive information like names, emails, credit cards, and SSNs.
Step 4: Intelligent Routing
The system routes your request to the optimal LLM based on cost, performance, and compliance requirements.
Step 5: Response Processing
The LLM response is re-processed, re-encrypted, and returned to your application.
Core Components
Client SDK
- AES-256-GCM encryption for end-to-end security
- Local PII redaction hooks for sensitive data detection
- Automatic retry logic with exponential backoff
- Connection pooling for optimal performance
Gateway
- Decryption engine with hardware acceleration
- PII redaction engine using hybrid NER + regex rules
- Intelligent router with cost optimization
- Rate limiting and load balancing
- Audit logging with SHA-256 hashing
RAG Layer
- Vector store using Qdrant/Weaviate
- Embedding generation with multiple models
- Semantic search with configurable similarity thresholds
- Knowledge base management with versioning
Audit Logging
- Append-only ledger with cryptographic integrity
- SHA-256 hashing for tamper detection
- Compliance exports in CSV/JSON formats
- Real-time monitoring with alerting
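One way to build the append-only, SHA-256-protected ledger listed above, as an added example that is not Cloakr's own code: each entry commits to the hash of the previous one, and verification compares the final hash with a copy stored outside the ledger. The entry fields, function names and sample events are assumptions made for illustration.

```javascript
// Added example: hash-chained audit ledger; the entry layout is assumed, not Cloakr's schema.
const { createHash } = require("node:crypto");
const GENESIS = "0".repeat(64); // prevHash used by the first entry
// Hash a fixed-order array so the same entry always serializes identically.
function entryHash(prevHash, seq, e) {
  const body = JSON.stringify([prevHash, seq, e.ts, e.actor, e.action, e.detail]);
  return createHash("sha256").update(body).digest("hex");
}

// Each new entry commits to the hash of the entry before it.
function append(ledger, event) {
  const seq = ledger.length;
  const prevHash = seq ? ledger[seq - 1].hash : GENESIS;
  const hash = entryHash(prevHash, seq, event);
  ledger.push(Object.freeze({ seq, prevHash, ...event, hash }));
  return hash; // new head hash: keep a copy outside the ledger
}

// trustedHead is the head hash kept out of band, where a ledger writer cannot reach it.
function verify(ledger, trustedHead) {
  let prev = GENESIS;
  for (let i = 0; i < ledger.length; i++) {
    const e = ledger[i];
    if (e.seq !== i) return { ok: false, at: i, reason: "sequence gap" };
    if (e.prevHash !== prev) return { ok: false, at: i, reason: "broken link" };
    if (entryHash(prev, i, e) !== e.hash) return { ok: false, at: i, reason: "entry modified" };
    prev = e.hash;
  }
  if (prev !== trustedHead) return { ok: false, at: ledger.length, reason: "head mismatch" };
  return { ok: true, at: -1, reason: "" };
}

function demo() {
  // Constructed events; detail holds labels and counts, never the redacted values.
  const events = [
    { ts: 1700000000, actor: "gateway", action: "redact", detail: "NAME:1" },
    { ts: 1700000001, actor: "gateway", action: "route", detail: "gpt-4o" },
    { ts: 1700000002, actor: "gateway", action: "redact", detail: "EMAIL:2" },
  ];
  const ledger = [], rewritten = [];
  let head = "";
  for (const ev of events) head = append(ledger, ev);
  // Entry 1 changed while the stored hashes are left alone.
  const edited = ledger.map((e) => (e.seq === 1 ? { ...e, detail: "other-model" } : e));
  const deleted = ledger.filter((e) => e.seq !== 1); // middle entry removed
  // Entry changed and every hash recomputed: only the out-of-band head catches it.
  for (const ev of events) append(rewritten, { ...ev, detail: ev.action === "route" ? "other-model" : ev.detail });
  return { intact: verify(ledger, head), edited: verify(edited, head), deleted: verify(deleted, head),
    truncated: verify(ledger.slice(0, 2), head), rewritten: verify(rewritten, head) };
}
console.log(demo());
```

A bare SHA-256 chain detects tampering only relative to the externally stored head hash: in the `rewritten` case the chain is internally consistent and fails only the head comparison.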
Dashboard
- React + Node.js interface
- Policy management with visual editor
- Analytics dashboard with real-time metrics
- Compliance reporting with automated exports
Data Flow
1. Client Request
// Your application encrypts the prompt locally
const encryptedPrompt = client.encrypt("Hello, my name is John Doe");
const request = {
  model: 'gpt-4o',
  prompt: encryptedPrompt,
  stream: false
};
2. Gateway Processing
// Gateway receives encrypted data
Gateway.process({
  encryptedData: request.prompt,
  model: request.model,
  metadata: {
    userId: 'user123',
    sessionId: 'session456',
    timestamp: Date.now()
  }
});
3. PII Redaction
// Sensitive data is detected and redacted
const redactedPrompt = PIIEngine.redact(decryptedPrompt);
// "Hello, my name is [REDACTED_NAME]"
4. LLM Routing
// Intelligent routing based on cost and performance
const route = Router.select({
  model: 'gpt-4o',
  cost: 'optimize',
  compliance: 'hipaa',
  region: 'us-east-1'
});
5. Response Processing
// Response is re-encrypted and returned
const encryptedResponse = client.encrypt(llmResponse);
return {
  id: 'chat_abc123',
  choices: [{
    text: encryptedResponse
  }]
};
Security Architecture
Encryption Layers
- Transport Layer: TLS 1.3 with perfect forward secrecy
- Application Layer: AES-256-GCM with unique nonces
- Storage Layer: Encrypted at rest with customer-managed keys
PII Protection
- Hybrid Detection: NER models + regex patterns
- Custom Rules: Configurable redaction policies
- Audit Trail: Complete logging of redaction actions
Compliance Features
- SOC 2 Type II: Annual security audits
- GDPR Ready: Data residency and deletion controls
- HIPAA Compliant: Healthcare data protection
- PCI DSS: Payment card industry standards
Performance Optimizations
Caching Strategy
- Response caching with TTL-based invalidation
- Embedding caching for RAG operations
- Connection pooling for API efficiency
Load Balancing
- Geographic routing for latency optimization
- Cost-based routing for budget management
- Failover handling with automatic retries
Scaling
- Horizontal scaling with Kubernetes
- Database sharding for high throughput
- CDN integration for global performance
Regional Deployment
Cloakr.ai supports multiple regions for data residency compliance:
- US East (N. Virginia) - Default region
- US West (Oregon) - West Coast optimization
- EU (Frankfurt) - GDPR compliance
- Asia Pacific (Singapore) - APAC optimization
- India (Mumbai) - Local data residency
Next Steps
- API Reference - Explore the complete API
- SDK Tutorials - Learn advanced features
- Security & Compliance - Enterprise security details
- Guides & Best Practices - Optimization tips