Data Security & Privacy
LLMs process and generate text — and text often contains personal data, trade secrets, and confidential information. Data security in AI systems requires specific measures that go beyond traditional encryption.
PII Leakage Prevention
The Problem
LLMs can leak personal data through multiple channels:
- Memorization: The model has memorized PII from training data and reproduces it with matching prompts
- In-context leakage: PII from the current context (e.g., RAG documents) gets embedded in responses
- Cross-session leakage: With faulty session isolation, users see other users' data
- Log exposure: PII in prompts ends up in logs, monitoring tools, and analytics
Protective Measures
Before the model (input):
- PII detection with Named Entity Recognition (NER) — detect names, emails, phone numbers, IBANs
- Redaction: Replace PII with placeholders ("[NAME]", "[EMAIL]")
- Pseudonymization: Consistent replacement (Max Müller → Person_A) to preserve context
After the model (output):
- Identical PII detection on the output
- Differential privacy: Mathematical guarantee that individual data points cannot be extracted
- Confidence filtering: Block responses with high PII probability
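The input and output measures above as one small pipeline, added here as an example (not code from the original page). Regex detectors and a constructed name directory stand in for the NER model the text refers to; the sample prompt, names, IBAN and phone number are constructed, and all function and class names are assumptions. It shows redaction with placeholders, consistent pseudonymization (Max Müller → Person_A) with a restore step for the user, and the same PII detection run again on the model output so that raw PII in an answer (which the model could only have from memorization or another context) blocks the response.

```python
import re
import string

# Constructed customer directory standing in for the NER model's person
# detection (assumption: production would use an NER model or a lookup
# against the customer database instead of a fixed list).
KNOWN_NAMES = ["Max Müller", "Anna Schmidt"]

# Narrow regex detectors for the other PII classes named in the text
# (constructed; real deployments use broader, validated patterns).
PII_PATTERNS = {
    "PERSON": re.compile("|".join(re.escape(n) for n in KNOWN_NAMES)),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\+\d{2}[\s-]?\d{2,4}[\s-]?\d{4,8}"),
    "IBAN": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}(?:\s?[A-Z0-9]{1,4})?\b"),
}

# Constructed sample prompt containing every PII class above.
SAMPLE_PROMPT = ("Customer Max Müller (max.mueller@example.com, +49 30 1234567) "
                 "paid from DE89 3704 0044 0532 0130 00. Max Müller asked for a refund.")


def detect_pii(text):
    """Return non-overlapping (kind, start, end, value) findings sorted by position."""
    hits = []
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((m.start(), m.end(), kind, m.group()))
    hits.sort()
    findings, last_end = [], 0
    for start, end, kind, value in hits:
        if start < last_end:  # overlaps an earlier finding from another detector
            continue
        findings.append((kind, start, end, value))
        last_end = end
    return findings


def _rewrite(text, replacement_for):
    """Replace every finding with replacement_for(kind, value)."""
    out, last = [], 0
    for kind, start, end, value in detect_pii(text):
        out.append(text[last:start])
        out.append(replacement_for(kind, value))
        last = end
    out.append(text[last:])
    return "".join(out)


def redact(text):
    """Redaction: PII becomes a bare placeholder; there is no way back."""
    return _rewrite(text, lambda kind, value: f"[{kind}]")


class Pseudonymizer:
    """Pseudonymization: the same value always maps to the same token within a
    session (Max Müller -> Person_A), so the model keeps coreference across the
    prompt while the mapping stays on our side for restoring the answer."""

    def __init__(self):
        self.forward = {}   # raw value -> token
        self.reverse = {}   # token -> raw value
        self.counters = {}  # kind -> next letter index (26 per kind in this toy)

    def token_for(self, kind, value):
        if value not in self.forward:
            idx = self.counters.get(kind, 0)
            self.counters[kind] = idx + 1
            token = f"{kind.capitalize()}_{string.ascii_uppercase[idx]}"
            self.forward[value] = token
            self.reverse[token] = value
        return self.forward[value]

    def pseudonymize(self, text):
        return _rewrite(text, self.token_for)

    def restore(self, text):
        """Put the real values back into a model answer that used the tokens."""
        for token, value in self.reverse.items():
            text = text.replace(token, value)
        return text


def check_output(response):
    """Output-side check: the model only ever saw tokens, so raw PII in its
    answer points to memorization or leakage from another context -> block."""
    leaked = [value for _, _, _, value in detect_pii(response)]
    return {"blocked": bool(leaked), "leaked": leaked}


if __name__ == "__main__":
    p = Pseudonymizer()
    print(redact(SAMPLE_PROMPT))
    print(p.pseudonymize(SAMPLE_PROMPT))
    print(check_output("Contact anna.schmidt@example.org for details."))
```

The pseudonym mapping lives only in the application layer; it is never sent to the model, and the same mapping must not be reused across sessions or users, or the cross-session leakage listed above reappears through the tokens.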
Data Classification for AI
Classification Levels
| Level | Description | AI Usage |
|---|---|---|
| Public | Publicly available data | All models, including cloud APIs |
| Internal | Internal, non-sensitive data | Cloud APIs with DPA, self-hosted |
| Confidential | Trade secrets, financial data | Self-hosted or private cloud only |
| Restricted | PII, health data, payment data | Self-hosted with additional controls |
Data Flow Control
- Data Loss Prevention (DLP): Automatic detection and blocking of sensitive data in the AI data flow
- Tagging: Every document in the RAG system receives a classification tag
- Access control: RAG results are filtered by user role
Encryption and Secure RAG
Encryption at Rest
- Vector databases: Store embedding vectors encrypted (AES-256)
- Document store: Source documents with at-rest encryption
- Model weights: Model weights on encrypted volumes
Encryption in Transit
- TLS 1.3 for all API communication
- mTLS between internal services (model server ↔ API gateway ↔ RAG service)
- Encrypted embeddings: Transmit embedding requests encrypted
Secure RAG Architecture
- Document-level ACLs: Every document has access rights — the RAG system respects them
- Query rewriting: User query is sanitized before reaching the vector database
- Result filtering: Results are filtered by user permissions
- Citation verification: Every statement is traced back to the source document
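The data flow controls from the classification section (tagging, DLP, role-based filtering) and the secure RAG steps above (query sanitization, document-level ACLs, result filtering, citable sources) as one retrieval pipeline, added here as an example and not code from the original page. Term-overlap ranking stands in for the vector database, the corpus, users, roles and deployment target names are constructed, and every identifier is an assumption. The DLP gate takes the highest classification tag among the surviving chunks and refuses to send that context to a deployment target the table does not permit for it.

```python
from dataclasses import dataclass

# Classification levels from the table above, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Deployment targets permitted per level (the "AI Usage" column; the target
# names are constructed labels for this example).
ALLOWED_TARGETS = {
    "public": {"cloud_api", "cloud_api_dpa", "self_hosted", "private_cloud", "self_hosted_hardened"},
    "internal": {"cloud_api_dpa", "self_hosted", "private_cloud", "self_hosted_hardened"},
    "confidential": {"self_hosted", "private_cloud", "self_hosted_hardened"},
    "restricted": {"self_hosted_hardened"},
}


@dataclass(frozen=True)
class Document:
    doc_id: str
    text: str
    classification: str       # tag assigned at ingestion
    allowed_roles: frozenset  # document-level ACL


@dataclass(frozen=True)
class User:
    user_id: str
    roles: frozenset


# Constructed sample corpus and users.
CORPUS = [
    Document("kb-1", "Product catalogue for the Q3 launch", "public", frozenset({"staff"})),
    Document("wiki-2", "Internal Q3 roadmap planning notes", "internal", frozenset({"staff"})),
    Document("fin-7", "Q3 revenue forecast shows margin pressure", "confidential", frozenset({"finance"})),
    Document("hr-3", "Employee health records for the Q3 audit", "restricted", frozenset({"hr"})),
]
FINANCE_USER = User("u-fin", frozenset({"staff", "finance"}))
HR_USER = User("u-hr", frozenset({"staff", "hr"}))
INTERN = User("u-intern", frozenset({"staff"}))


def sanitize_query(query, max_len=512):
    """Query rewriting: drop control characters, normalize whitespace, cap length
    before the query reaches the vector database."""
    cleaned = "".join(ch for ch in query if ch.isprintable() or ch.isspace())
    return " ".join(cleaned.split())[:max_len]


def retrieve(query, corpus, top_k=3):
    """Stand-in for vector search (assumption): rank by term overlap."""
    terms = set(query.lower().split())
    scored = []
    for doc in corpus:
        score = len(terms & set(doc.text.lower().split()))
        if score:
            scored.append((score, doc))
    scored.sort(key=lambda s: (-s[0], s[1].doc_id))
    return [doc for _, doc in scored[:top_k]]


def filter_by_acl(docs, user):
    """Result filtering: keep only documents whose ACL intersects the user's roles."""
    return [d for d in docs if d.allowed_roles & user.roles]


def highest_level(docs):
    """Most sensitive classification tag among the documents (public if none)."""
    return LEVELS[max((LEVELS.index(d.classification) for d in docs), default=0)]


def build_context(query, corpus, user, target):
    """sanitize -> retrieve -> ACL filter -> DLP gate on the deployment target.
    Returns chunks with their doc_id so every statement can be cited."""
    q = sanitize_query(query)
    hits = filter_by_acl(retrieve(q, corpus), user)
    level = highest_level(hits)
    if target not in ALLOWED_TARGETS[level]:
        raise PermissionError(f"context classified '{level}' may not be sent to '{target}'")
    return {"query": q, "level": level, "chunks": [(d.doc_id, d.text) for d in hits]}


if __name__ == "__main__":
    print(build_context("Q3 revenue forecast", CORPUS, FINANCE_USER, "self_hosted"))
    print(build_context("Q3 revenue forecast", CORPUS, INTERN, "cloud_api"))
```

Note that filtering after a fixed top-k can starve a user of results (the intern gets one chunk back from a top-3 retrieval because two were dropped). In a real vector database the ACL and classification tags should be applied as a metadata pre-filter inside the query, or the retrieval should over-fetch before filtering.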
Differential Privacy
The Concept
Differential privacy mathematically guarantees that the presence or absence of a single data point does not significantly affect the model output.
Mechanisms:
- Noise injection: Add controlled noise to model outputs
- DP-SGD: Differentially Private Stochastic Gradient Descent during training
- Privacy budget (ε): Quantifies the degree of privacy — lower ε = more privacy
Practical Application
- Aggregated analyses: "How many customers bought product X?" — answer with DP noise
- Federated learning: Train models locally, only aggregate gradients (with DP) centrally
- Synthetic data: Generate differentially private synthetic data for development and testing
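The aggregated-analysis case ("How many customers bought product X?") worked through with the Laplace mechanism, added here as an example and not code from the original page. The purchase records are constructed and all names are assumptions. A counting query has sensitivity 1 (adding or removing one customer changes the count by at most 1), so Laplace noise with scale 1/ε gives ε-differential privacy; the budget class enforces that ε spent across repeated queries never exceeds the total, which is what keeps an analyst from averaging the noise away, and the last function shows why a lower ε means more privacy (larger expected noise).

```python
import random

# Constructed purchase records: one row per customer, 7 of 20 bought product X.
PURCHASES = [{"customer": f"c{i}", "product": "X" if i % 3 == 0 else "Y"} for i in range(20)]


class PrivacyBudget:
    """Tracks total epsilon spent; once exhausted, no further query is answered."""

    def __init__(self, total_epsilon):
        self.total = total_epsilon
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.total:
            raise RuntimeError(f"privacy budget exhausted: spent {self.spent}, requested {epsilon}")
        self.spent += epsilon


def noise_scale(epsilon, sensitivity=1.0):
    """Laplace scale b = sensitivity / epsilon; expected |noise| equals b."""
    return sensitivity / epsilon


def laplace_noise(scale, rng):
    """Laplace(0, scale): the difference of two iid exponentials with rate 1/scale."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)


def dp_count(rows, predicate, epsilon, budget, rng):
    """Answer 'how many rows satisfy predicate?' under epsilon-DP.
    The budget is charged before the data is touched; rounding afterwards is
    post-processing and does not weaken the guarantee."""
    budget.charge(epsilon)
    true_count = sum(1 for row in rows if predicate(row))
    return round(true_count + laplace_noise(noise_scale(epsilon), rng))


def mean_abs_noise(epsilon, samples, rng):
    """Empirical mean |noise| for a given epsilon (should approach 1/epsilon)."""
    b = noise_scale(epsilon)
    return sum(abs(laplace_noise(b, rng)) for _ in range(samples)) / samples


if __name__ == "__main__":
    rng = random.Random(42)
    budget = PrivacyBudget(total_epsilon=1.0)
    bought_x = lambda row: row["product"] == "X"
    print("noisy count:", dp_count(PURCHASES, bought_x, epsilon=0.5, budget=budget, rng=rng))
    print("mean |noise| at eps=0.1:", mean_abs_noise(0.1, 2000, rng))
    print("mean |noise| at eps=1.0:", mean_abs_noise(1.0, 2000, rng))
```

With ε = 0.5 the answer is typically off by about two customers, which is acceptable for a sales dashboard but already shows the trade-off: an answer precise to the single customer would need a large ε and therefore little privacy.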
Principle: Treat every prompt, every response, and every context chunk as potentially sensitive. The cost of a data breach exceeds the cost of privacy measures by 10 to 100 times.