GDPR • AI Act • Made in Germany

Use AI – Protect Data.

KI-Shield automatically pseudonymizes personal data before it is sent to ChatGPT, Claude or Gemini – as an additional technical safeguard in accordance with GDPR Art. 25 and Art. 32. For law firms, medical practices and enterprises.

BYOK Principle: Your own API key – full cost control.

No credit card required • 50 requests/month free

```text
ki-shield ~ proxy
# Send client email to ChatGPT
$ ki-shield --scan "Review request"

# Sensitive data detected & filtered:
  Client: Dr. James Mitchell   -> [PERSON_001]
  E-Mail: mitchell@lawfirm.com -> [EMAIL_001]
  IBAN:   DE89 3704 0044 ...   -> [IBAN_001]

✓ Request pseudonymized and forwarded to AI
```
Live Demo

Try It Yourself – in Real Time

Type on the left – see on the right what the AI receives instead. All personal data is automatically replaced with placeholders. No login required.

Average latency about 30 ms, with real-time detection of 42 PII categories by 46 recognizers (NER + regex + keyword). Anything the detector misses can be selected in the input field and tagged as PII by hand; a detected item can be removed with a click.

AES-256-GCM encrypted · German servers (Hetzner) · GDPR Art. 25/32 & AI Act · <50 ms latency · BYOK – your own API key · Zero-knowledge storage + Browser ZK mode
42 PII categories detected · 10+ AI providers supported · <50 ms average latency · 100% German servers (EU)
The Problem

AI Is Powerful – but a Data Protection Risk

Anyone who sends personal data to ChatGPT, Claude or Gemini without safeguards risks GDPR violations. The fines are severe.

Law Firms & Attorneys

Client names, case numbers, contract details – all sent to OpenAI in readable form (TLS protects the transport, not what the provider receives). A violation of attorney-client privilege.

Doctors & Hospitals

Patient names, diagnoses, medical reports – medical confidentiality protects this data. Using AI without pseudonymization can be a criminal offense.

Enterprises & Corporations

Customer data, financial figures, personnel records – GDPR fines up to €20 million or 4% of annual revenue.

€4.15B in GDPR fines since 2018 (EU-wide).

68% of companies already use AI tools – but only 23% have a data protection strategy for it. (Source: Bitkom Digital Office Index 2025)
Target Audiences

For Everyone Who Refuses to Compromise on Confidentiality

KI-Shield was built for industries where data protection is not optional – it is mandatory.

Law Firms & Legal Departments

Use AI for research, contract review and legal briefs – without exposing client data.

  • Contract analysis with ChatGPT
  • Case law research
  • Legal brief drafts

Doctors, Practices & Hospitals

AI-assisted documentation, medical letters and findings – without sending patient data to US servers.

  • Draft medical letters with AI
  • Finding summaries
  • Medical documentation

Tax Advisors & Auditors

Financial analyses, tax assessments and expert opinions with AI – client financials stay protected.

  • Review tax returns
  • Balance sheet analysis
  • Expert opinion drafts

Enterprises & HR

AI in HR, sales and customer service – without compromising employee or customer data.

  • Screen applications
  • Customer emails
  • Internal reports

Data Protection Officers

A tool you can confidently approve for AI usage across your organization.

  • Compliance reports
  • Tamper-proof audit log
  • Technical measures documentation

Software Companies

Integrate AI into your software without transmitting user data to third parties.

  • PII-Redaction REST API (new)
  • npm SDK + Swagger-Docs
  • On-premise available
More about the API →
How It Works

Protected AI Usage in 3 Steps

No code changes, no SDK. Just add your API key – done.

01

Add Your API Key

Sign up for free and add your own API key (OpenAI, Anthropic, Google & more). Your app sends requests to KI-Shield instead of directly to the provider.

02

Automatic Data Pseudonymization

Intelligent PII detection identifies names, emails, IBANs, diagnoses, case numbers and 37 more data types — 42 categories in total. Everything is pseudonymized with secure placeholders.

03

Re-hydrate the Response

The AI response comes back, placeholders are replaced with the original data. Nothing changes for you or your team.
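The three steps above as one runnable round trip. This is an added example written for this page, not KI-Shield's own pipeline: the placeholder format `[TYPE_NNN]` follows the page, while the recognizers (a three-name dictionary standing in for NER, regexes for email, IBAN and phone), the IBAN checksum filter and the mock model that replaces the real provider call are assumptions made here.

```javascript
// Added example (not KI-Shield's code): pseudonymize -> model -> re-hydrate.
// Placeholder format [TYPE_NNN] follows the page; recognizers, the name list
// and the mock model are assumptions made for this example.

// ISO 7064 mod-97 check so that random "DE12 ..." strings are not flagged as IBANs.
function ibanValid(raw) {
  const s = raw.replace(/\s+/g, '').toUpperCase();
  if (s.length < 15 || s.length > 34) return false;
  const digits = (s.slice(4) + s.slice(0, 4)).replace(/[A-Z]/g, c => String(c.charCodeAt(0) - 55));
  let rem = 0;
  for (const d of digits) rem = (rem * 10 + Number(d)) % 97;
  return rem === 1;
}

// Rule-based recognizers; a real deployment layers NER on top of these.
const RECOGNIZERS = [
  { type: 'PERSON', re: /\b(?:Max|Erika|James)\s+[A-ZÄÖÜ][a-zäöüß]+\b/g }, // constructed mini dictionary
  { type: 'EMAIL', re: /[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g },
  { type: 'IBAN', re: /\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b/g, check: ibanValid },
  { type: 'PHONE', re: /\b0\d{2,4}[-\s]?\d{5,8}\b/g },
];

function detect(text) {
  const found = [];
  for (const { type, re, check } of RECOGNIZERS) {
    for (const m of text.matchAll(re)) {
      if (check && !check(m[0])) continue; // checksum failed: leave the text alone
      found.push({ type, text: m[0], start: m.index, end: m.index + m[0].length });
    }
  }
  // Earliest start wins, longer match on a tie; drop anything overlapping an accepted span.
  found.sort((a, b) => a.start - b.start || b.end - a.end);
  const accepted = [];
  let cursor = 0;
  for (const e of found) {
    if (e.start >= cursor) { accepted.push(e); cursor = e.end; }
  }
  return accepted;
}

function pseudonymize(text) {
  const mapping = new Map();    // placeholder -> original; stays with the caller
  const byOriginal = new Map(); // original -> placeholder, so a repeated name gets one placeholder
  const counters = {};
  let out = '', pos = 0;
  for (const e of detect(text)) {
    let ph = byOriginal.get(e.text);
    if (!ph) {
      counters[e.type] = (counters[e.type] ?? 0) + 1;
      ph = `[${e.type}_${String(counters[e.type]).padStart(3, '0')}]`;
      mapping.set(ph, e.text);
      byOriginal.set(e.text, ph);
    }
    out += text.slice(pos, e.start) + ph;
    pos = e.end;
  }
  return { text: out + text.slice(pos), mapping };
}

function rehydrate(text, mapping) {
  // A placeholder the model invented is left visible rather than guessed.
  return text.replace(/\[[A-Z]+_\d{3}\]/g, ph => mapping.get(ph) ?? ph);
}

// Stand-in for the AI provider: no network, it just echoes the placeholders it was given.
function mockModel(prompt) {
  const seen = [...new Set(prompt.match(/\[[A-Z]+_\d{3}\]/g) ?? [])];
  return `Draft reply: please confirm the details for ${seen.join(', ')}.`;
}

function protectedCall(userText, model = mockModel) {
  const { text, mapping } = pseudonymize(userText);        // step 2
  const reply = model(text);                               // only placeholders cross this boundary
  return { sent: text, reply: rehydrate(reply, mapping) }; // step 3
}

// Constructed sample input; the IBAN is the widely published DE example, not a real account.
const SAMPLE = 'Client Max Mustermann (max@example.com) pays from IBAN DE89 3704 0044 0532 0130 00. Call Max Mustermann at 0171-1234567.';

const r = protectedCall(SAMPLE);
console.log('AI sees :', r.sent);
console.log('You see :', r.reply);
```

The mod-97 check is what keeps a string that merely looks like an IBAN from being replaced, and the same name occurring twice maps to the same placeholder so the model can still reason about "the client" consistently.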

Features

Enterprise Security, Easy to Use

Built for the strictest data protection requirements – usable without an IT department.

42 PII Categories Detected

From names and IBANs to diagnoses and case numbers to genetic data, union membership and criminal records – incl. GDPR Art. 9 & 10.

Automatic Re-Hydration

Pseudonyms in AI responses are automatically restored. Your team's workflow remains unchanged.

Quantum-Safe Audit Chain

Hybrid Ed25519 + ML-DSA-65 signatures — classically and post-quantum secured. Exportable as CSV/JSON. Perfect for data protection audits.

BYOK – Your Own API Key

Bring Your Own Key: Use your own API key for OpenAI, Anthropic, Google & more. Full cost control, no markups.

Real-Time Streaming (SSE)

Real-time streaming in Pro and Business plans. Pseudonymization happens in milliseconds – no noticeable difference.

Industry-Specific Rules

Custom filter rules for your industry: medical terminology, legal case numbers, financial data – individually configurable.

42 Data Categories

The Most Comprehensive PII Detection

42 data categories – from names and IBANs to genetic data and union membership. Everything the GDPR protects, we detect.

Core Detection (16)

Person, Email, Phone, IBAN, Tax ID, Date of Birth, Date, License Plate, Social Security, Address, Health Data, Location, Organization, Credit Card, ID/Passport, Nat./Rel./Pol.

Technical IDs (12)

IP Address, BIC/SWIFT, Vehicle ID (VIN), GPS Coordinates, Driver's License, Health Insurance No., Commercial Register, Case Number, MAC Address, IMEI Number, Secret/API Key, Diagnosis Code (ICD/OPS)

GDPR Art. 9 (7)

Special categories – processing prohibited by default (Art. 9(1)) unless one of the Art. 9(2) exceptions applies

Genetic Data, Biometrics, Ethnic Origin, Political Opinion, Religion, Union Membership, Sexual Orientation

Life Areas (7)

Criminal Law (Art. 10), Children's Data, Financial Data, Employment, Education, Social Benefits, Insurance
Compatibility

Works with All AI Providers

One Shield, all models. Switch AI providers without rebuilding your compliance setup.

OpenAI / ChatGPT, Anthropic / Claude, Google Gemini, Mistral AI, Meta Llama, Cohere, Groq, DeepSeek, Perplexity, OpenAI-compatible APIs
For Developers (new)

PII Detection as REST API — for Your Software

The same engine that powers our chat proxy, as an API for developers. Detect, redact and pseudonymize personal data programmatically — with a signed compliance certificate for every request.

4 Endpoints, 1 API

/v1/detect, /v1/redact, /v1/pseudonymize, /v1/redact/zk — 42 PII categories, optimized for German and English texts.

Hybrid Compliance Certificate (Ed25519 + ML-DSA-65)

Every request receives a cryptographically signed certificate with a hybrid signature (classical + post-quantum) — verifiable, exportable, audit-proof.

Split/Zero-Knowledge Mode

Optional: Only hashes are sent to the server. Original data stays with you.

SDK & Swagger Docs

npm install ki-shield-sdk — TypeScript SDK + interactive API documentation at /api-docs.

curl — PII Detection API

```bash
curl -X POST https://ki-shield.de/v1/detect \
  -H "X-API-Key: ks_live_xxx" \
  -H "Content-Type: application/json" \
  -d '{"text": "Max Mustermann, IBAN DE89..."}'
```

Response:

```json
{
  "entities": [
    { "type": "PERSON", "text": "Max Mustermann", "score": 0.95 },
    { "type": "IBAN",   "text": "DE89...",        "score": 0.99 }
  ],
  "certificate_id": "cert_a1b2c3"
}
```

```bash
curl -X POST https://ki-shield.de/v1/redact \
  -H "X-API-Key: ks_live_YOUR_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "text": "Herr Dr. Müller (Tel. 0171-1234567) wohnt in Berlin.",
    "mode": "redact"
  }'
# => "Herr Dr. [PERSON] (Tel. [PHONE]) wohnt in [LOCATION]."
```

```typescript
import { KiShield } from 'ki-shield-sdk';

// In real code load the key from the environment; never commit a ks_live_ key.
const shield = new KiShield({ apiKey: 'ks_live_YOUR_KEY' });

const result = await shield.redact({ text: 'Max Mustermann, IBAN DE89...' });
console.log(result.redacted);
// => "[PERSON], IBAN [IBAN]"
console.log(result.certificate_url);
// => "https://ki-shield.de/verify-page/cert_..."
```
Legal Compliance

Legally on the Safe Side

Built for the strictest data protection requirements in Europe.

GDPR Art. 25 – Privacy by Design

Personal data is pseudonymized before it leaves the EU jurisdiction. Note that under GDPR Recital 26 pseudonymized data remains personal data as long as the mapping exists, so the transfer of the pseudonymized prompt to a non-EU provider still needs its own legal basis (e.g. SCCs); what pseudonymization does is shrink what that transfer exposes.

EU AI Act – Transparency Requirement

Complete documentation of every AI interaction. Traceable who sent what data to which AI provider and when.

DE

German Servers (Hetzner, Nuremberg)

Processing exclusively in Germany. No US CLOUD Act, no FISA 702, no access by foreign authorities.

AES-256-GCM & Hybrid Signatures

All stored data is AES-256-GCM encrypted (authenticated encryption). The audit log carries hybrid Ed25519 + ML-DSA-65 signatures (post-quantum secure) and a hash chain for tamper-evident documentation.

Our USP

Zero Knowledge – two modes, one goal: your data stays yours

Server-ZK: all stored data is encrypted with a key derived from your password (Argon2id + AES-256-GCM); whoever gets hold of the database cannot re-identify anything. Browser-ZK (NEW): PII detection and encryption run entirely in your browser – the server never sees plaintext, not even in memory.

```text
zero-knowledge ~ architecture
# Your password generates the key
Password + Salt -> Argon2id -> 256-bit DEK

# Mode 1: Server ZK (default) – where plaintext exists
Your browser:   yes (session)
RAM (Redis):    temporary, volatile
Database/Disk:  never

# Mode 2: Browser ZK (NEW)
Your browser:   PII detection + encryption
Server RAM:     sees only pseudonyms
Database:       ciphertexts only
Operator:       no access, ever

# What an attacker sees in the DB
Message: gcm$V4cPxqW29k3nR0Z8tzK7vHE2qF1mNpR5...
Title:   gcm$QoFXjPwTmR9h2YLzNcK8vHE3qB1nMpR5...
Without password: ✗ all unreadable
```

Password-Based Key (Argon2id)

From your password, a 256-bit encryption key is derived via Argon2id – the winner of the Password Hashing Competition and the usual recommendation for new designs, because its memory-hardness makes GPU and ASIC guessing expensive. This key exists only in volatile memory.

Operator Cannot View Stored Data

Without your password, no one can decrypt the stored data – not us, not an attacker, not a government agency. Note: During active processing, data briefly exists in plaintext in volatile memory — without storage, logging or disclosure. Processing exclusively on German servers.

Recovery Key as Safety Net

In your account settings, you can create a recovery key at any time. If you forget your password, use it to restore your data. Without recovery key and password: data is irretrievably lost.

Everything Encrypted – AES-256-GCM

Chat messages, conversation titles, API keys, audit logs – everything is AES-256-GCM encrypted with your personal key. Each user has their own key.


Browser ZK Mode – True Zero Knowledge

In Browser ZK mode, your plaintext data never leaves your browser. PII detection, pseudonymization and AES-256-GCM encryption run entirely locally. The server only sees pseudonymized data – at no point, not even in RAM.

Local PII Detection

25,000+ German first and last names, organization dictionary (DAX, banks, government agencies), IBAN, email, phone, health data – all rule-based detection in the browser.

Browser Encryption

AES-256-GCM via the WebCrypto API. The key is derived from your ZK password via PBKDF2 (WebCrypto offers no Argon2id, so the iteration count has to be set high to make guessing expensive). Pseudonym mappings are stored encrypted on the server – recoverable only with your password.

BYOK – Your Key

Exclusively your own API key (BYOK). No server key, no fallback. Full cost control and data sovereignty – the server is just a pseudonymized proxy.

Available in all plans (incl. Free) · No installation · One click in settings

Other Providers

  • Operator can read all data
  • Database theft = data compromised
  • Government request = disclosure possible
  • "Trust us" as security model

KI-Shield Zero-Knowledge Storage

  • Zero-knowledge storage – operator cannot view stored data
  • Database theft = worthless ciphertexts
  • Government request = stored data unreadable
  • Cryptography instead of trust
  • Browser ZK: server never sees plaintext (new)
Future-Proof

Post-Quantum Cryptography – ready for tomorrow

A sufficiently large quantum computer running Shor's algorithm would break today's public-key schemes, Ed25519 included. KI-Shield already protects your audit chain today with hybrid signatures – classical and quantum-safe side by side.

```text
audit-chain ~ hybrid signature
# Every audit entry is dual-signed

# 1. Classical signature (secure today)
Ed25519:   7b2e9f4a...c8d1
Key:       256 bit

# 2. Post-quantum signature (secure tomorrow)
ML-DSA-65: a3f8b2c1...e7f9
Standard:  NIST FIPS 204

# Hash chain (tamper-proof)
SHA-256: prev_hash + content -> hash -> next entry

✓ Hybrid signature verified
```

ML-DSA-65 (FIPS 204)

The NIST-standardized post-quantum signature algorithm (formerly CRYSTALS-Dilithium), designed to resist attacks by quantum computers.

Hybrid Signatures – Double Security

Every audit entry is dual-signed: Ed25519 (classical, proven) and ML-DSA-65 (post-quantum). A verifier accepts an entry only if both signatures check out, so a break of either algorithm on its own does not let anyone forge an entry.

Tamper-Proof Audit Chain

A SHA-256 hash chain links every entry to the previous one. Altering a single entry changes its hash and breaks the link to every entry after it – detectable immediately, even after years, provided the verifier holds a trustworthy copy of the chain head (which is what the anchoring described further down is for).

EU Regulation Compliant

The BSI and the EU recommend transitioning to post-quantum cryptography. With KI-Shield, you are already compliant – before it becomes mandatory.

Why Post-Quantum Now?

Harvest now, decrypt later applies to encrypted data: attackers can store ciphertext today and decrypt it once a quantum computer exists. The analogous risk for signatures is forgery: a future quantum computer could produce a valid Ed25519 signature for a rewritten audit entry, and an old log could no longer prove anything. Audit logs often need to remain verifiable for 10+ years. That is why KI-Shield already signs quantum-safe today – so your compliance records still hold up in 2035.

Market Analysis

Trust-as-a-Service – the Verification Economy

Verifiable trust is becoming the scarcest resource in the digital world. KI-Shield provides the cryptographic infrastructure that enterprises need to use AI in a demonstrably secure way.

$26.8B – verification market by 2031 (Gartner / MarketsandMarkets)
$169B – sovereign cloud by 2028 (Gartner IaaS forecast)
57% – expect turbulent global conditions by 2028 (World Economic Forum)
42.8% – CAGR deepfake detection (Mordor Intelligence)

Why Trust Is Becoming Infrastructure

The World Economic Forum identifies misinformation and disinformation as the most dominant risk over the next two years. AI-generated deepfakes, synthetic evidence and AI poisoning are destroying trust in digital information.

At the same time, cloud fragmentation is forcing companies to split their AI architectures across sovereign zones. 60% of multinational companies must geopatriate their AI infrastructure by 2028 (IDC).

Gartner warns: Companies that fail to invest in digital provenance by 2029 risk compliance damages in the billions.

Read the Full Market Analysis

16-page analysis with data from WEF, CFR, McKinsey, Gartner and IDC – the foundation for KI-Shield.

Macroeconomic Projections to 2028 →
```text
trust ~ ki-shield stack
$ ki-shield --trust-stack

# Layer 1: PII Protection
42 categories detected & pseudonymized
Zero-knowledge storage – we never see plaintext data
Browser-ZK – plaintext never leaves the browser

# Layer 2: Cryptographic Proof
Ed25519 + ML-DSA-65 hybrid signature
SHA-256 hash chain (tamper-evident)

# Layer 3: Blockchain Anchoring
Polygon PoS – daily anchor
Publicly verifiable, immutable

# Layer 4: Sovereignty
100% German infrastructure
No US cloud. No data transfer. GDPR-native.

# Layer 5: Audit Compliance
WORM archive + eIDAS timestamps
Probative for regulatory authorities

→ All 5 protection layers active
```
Patent Filed
System and method for pseudonymized AI usage with zero-knowledge architecture

The 5 Capital-Critical Sectors by 2028

  • Energy & Cooling – $6.7T by 2030
  • Verification Economy – KI-Shield
  • Sovereign Cloud – $169B by 2028
  • Critical Infrastructure – $106T by 2040
  • Nearshoring – supply chain autonomy

What KI-Shield Can – and What It Cannot

We communicate our limitations openly. Only those who acknowledge their limits deserve trust.

What KI-Shield Does

  • Automatic pseudonymization of 42 PII categories using NER, regex, keyword and context analysis
  • Additional technical safeguard per GDPR Art. 25/32
  • Encryption of all stored data (AES-256-GCM)
  • Tamper-proof audit log with cryptographic signatures
  • Manual tagging for data not automatically detected

What You Should Know

  • Stylometric features (writing style, sentence patterns) and purely combinatorial re-identification are not automatically detected – for this we offer manual tagging as a supplement
  • Data is processed exclusively in volatile memory on German servers – without storage or logging of plaintext
  • KI-Shield is a technical safeguard (TOM) per GDPR Art. 25/32 – as part of your data protection concept

Data Processing Agreement (DPA)

As a data processor, KI-Shield provides a DPA in accordance with GDPR Art. 28. The DPA is automatically made available upon account creation.

KI-Shield complements your existing compliance strategy as an additional technical and organizational measure (TOM) – it does not replace a DPA with your AI provider.

Frequently Asked Questions

Answers for Decision Makers

The most important questions about data protection, technology and costs – answered clearly.

Without additional safeguards, using ChatGPT in law firms is problematic, as personal client data is transmitted to servers in the USA. KI-Shield reduces this risk through automatic pseudonymization: all identifiable personal data is replaced with placeholders before being sent to the AI.

Patient data is protected by medical confidentiality and the GDPR. Without pseudonymization, no patient data may be transmitted to AI providers. KI-Shield automatically pseudonymizes all sensitive data – patient names, diagnoses, insurance numbers – before it leaves your practice.

Yes, KI-Shield operates on the BYOK principle (Bring Your Own Key). You add your own API key. Advantage: Full cost control, no markups on token costs.

No. KI-Shield is API-compatible with over 10 AI providers. You simply change the API URL – instead of sending directly to OpenAI, requests go through KI-Shield. Integration in under 5 minutes.

Exclusively on German servers at Hetzner in Nuremberg. No US CLOUD Act, no FISA 702. Original data never leaves the KI-Shield server in the EU.

The Free plan is permanently free (50 requests/month). The Pro plan costs €99/month net. The Business plan costs €349/month with OpenRouter and compliance reports. The Enterprise plan starts at €1,999/month with RBAC API keys, PII-Redaction REST API, dedicated support, 99.9% SLA and on-premise option. On top of that, only your own AI costs with the provider (BYOK). No minimum contract period.

Yes. KI-Shield meets the transparency and documentation requirements of the EU AI Act. Every AI interaction is logged in the audit trail. The audit log is exportable (in Pro and Business plans).

KI-Shield offers two zero-knowledge modes: Server-ZK – the mapping table is encrypted with your password (Argon2id, 256-bit), all data stored AES-256-GCM encrypted. During processing, data briefly exists in server RAM (without storage or logging). Browser-ZK (NEW) – PII detection, pseudonymization and AES-256-GCM encryption run entirely in your browser. The server never sees plaintext – not even in RAM. Available for all plans, one click in settings.

42 PII categories in 4 groups: Core (names, email, phone, IBAN, tax ID, credit card, address, etc.), Technical (IP address, IMEI, MAC, GPS, driver license, etc.), GDPR Art. 9 (genetics, biometrics, ethnicity, politics, religion, union membership, sexuality) and Art. 10 + Life Areas (criminal law, children data, finances, employment, education, social benefits, insurance).

KiShieldCam – exclusive from the Business plan

Auditor Access for External Reviewers

Give data protection officers, auditors or government agencies temporary read access to your evidence chain — without password sharing, without risk.

1. Create Token

One click in the app. Choose a label and validity (1–30 days). Revocable at any time.

2. Share Link

Copy and send via email. The reviewer needs no account and no installation. The token in the link is a bearer credential, so treat the link like a password: anyone who obtains it can read the evidence chain until it expires or is revoked.

3. Reviewer Verifies

Full read access to the evidence chain. Signatures, hashes, blockchain – everything verifiable.

```text
KiShieldCam — Auditor-Token
// Create token
Label:   "TÜV Audit Q1"
Valid:   7 days
✓ Token generated
aud_k7x9m2p4r8...

// Share link
ki-shield.de/verify?token=aud_k7x9m2...
Expires: March 27, 2026

// Audit report (read-only)
Audit entries   247
Hash chain      ✓ intact
Signatures      ✓ 247/247
Blockchain      ✓ verified
Status          COMPLIANT
```

  • Zero Trust – no password sharing, token-based
  • Time-limited – 1–30 days, expires automatically
  • Instantly revocable – one click and access is revoked
  • Read-only – no writing, no deleting

Part of KiShieldCam – court-proof evidence photos & videos

More about KiShieldCam
Who We Are

The Team Behind KI-Shield

No startup theater. Two people, one product.

```text
team ~ ki-shield
$ whoami --team

JOHANNA
Role:     UX Design · Social Media · Branding
Focus:    User experience, visual design, communication
Status:   ████████████ active

RENÉ
Role:     Database · Backend · AI Automation
Focus:    Architecture, cryptography, PII pipeline
Status:   ████████████ active

$ cat /etc/ki-shield/philosophy
> No VC. No hype. German engineering for European law.
```
Contact

Talk to Us

Questions about KI-Shield, compliance or integration? We will get back to you within 24 hours.
