
Architecture & Concepts

Cloakr.ai provides a comprehensive enterprise AI security platform with end-to-end encryption, PII protection, and intelligent routing. This document explains the core architecture and how data flows through the system.

How It Works

Cloakr.ai follows a 5-step process to ensure your AI interactions are secure, compliant, and optimized:

graph LR
    A[Client SDK] --> B[Gateway]
    B --> C[PII Redaction]
    C --> D[Router]
    D --> E[LLM API]
    E --> F[Re-post-process]
    F --> G[Encrypt Response]
    G --> A

Step 1: Client Encryption

Your application encrypts each prompt with AES-256-GCM before sending it, and local PII redaction hooks run on the client.

Step 2: Gateway Processing

The Cloakr Gateway receives your encrypted data and begins the security processing pipeline.

Step 3: PII Redaction & Sanitization

Advanced NLP models detect and redact sensitive information like names, emails, credit cards, and SSNs.

Step 4: Intelligent Routing

The system routes your request to the optimal LLM based on cost, performance, and compliance requirements.

Step 5: Response Processing

The LLM response is re-processed, re-encrypted, and returned to your application.

Core Components

Client SDK

  • AES-256-GCM encryption for end-to-end security
  • Local PII redaction hooks for sensitive data detection
  • Automatic retry logic with exponential backoff
  • Connection pooling for optimal performance

Gateway

  • Decryption engine with hardware acceleration
  • PII redaction engine using hybrid NER + regex rules
  • Intelligent router with cost optimization
  • Rate limiting and load balancing
  • Audit logging with SHA-256 hashing

RAG Layer

  • Vector store using Qdrant/Weaviate
  • Embedding generation with multiple models
  • Semantic search with configurable similarity thresholds
  • Knowledge base management with versioning

Audit Logging

  • Append-only ledger with cryptographic integrity
  • SHA-256 hashing for tamper detection
  • Compliance exports in CSV/JSON formats
  • Real-time monitoring with alerting

Dashboard

  • React + Node.js interface
  • Policy management with visual editor
  • Analytics dashboard with real-time metrics
  • Compliance reporting with automated exports

Data Flow

1. Client Request

// Your application encrypts the prompt locally
const encryptedPrompt = client.encrypt("Hello, my name is John Doe");
const request = {
  model: 'gpt-4o',
  prompt: encryptedPrompt,
  stream: false
};

2. Gateway Processing

// Gateway receives encrypted data
Gateway.process({
  encryptedData: request.prompt,
  model: request.model,
  metadata: {
    userId: 'user123',
    sessionId: 'session456',
    timestamp: Date.now()
  }
});

3. PII Redaction

// Sensitive data is detected and redacted
const redactedPrompt = PIIEngine.redact(decryptedPrompt);
// "Hello, my name is [REDACTED_NAME]"

4. LLM Routing

// Intelligent routing based on cost and performance
const route = Router.select({
  model: 'gpt-4o',
  cost: 'optimize',
  compliance: 'hipaa',
  region: 'us-east-1'
});

5. Response Processing

// Response is re-encrypted and returned
const encryptedResponse = client.encrypt(llmResponse);
return {
  id: 'chat_abc123',
  choices: [{
    text: encryptedResponse
  }]
};

Security Architecture

Encryption Layers

  • Transport Layer: TLS 1.3 with perfect forward secrecy
  • Application Layer: AES-256-GCM with unique nonces
  • Storage Layer: Encrypted at rest with customer-managed keys
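
The application-layer scheme named above, sketched with Node.js's built-in crypto module as an added example (not Cloakr SDK code). The envelope fields, the function names `sealPrompt`, `openPrompt` and `isRejected`, and the choice to bind the model name as additional authenticated data (AAD) are assumptions, not documented Cloakr behaviour.

```javascript
// Added example, not Cloakr SDK code: envelope layout and names are assumptions.
const nodeCrypto = require('node:crypto');

// Seal a prompt with AES-256-GCM. Each call draws a fresh random 96-bit nonce;
// with random nonces, rotate the key well before 2^32 messages (NIST SP 800-38D).
// The model name is bound as AAD, so changing it in transit breaks the tag.
function sealPrompt(key, prompt, model) {
  if (!Buffer.isBuffer(key) || key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const nonce = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(model, 'utf8'));
  const ciphertext = Buffer.concat([cipher.update(prompt, 'utf8'), cipher.final()]);
  return {
    model,
    nonce: nonce.toString('base64'),
    ciphertext: ciphertext.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Open an envelope; throws if the key, nonce, ciphertext, tag or model was altered.
function openPrompt(key, envelope) {
  const nonce = Buffer.from(envelope.nonce, 'base64');
  const tag = Buffer.from(envelope.tag, 'base64');
  // Reject short tags explicitly: truncated GCM tags weaken authentication.
  if (nonce.length !== 12 || tag.length !== 16) throw new Error('malformed envelope');
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, nonce);
  decipher.setAAD(Buffer.from(envelope.model, 'utf8'));
  decipher.setAuthTag(tag);
  const body = Buffer.from(envelope.ciphertext, 'base64');
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// True when the receiver would refuse the envelope.
function isRejected(key, envelope) {
  try { openPrompt(key, envelope); return false; } catch (err) { return true; }
}

// Constructed demo values (random key, sample prompt from this page).
const demoKey = nodeCrypto.randomBytes(32);
const sealed = sealPrompt(demoKey, 'Hello, my name is John Doe', 'gpt-4o');
console.log(openPrompt(demoKey, sealed));
console.log(isRejected(demoKey, { ...sealed, model: 'other-model' }));
```

Sealing the same prompt twice yields different nonces and ciphertexts, and any change to the ciphertext, tag or bound model name makes `openPrompt` throw before plaintext is returned.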

PII Protection

  • Hybrid Detection: NER models + regex patterns
  • Custom Rules: Configurable redaction policies
  • Audit Trail: Complete logging of redaction actions

Compliance Features

  • SOC 2 Type II: Annual security audits
  • GDPR Ready: Data residency and deletion controls
  • HIPAA Compliant: Healthcare data protection
  • PCI DSS: Payment card industry standards

Performance Optimizations

Caching Strategy

  • Response caching with TTL-based invalidation
  • Embedding caching for RAG operations
  • Connection pooling for API efficiency

Load Balancing

  • Geographic routing for latency optimization
  • Cost-based routing for budget management
  • Failover handling with automatic retries

Scaling

  • Horizontal scaling with Kubernetes
  • Database sharding for high throughput
  • CDN integration for global performance

Regional Deployment

Cloakr.ai supports multiple regions for data residency compliance:

  • US East (N. Virginia) - Default region
  • US West (Oregon) - West Coast optimization
  • EU (Frankfurt) - GDPR compliance
  • Asia Pacific (Singapore) - APAC optimization
  • India (Mumbai) - Local data residency
