
How can we help?

Guides, explanations and solutions for KI-Shield


Getting Started & Registration

Create, verify and secure your account

Here is how to create your KI-Shield account:

  1. Open ki-shield.eu/pricing and select your plan (Community is free of charge).
  2. Enter your name, your email address and a secure password (min. 8 characters).
  3. Alternatively: Click "Sign in with Google" to register directly with your Google account.
  4. Confirm the privacy policy and click "Create account".
  5. You will receive a confirmation email — click the link in it.

Tip: Use a strong, unique password. KI-Shield also supports two-factor authentication (2FA) for additional protection.

After registration, we will send you an email with a confirmation link.

  1. Check your inbox (sender: info@ki-shield.eu).
  2. Click the confirmation link in the email.
  3. You will be redirected to a page that confirms your email has been verified.
  4. You can now log in at ki-shield.eu/login.

No email received?

  • Check your spam/junk folder.
  • Make sure you entered the email address correctly.
  • Wait a few minutes — delivery can sometimes take a moment.
  • Contact us at info@ki-shield.eu if the problem persists.

Two-factor authentication protects your account with a time-based one-time password (TOTP) in addition to your password.

Prerequisites

Install an authenticator app on your smartphone:

  • Google Authenticator (iOS / Android)
  • Microsoft Authenticator (iOS / Android)
  • Authy, 1Password or other TOTP-compatible apps

Step-by-Step Setup

  1. Log in to KI-Shield and open Account (sidebar).
  2. Scroll to the "Two-Factor Authentication" section.
  3. Click "Enable 2FA".
  4. Scan the displayed QR code with your authenticator app.
  5. Enter the 6-digit code from the app and click "Confirm".
  6. Save the displayed recovery codes securely (see next article).

Recommendation: We strongly recommend enabling 2FA. If your password is compromised, the second factor protects your account and data.

Recovery codes are your emergency access in case you lose your smartphone or the authenticator app is not available.

How to Save Your Codes

  1. After the 2FA setup, a set of one-time recovery codes is displayed.
  2. Click "Copy codes" and save them in a secure location.
  3. Recommended storage locations:
    • Password manager (e.g. 1Password, Bitwarden)
    • Printed and stored securely
    • Encrypted file on a USB drive

Important: Each recovery code can only be used once. In your account, you can see how many codes are still available. When all are used up, disable 2FA and set it up again to receive a new set.

You can disable 2FA at any time as long as you have access to your account.

Disable 2FA

  1. Open Account in the sidebar.
  2. Click "Disable 2FA".
  3. Enter your password and a current 2FA code.
  4. Confirm the deactivation.

Lost access? (Smartphone lost)

  1. Use one of your recovery codes instead of the 2FA code when logging in.
  2. Afterwards you can disable 2FA and set it up again.
  3. If you also have no recovery codes left, contact us: info@ki-shield.eu

If you have forgotten your password, you can reset it via your email address.

  1. Go to the login page.
  2. Click "Forgot password?".
  3. Enter your registered email address.
  4. You will receive an email with a reset link (valid for a limited time).
  5. Click the link and set a new password.

Note on the zero-knowledge architecture: KI-Shield encrypts your data with a key derived from your password (the DEK). When you change your password, the encrypted key material is automatically re-encrypted under the new password, so your data is preserved.

During your first login, you will go through two short steps:

Step 1: GDPR & AI Act Notice

A dialog explains the following:

  • KI-Shield uses AI models from OpenAI, Anthropic, Google and other providers for text generation.
  • All responses are AI-generated and may contain errors.
  • Your personal data is protected by automatic PII detection.

You confirm the privacy policy with a checkbox and click "Understood, continue".

Step 2: Feature Tour (5 Steps)

Right after, an interactive tour starts that shows you the most important features (see next article).

Good to know: These dialogs appear only once. You can skip the feature tour at any time.

The feature tour guides you through the most important features in 5 short steps:

  1. Language Model & API Key: Select your AI provider in the settings and store your API key. No chat is possible without an API key.
  2. Real-Time PII Protection: While you type, KI-Shield automatically detects sensitive data and highlights it with colors.
  3. Manual Tagging: Click any word to manually assign it to a PII category.
  4. Send & Line Break: Enter = line break. Cmd+Enter (Mac) or Ctrl+Enter (Windows/Linux) = send message.
  5. Create More Space: Use the list icon to collapse the chat list and gain more room to work.

You have the right at any time to irrevocably delete your account and all associated data (GDPR Art. 17 — Right to Erasure).

  1. Log in to KI-Shield.
  2. Open "My Data" in the sidebar.
  3. Scroll to the section "Delete Account".
  4. Click "Irrevocably delete account".
  5. Enter the word LOESCHEN to confirm.
  6. Enter your password.
  7. Click "Delete permanently".

Warning — Irreversible!

  • All chat histories will be deleted.
  • Your API keys will be removed.
  • Your encryption key (DEK) will be destroyed.
  • This process cannot be undone.

Tip: Export your data before deletion via "My Data" → "Data Portability" (GDPR Art. 20).

Plans & Subscriptions

Pricing, features and subscription management

KI-Shield offers four plans for different requirements:

Feature                  Free        Pro         Business    Enterprise
Price / month            0 €         99 €        349 €       1,999 €
Requests / month         50          Unlimited   Unlimited   Unlimited
PII detection            42 cat.     42 cat.     42 cat.     42 cat.
AI providers             10+         10+         10+         10+
Message storage          7 days      Unlimited   Unlimited   Unlimited
Streaming (SSE)          no          yes         yes         yes
Dashboard analytics      no          yes         yes         yes
Compliance reports       no          no          yes         yes
PII Redaction REST API   no          no          no          yes
Support                  Community   E-mail      Priority    Dedicated

API keys for external integration (RBAC) are not part of the Free plan; the PII Redaction REST API and its OpenAPI documentation are Enterprise features.

All plans include full PII detection with 42 categories and access to all 10+ AI providers. The prices on the pricing page are always up to date.

The Free plan is permanently free of charge and is perfect for trying things out:

  • 50 requests per month — sufficient for occasional use
  • All 10+ AI providers (Groq, OpenAI, Anthropic, Google, Mistral and more)
  • Full PII detection with all 42 categories
  • 7-day message storage — older messages are automatically deleted
  • Chat history — create, rename, delete
  • 2FA security — two-factor authentication available
  • GDPR rights — data access, export, deletion

Not included in the Free plan

  • No real-time streaming (responses appear after completion)
  • No dashboard with analytics
  • No compliance reports
  • No API keys for external integration

No credit card required. Simply register at ki-shield.eu/pricing — the Free plan is immediately active.

The Pro plan costs 99 € / month and is our most popular plan:

  • Unlimited requests — no monthly limits
  • Real-time streaming (SSE) — AI responses appear word by word in real time
  • Unlimited message storage — your chats are permanently retained
  • Dashboard Analytics — overview of usage, PII statistics and providers
  • Audit-Log Export — export your usage logs
  • Email support — direct support for questions

Recommended for: individuals, freelancers and consultants who want to use AI daily in a GDPR-compliant way.

The Business plan costs 349 € / month and is designed for companies with compliance obligations:

In addition to all Pro features, you get:

  • Compliance Reports — AI Act-compliant reports that document every AI interaction in an audit-proof manner
  • Extended Analytics — detailed statistics and records of processing activities (Art. 30 GDPR)
  • Priority Support — preferred handling of your requests

Why compliance reports? Under the GDPR accountability principle (Art. 5(2)) you must be able to demonstrate that your processing is compliant, and the EU AI Act adds transparency and documentation obligations for AI use. Our reports are your evidence in an audit.

The Enterprise plan starting at 1,999 € / month is designed for SMEs with API requirements:

In addition to all Business features:

  • PII Redaction REST API — integrate PII detection directly into your own software
  • PII Analysis API Endpoint — programmatically analyze texts for sensitive data
  • API Documentation (OpenAPI) — complete, interactive API docs
  • Individual compliance consulting
  • Dedicated support

Custom Solutions

For larger companies, we offer on request:

  • Dedicated instance (own server)
  • SSO integration (Single Sign-On)
  • SLA agreements (Service Level Agreements)
  • On-Premise Deployment

Contact: Write to us for an individual offer at info@ki-shield.eu

Upgrade (higher plan)

  1. Go to ki-shield.eu/pricing.
  2. Click "Book now" on the desired plan.
  3. You will be redirected to Stripe Checkout.
  4. After successful payment, your plan will be immediately activated.

When upgrading, all your data, chats and settings are preserved. You immediately get access to the new features.

Downgrade (lower plan)

  1. Cancel your current subscription (see article 18).
  2. After the billing period expires, you will switch to the Free plan.
  3. Then book the desired lower plan anew.

Note: When switching to the Free plan, messages will be deleted after 7 days. Export important chats beforehand via "My Data".

KI-Shield uses Stripe as its payment processor — your credit card data is never stored on our servers.

First Payment

  1. Select a paid plan on the pricing page.
  2. You will be redirected to Stripe Checkout.
  3. Enter your payment details there (credit card, SEPA direct debit or other methods depending on availability).
  4. After successful payment, you will be redirected back to KI-Shield.

Change Payment Method

  1. Go to ki-shield.eu/pricing (logged in).
  2. Click "Manage subscription".
  3. You will be redirected to the Stripe customer portal.
  4. There you can change your payment method or add a new one.

Security: Stripe is a PCI DSS Level 1 certified service provider, the highest level for card processing. KI-Shield has no access to your card data.

All invoices are managed via the Stripe customer portal:

  1. Go to ki-shield.eu/pricing (logged in).
  2. Click "Manage subscription".
  3. In the Stripe portal you can see:
    • All previous invoices
    • The payment status of each invoice
    • PDF download for your accounting
    • The next scheduled charge

For accounting: Stripe invoices contain VAT ID, invoice number and all details required for tax returns.

You can cancel your subscription at any time with one click — without giving reasons (EU-compliant).

Option 1: Via the App

  1. Log in to KI-Shield.
  2. Open "Account" in the sidebar.
  3. In the "Plan & Subscription" section, click "Cancel subscription".
  4. Confirm with "Yes, cancel now".

Option 2: Via the Pricing Page

  1. Go to ki-shield.eu/pricing (logged in).
  2. Click the red "Cancel subscription" button.
  3. Confirm in the dialog.

What happens after cancellation?

  • Your plan remains active until the end of the paid period.
  • You can reverse the cancellation at any time as long as the period is still running.
  • After that, you will automatically switch to the Free plan.

No risk: The cancellation does not cause you to lose access before the paid period expires. You can upgrade again at any time.

Upon cancellation, your data is not immediately deleted. Here is what happens:

Retained

  • Your account and login
  • Your settings and stored API keys
  • Your PII configuration
  • DPA agreement (if signed)

Changes

  • Messages older than 7 days are automatically deleted (Free plan limit)
  • No more streaming — responses appear after completion
  • 50 requests/month instead of unlimited
  • Dashboard, compliance and audit pages no longer available

Recommendation: Before cancellation, export your important data via "My Data" → "Data Portability" (GDPR Art. 20). This gives you a local copy of all chats and settings.

Free Plan as Trial

The Free plan with 50 requests/month is permanently free of charge and serves as an unlimited trial period. You can test all AI providers and the full PII detection before deciding to upgrade.

30-Day Money-Back Guarantee

The following applies to all paid plans:

If KI-Shield does not prove to you within the first 30 days that it makes your workflow more secure — you get every cent back.

How the guarantee works

  1. Book a paid plan.
  2. Test KI-Shield thoroughly.
  3. If you are not satisfied: Write to info@ki-shield.eu within 30 days.
  4. You will receive the full amount back — no questions asked, no conditions.

Set Up AI Providers (BYOK)

Obtain, store and manage API keys

BYOK stands for "Bring Your Own Key" — you bring your own API key.

This means: You create an account and an API key directly with the AI provider of your choice (e.g. OpenAI, Anthropic, Google). You store this key in KI-Shield.

How does it work?

  1. You register with the AI provider (e.g. OpenAI).
  2. You create an API key there.
  3. You store this key in the KI-Shield settings.
  4. KI-Shield forwards your requests via this key — after your data has been protected by PII detection.

Advantage: You have full control over costs and usage. KI-Shield acts as a zero-knowledge proxy: your API key is stored only in encrypted form, and the provider receives only the PII-protected text.

KI-Shield follows a consistent zero-knowledge principle. There are three important reasons for this:

  1. Data privacy: With your own key, AI requests flow directly under your contract with the provider, and only the pseudonymized, PII-protected text is forwarded to it.
  2. Cost transparency: You pay the AI provider directly; there are no hidden surcharges and you keep full control over your budget.
  3. No vendor lock-in: Switch provider and model at any time with one click; KI-Shield configures the access for you.

No chat is possible without an API key. The feature tour during your first login points this out. Groq offers a free API key — ideal for getting started.

OpenAI (USA, DPF certified)
  1. Create an account at platform.openai.com.
  2. Go to API Keys.
  3. Click "Create new secret key".
  4. Copy the key (starts with sk-...) — it is only displayed once!
  5. Store the key in KI-Shield under Settings → OpenAI.

Available models: o3 Pro, GPT-4.1, GPT-4.1 Mini, GPT-4.1 Nano, o3, o4 Mini, GPT-4o, GPT-4o Mini

Costs: OpenAI charges based on token usage. Set a budget limit in your OpenAI dashboard to avoid surprises.

Anthropic (USA, DPF certified)
  1. Create an account at console.anthropic.com.
  2. Go to Settings → API Keys.
  3. Click "Create Key".
  4. Copy the key (starts with sk-ant-...).
  5. Store the key in KI-Shield under Settings → Anthropic.

Available models: Claude Opus 4.6, Claude Sonnet 4.6, Claude Sonnet 4.5, Claude Opus 4, Claude Sonnet 4, Claude Haiku 4.5

Google (USA, DPF certified)
  1. Open Google AI Studio.
  2. Sign in with your Google account.
  3. Click "Create API Key".
  4. Copy the key (starts with AIza...).
  5. Store the key in KI-Shield under Settings → Google.

Available models: Gemini 2.5 Pro, Gemini 2.5 Flash, Gemini 2.5 Flash Lite

Tip: Gemini 2.5 Flash offers excellent value for money and a large context window.

Mistral AI (EU processing)
  1. Create an account at console.mistral.ai.
  2. Go to API Keys.
  3. Click "Create new key".
  4. Copy and store the key in KI-Shield.

Available models: Mistral Large 3, Mistral Medium 3.1, Mistral Small 3.2, Codestral (Code), Magistral Medium & Small (Reasoning)

GDPR advantage: Mistral is a French provider with data processing in the EU — no third-country transfer necessary.

Groq (USA, DPF certified)
  1. Create an account at console.groq.com.
  2. Go to API Keys.
  3. Click "Create API Key".
  4. Copy the key (starts with gsk_...).

Available models: Llama 3.3 70B, Llama 3.1 8B Instant, Llama 4 Scout, Qwen 3 32B

Recommended for beginners: Groq offers a free tier with generous limits and extremely fast inference. Ideal for trying out KI-Shield.

Cohere (Canada/USA, DPF certified)
  1. Create an account at dashboard.cohere.com.
  2. Go to API Keys.
  3. Copy or create a key.

Available models: Command A, Command R+, Command R

OpenRouter (USA, DPF certified)
  1. Create an account at openrouter.ai.
  2. Go to API Keys.
  3. Create a new key.

Available models: Claude Opus 4, Claude Sonnet 4, GPT-4.1, o3, Gemini 2.5 Pro, Llama 4 Maverick, DeepSeek R1, Mistral Large 2

Advantage: With one key you have access to models from OpenAI, Anthropic, Google, Meta and many more. Ideal if you do not want to create a separate account with each provider.

DeepSeek (China, NO adequacy decision!)
  1. Create an account at platform.deepseek.com.
  2. Go to API Keys.
  3. Create a new key.

Available models: DeepSeek V3, DeepSeek R1 (Reasoning)

GDPR warning: DeepSeek is a Chinese provider and there is no adequacy decision by the EU Commission for China. Transfers therefore rely on the explicit-consent derogation of Art. 49(1)(a) GDPR; KI-Shield asks for your explicit consent and displays a corresponding warning when you select DeepSeek. Keep in mind that Art. 49(1)(a) requires the consent of the data subject whose data is transferred, which you can only give for your own data.

xAI (USA, DPF certified)
  1. Go to console.x.ai.
  2. Create an account and generate an API key.

Available models: Grok 4, Grok 3, Grok 3 Mini

Perplexity (USA, DPF certified)
  1. Go to perplexity.ai/settings/api.
  2. Create an API key.

Available models: Sonar Deep Research, Sonar Reasoning Pro, Sonar Pro, Sonar

Special feature: Perplexity models specialize in research and deliver answers with source references.

  1. Log in to KI-Shield.
  2. Open "Settings" in the sidebar (or Cmd/Ctrl+6).
  3. In the "AI Provider" section, you will see a list of all available providers.
  4. Select the desired provider (e.g. OpenAI) via the radio button.
  5. If no key is stored yet, an input field will appear.
  6. Paste your API key.
  7. Click "Save key".
  8. KI-Shield automatically tests the key:
    • Success: "API key stored and successfully tested"
    • Failed: The key is not stored and you receive an error message
  9. Then select a model from the dropdown.
  10. Click "Save settings".

Tip: You can store keys for multiple providers simultaneously and switch between them at any time.

Already stored keys can be tested at any time:

  1. Go to Settings.
  2. For the provider with a stored key, you will see a green badge "Key active".
  3. Click "Test".
  4. KI-Shield sends a test request to the provider.
  5. On success: "Key is valid and working!"

Test failed? Possible causes: key expired, credit at the provider exhausted, key deleted at the provider, or a network issue. Check your account at the provider.

Delete Key

  1. Go to Settings and select the provider.
  2. Click "Remove" next to the active key.
  3. The key is immediately and irrevocably deleted from our servers.

Replace Key

  1. First remove the old key ("Remove").
  2. Enter the new key and click "Save key".

Security recommendation: Rotate your API keys regularly. Create a new key at the provider, store it in KI-Shield, and then delete the old key at the provider.

All 10+ AI providers are available in all plans — including the free plan:

Provider             Region       Free   Pro+
Mistral AI           EU           yes    yes
Anthropic (Claude)   USA          yes    yes
OpenAI (GPT)         USA          yes    yes
Google (Gemini)      USA          yes    yes
xAI (Grok)           USA          yes    yes
Groq                 USA          yes    yes
Perplexity           USA          yes    yes
Cohere               Canada/USA   yes    yes
DeepSeek             China        yes    yes
OpenRouter           USA          yes    yes

GDPR recommendation: For maximum data privacy, select Mistral (EU processing). The US providers are covered by the EU-US Data Privacy Framework (DPF); DPF participation is per company, so check the provider's current entry in the DPF list before relying on it.

KI-Shield never stores your API keys in plaintext. Here is how the encryption works:

  1. DEK derivation (Argon2id): A Data Encryption Key (DEK) is derived from your password with the memory-hard Argon2id function. It exists only in memory during your active session.
  2. Encryption: Your API key is encrypted with the DEK and stored in the database only as ciphertext.
  3. Decryption on use: Only when you send a chat request is the key decrypted, for the duration of that request, and forwarded to the provider.

Consequence: Neither KI-Shield employees nor an attacker who obtains the database can read your API keys from it. Decryption is only possible with your password (and thus your DEK). In the interface, you only see the last 4 characters of your key (e.g. ****a1b2).

Caveat: This protection is only as strong as your password. Argon2id slows down offline guessing but cannot rescue a short or reused password, and during a request the decrypted key is necessarily present in server memory; the zero-knowledge guarantee therefore applies to data at rest, not to a compromise of the running server.

If no valid API key is available, you will receive an HTTP 402 (Payment Required) error. This can have the following causes:

  • No key stored — go to Settings and add a key
  • Key expired or deleted — create a new key at the provider
  • Credit exhausted — top up your credit at the provider
  • Key was deactivated at the provider — check the provider dashboard

Solution

  1. Go to Settings.
  2. Click "Test" for the affected provider.
  3. If the test fails: remove the key and store a new one.
  4. Also check at the provider whether your account is active and credit is available.

Each provider offers different models. After selecting a provider, you can choose the desired model from a dropdown in the Settings under "Model".

Selection Guide

Use Case                  Recommended Models
General / best output     Claude Opus 4.6, GPT-4.1, Gemini 2.5 Pro
Fast & affordable         Llama 3.3 70B (Groq), GPT-4o Mini, Gemini 2.5 Flash
Code & programming        Claude Sonnet 4.6, Codestral, GPT-4.1
Reasoning / logic         o3, DeepSeek R1, Magistral, Grok 4
Research with sources     Sonar Deep Research, Sonar Pro
EU processing (GDPR)      Mistral Large 3, Mistral Medium 3.1

AI providers charge based on token usage (input + output). KI-Shield charges no surcharge on provider costs.

Rough Classification (as of 2026)

Price Range   Provider / Models
Free          Groq (free tier), Google Gemini (free tier)
Budget        GPT-4o Mini, GPT-4.1 Nano, Gemini Flash, Mistral Small, Llama models
Mid-range     GPT-4o, Claude Sonnet, Gemini Pro, Mistral Large, DeepSeek
Premium       Claude Opus, o3 Pro, Grok 4, Sonar Deep Research

Tip: Set a budget limit at your provider (e.g. 20 €/month) to avoid surprises. Most providers offer this option in their dashboards.

Two separate costs: KI-Shield (subscription fee for PII protection and features) + provider costs (token usage directly at the provider). You pay provider costs directly to the provider — not to KI-Shield.

Chat Features

Send messages, manage chats and keyboard shortcuts

There are several ways to start a new chat:

  • Click the "New Chat" button (gradient) at the top of the sidebar.
  • On the welcome screen you can directly click one of the suggestions (e.g. "GDPR Principles").
  • Just start typing — if no chat is active yet, one will be created automatically.

Each new chat receives the title "New Chat". After your first message, the title is automatically adjusted.

Action               Mac         Windows / Linux
Line break           Enter       Enter
Send message         Cmd+Enter   Ctrl+Enter
Send (alternative)   Click the send icon on the right side of the input field

Note: The input field grows automatically with your text. You can compose multi-line messages before sending.

With the Pro plan (and higher), you see AI responses word by word in real time as they are being generated.

  • The response is progressively displayed — you do not have to wait until it is finished.
  • A blinking purple dot indicates that the response is still being generated.
  • If the provider does not support streaming, an automatic fallback to non-streaming occurs.

Free plan: Without streaming, you wait until the complete response is finished before it is displayed.

While you type in the chat, KI-Shield automatically analyzes your text for personal data:

  • Detected PII is highlighted in color in the input field.
  • Each category has its own color (e.g. names, emails, addresses).
  • Below the input field, PII badges appear showing the number of detections.
  • When sending, the detected PII is pseudonymized before your message reaches the AI provider.

After sending, KI-Shield displays the PII markings in your sent message so you can see which data was protected.

42 PII categories are detected: names, email, phone, IBAN, tax ID, addresses, medical data and much more. All plans — including Free — have full PII protection.

If the automatic detection does not catch a word, you can tag it manually:

  1. Select the word or text in the input field with your mouse.
  2. A popup appears with the heading "Tag as PII".
  3. Search for or select the appropriate PII category (e.g. PERSON, EMAIL, IBAN).
  4. The word is immediately highlighted in color and pseudonymized when sending.

Tip: The popup has a search field — type e.g. "IBAN" to quickly find the right category.

  1. Right-click on the chat entry in the sidebar.
  2. Select "Rename" from the context menu.
  3. Enter the new title and press Enter.

Alternatively: After the first message, the chat title is automatically generated by the AI model.

  1. Right-click on the chat in the sidebar → "Delete".
  2. Or: Hover over the chat entry with your mouse — a red trash icon appears.
  3. Confirm with "OK" in the confirmation dialog.

Warning: Deleted chats cannot be recovered. All messages will be lost.

AI responses are rendered as Markdown and support:

  • Bold text, italic text, lists and tables
  • Code blocks with syntax highlighting (github-dark theme)
  • Headings, links and nested lists
  • Inline-Code with Backticks

You can also use Markdown in your messages — it is understood by the AI model.

You can switch provider and model at any time — even in the middle of a conversation:

  1. In the top right of the chat area, you will see two dropdown menus.
  2. The left dropdown shows the current provider (e.g. "Groq").
  3. The right dropdown shows the model (e.g. "Llama 3.3 70B").
  4. Change the selection — the next message will use the new provider/model.

Tip: Only providers for which you have stored a key appear in the dropdowns (exception: Groq with free tier).

Show/Hide Sidebar

Click the list icon in the top left to collapse or expand the chat list. On mobile devices, the sidebar is collapsed by default.

Wide View (Wide Mode)

Click the widescreen icon in the top right of the chat. Messages will then use the full screen width. Ideal for long code blocks or tables.

Focus Mode

When you click into the input field, focus mode is automatically activated: the chat messages are hidden and the input field becomes larger — like a writing editor. Press Escape to exit focus mode.

Shortcut (Mac / Win)   Function
Cmd/Ctrl+1             Chat
Cmd/Ctrl+2             Dashboard
Cmd/Ctrl+3             Compliance
Cmd/Ctrl+4             Audit-Logs
Cmd/Ctrl+5             API-Keys
Cmd/Ctrl+6             Settings
Cmd/Ctrl+7             Account
Cmd/Ctrl+8             My Data
Cmd/Ctrl+9             AVV (data processing agreement)
Cmd/Ctrl+Enter         Send message
Escape                 Exit focus mode

KI-Shield supports Dark Mode and Light Mode. You can switch at several places:

  • In the app: At the bottom of the sidebar next to your profile picture, there is a sun/moon icon.
  • On all public pages: In the top right of the header.

KI-Shield automatically detects your system setting (prefers-color-scheme). Your choice is stored in the browser and persists across sessions.

Limit                          Free   Pro+
Requests per month             50     Unlimited
Requests per minute (system)   300 (applies to all plans)

When you reach the monthly limit (Free plan), you will receive an error message. The limit resets at the end of the month.

Solution: Upgrade to the Pro plan for unlimited requests, or wait until the next month.

You can delete or archive chats you no longer need to keep your overview tidy.

Delete Chat

  1. Hover over the chat entry in the sidebar.
  2. Click the trash icon (or right-click → Delete).
  3. Confirm the prompt — the chat will be irrevocably removed.

Archive Chat

  1. Right-click on the chat → Archive.
  2. The chat is removed from the active list but remains accessible under Archive.

Note: With zero-knowledge mode activated, deleted chats are also completely removed server-side — recovery is not possible.

The sidebar shows all active chats sorted chronologically. Here is how to keep an overview with many conversations:

  • Quick search: Use the search field at the top of the sidebar to filter chats by title or content.
  • Sorting: Chats are automatically sorted by last activity — the newest appears at the top.
  • Pin: Important chats can be permanently pinned to the top via right-click → Pin.
  • Drag & Drop: Drag chats in the sidebar to manually adjust the order.

Tip: Give your chats descriptive names (article 46) so you can find what you are looking for more quickly later.

You can share individual chat conversations with colleagues or external partners:

  1. Open the desired chat.
  2. Click the share icon (arrow up) in the top right.
  3. Select the sharing option:
    • Read-only link: Recipients can view the history but cannot make changes.
    • Export as PDF: Generates a PDF document for sending (see also article 48).

Data privacy: Shared links are only visible to logged-in users of your organization. External links expire automatically after 7 days.

Each chat can be individually configured. Click the gear icon next to the chat title:

Parameter        Description                                    Recommendation
Temperature      Controls the creativity of responses (0.0–2.0)  0.7 for general use, 0.0 for facts
Max. tokens      Maximum length of the response                 4096 as standard, higher for code
Context window   How much chat history is sent along            Auto (recommended)
Streaming        Response is displayed word by word             On (better UX)

Tip: Changes only apply to the current chat. Global default values can be set under Settings → Chat Defaults.

PII Detection & Data Protection


PII stands for Personally Identifiable Information: all data that can directly or indirectly identify a person, such as names, email addresses, phone numbers, IBANs, tax IDs and much more.

KI-Shield detects PII automatically and in real time, before your message is sent to the AI provider, in three stages:

  1. NER (Named Entity Recognition): AI-based detection using spaCy and two specialized GLiNER models for German text
  2. 44 specialized recognizers: regex-, keyword- and context-based detection for German PII types
  3. Validation: check digits (IBAN, credit card, tax ID), plausibility checks and false-positive filters

Detected PII is color-coded in the chat input field. When sending, it is replaced by pseudonyms (e.g. Max Mustermann → PERSON_547). The placeholders in the AI response are translated back, so you see the original data while the AI provider never does.

Result: You use AI with full convenience while your sensitive data never leaves the server in plaintext.

KI-Shield detects 42+ PII categories with 44 specialized recognizers:

Personal data

PERSON — names, salutations, titles
EMAIL — email addresses (incl. IDN)
PHONE_NUMBER — phone numbers (7 patterns)
DATE_OF_BIRTH — dates of birth
ADDRESS — postal addresses, postcodes
LOCATION — cities, countries, regions

Financial data

IBAN — bank account numbers (MOD-97 check)
CREDIT_CARD — credit card numbers (Luhn check)
BIC_SWIFT — bank identifier codes
FINANCIAL_DATA — salary, account balance
REFERENCE_NUMBER — account/customer numbers

ID documents & IDs

ID_DOCUMENT — ID card, passport (ICAO)
DRIVERS_LICENSE — driver's licence numbers
TAX_ID — tax ID, VAT ID
SOCIAL_SECURITY — social security numbers
HEALTH_INSURANCE_NR — health insurance numbers

GDPR Art. 9 — Special categories

HEALTH_DATA — 350+ medical keywords
GENETIC_DATA — DNA, genome, genetic tests
BIOMETRIC_DATA — fingerprint, iris
ETHNIC_ORIGIN — ethnic origin
POLITICAL_OPINION — political opinions
RELIGIOUS_BELIEF — religious affiliation
UNION_MEMBERSHIP — trade union membership
SEXUAL_ORIENTATION — sexual orientation

Further categories

CRIMINAL_DATA — criminal records data
CHILD_DATA — data of children
EMPLOYMENT_DATA — employment data
EDUCATION_DATA — education data
SOCIAL_BENEFITS — social benefits
INSURANCE_DATA — insurance data
ORGANIZATION — GmbH, AG, e.V.
NRP — nationality/ethnicity

Technical identifiers

IP_ADDRESS — IPv4 & IPv6
MAC_ADDRESS — MAC addresses
GPS_COORDINATES — GPS coordinates
VIN_NUMBER — vehicle identification numbers
LICENSE_PLATE — vehicle registration plates
IMEI_NUMBER — device IMEI
SECRET_CREDENTIAL — passwords, API keys
HANDELSREGISTER — commercial register numbers (HRB/HRA)
AKTENZEICHEN — court file references
DATE_TIME — date/time expressions

PII detection is enabled by default and is shown through the shield icon in the chat header (GDPR protection active).

How to enable/disable PII detection:

  1. Click the shield icon in the chat header.
  2. The status toggles between active (green) and inactive (grey).

Note: With PII detection deactivated, your data is sent to the AI provider without protection. We recommend keeping detection enabled at all times.

When detection is active, you see colored highlights in the input field for detected PII and counter chips such as "2x Person, 1x IBAN" in the status bar.

Every PII detection has a confidence score between 0.0 and 1.0 that indicates how certain the system is that the match really is PII.

KI-Shield uses a threshold of 0.7 (70 %). Only detections with a score ≥ 0.7 are treated as PII:

Score       | Meaning              | Action
0.9 – 1.0   | Very high confidence | Masked
0.7 – 0.89  | High confidence      | Masked
0.5 – 0.69  | Medium confidence    | Ignored
< 0.5       | Low confidence       | Ignored

The threshold of 0.7 provides the best balance: it reliably detects real PII while avoiding too many false alarms. Detections are validated by several independent methods (NER, regex, keyword), which further increases accuracy.

Occasionally a word may be falsely detected as PII. KI-Shield offers several ways to correct this:

In the input field

  • Remove PII: Click the color-coded PII marker and choose "Removed" (Entfernt); the text is excluded from protection (visible as a crossed-out chip)
  • Restore: Click the crossed-out chip to restore the protection

In sent messages

  • Click the "X PII protected" badge of a message
  • Select the affected detection
  • Reclassify: assign the correct PII type (dropdown menu)
  • Not PII: report the detection as a false positive

Automatic filters: KI-Shield ships with 30+ known false-positive entries (e.g. German legal terms such as "Mandatsanfrage") and check-digit validation (IBAN, credit card, tax ID) that already minimize false alarms in the backend.
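
The confidence threshold from the table above and the check-digit validation mentioned in the automatic filters, combined in one added example that is not KI-Shield's recognizer code. Two constructed regex recognizers (IBAN and credit card) get a base score, a nearby context word within an 80-character window raises it, and a failed MOD-97 or Luhn checksum drops the candidate outright; only candidates at or above 0.7 are masked. The base scores, the +0.2 boost and the context word lists are assumptions; the `extra_context` parameter models the user-added context words described later on this page.

```python
"""Confidence scoring with the 0.7 threshold, context boost and check-digit validation.

Added illustration; the base scores, boost size and context word lists are
constructed assumptions, not KI-Shield's tuning.
"""
import re
from typing import List, Tuple

THRESHOLD = 0.7          # page: only scores >= 0.7 are treated as PII
CONTEXT_WINDOW = 80      # page: up to 80 characters of surrounding context
CONTEXT_BOOST = 0.2      # assumption: boost when a context word precedes the match

# Constructed recognizers: (category, pattern, base confidence, context words)
RECOGNIZERS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"), 0.6,
     ("iban", "konto", "bank")),
    ("CREDIT_CARD", re.compile(r"\b(?:\d[ -]?){13,18}\d\b"), 0.5,
     ("karte", "card", "visa", "mastercard")),
]


def iban_mod97_ok(iban: str) -> bool:
    """ISO 7064 MOD-97: move the first four characters to the end, map letters to
    numbers (A=10 ... Z=35) and require the integer to leave remainder 1 mod 97."""
    s = iban.replace(" ", "").upper()
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(c, 36)) for c in rearranged)
    return int(digits) % 97 == 1


def luhn_ok(number: str) -> bool:
    """Luhn check digit as used for credit card numbers."""
    digits = [int(c) for c in re.sub(r"\D", "", number)]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


VALIDATORS = {"IBAN": iban_mod97_ok, "CREDIT_CARD": luhn_ok}


def score_text(text: str, extra_context: Tuple[str, ...] = ()) -> List[dict]:
    """Score every candidate match; extra_context models user-added context words."""
    results = []
    lowered = text.lower()
    for category, pattern, base, context_words in RECOGNIZERS:
        for m in pattern.finditer(text):
            value = m.group(0)
            validator = VALIDATORS.get(category)
            if validator is not None and not validator(value):
                # Failed checksum: dropped in the backend, never reaches the threshold
                results.append({"category": category, "value": value, "score": 0.0,
                                "masked": False, "reason": "checksum failed"})
                continue
            window = lowered[max(0, m.start() - CONTEXT_WINDOW):m.start()]
            score = base
            if any(w in window for w in context_words + tuple(extra_context)):
                score = min(1.0, score + CONTEXT_BOOST)
            score = round(score, 2)
            results.append({"category": category, "value": value, "score": score,
                            "masked": score >= THRESHOLD, "reason": "ok"})
    return results
```

The checksum step is what makes a sequence such as 4111 1111 1111 1112 disappear before any threshold is applied, while a valid number with a weak context still lands below 0.7 and is ignored rather than masked.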

In the PRO plan and higher, KI-Shield lets you customize PII detection. You can define your own patterns or modify existing rules to align detection with your requirements.

Create custom PII patterns

  1. Navigate to Settings → Privacy (Datenschutz) → PII Rules.
  2. Click "Add new rule".
  3. Select the detection type: Regex (regular expression), Keyword list or Context-based.
  4. Enter the pattern, e.g. a regex for internal employee numbers: MA-\d{5,8}.
  5. Assign a PII category (e.g. REFERENCE_NUMBER) and set a confidence score.

Adjust existing rules

Each of the 44 predefined recognizers can be individually activated or deactivated. For example, you can deactivate LOCATION detection if you frequently write about places that are not PII. To do so, open the respective rule and set the switch to "Inactive".

Extend context words

Many recognizers use context words to improve detection. You can add your own context words, for example industry-specific terms such as "Patientennummer" (patient number) or "Mandantenkennung" (client identifier). These raise the confidence score when they occur near a potential PII match.

Tip: Test new rules first in preview mode: Enter sample text and check whether the detection works as expected before you activate the rule.

If KI-Shield wrongly detects text as PII, you can report and correct this in several ways. Your feedback helps to continuously improve detection.

Direct correction in the chat

  1. Click the color-coded PII marker in the input field.
  2. Select "Not PII" (Kein PII) to mark the detection as a false alarm.
  3. The text is no longer masked for this message (visible as a crossed-out chip).

Subsequent correction in sent messages

  1. Click the "X PII protected" badge of an already sent message.
  2. Select the affected detection from the list.
  3. Reclassify: assign the correct PII type via the dropdown menu.
  4. Report as false positive: select "Not PII" and confirm.

Global exception list (whitelist)

In the PRO plan you can permanently exclude words or phrases from detection under Settings → Privacy → Exceptions. This avoids recurring false alarms for technical terms, product names or internal designations.

Automatic filters: KI-Shield already contains 30+ predefined false-positive entries (e.g. German legal terms such as "Mandatsanfrage") as well as check-digit validation for IBAN, credit cards and tax IDs, which automatically prevent many false alarms.

In the PRO plan, KI-Shield offers comprehensive PII statistics and reports that give you a detailed overview of all detected personal data.

Dashboard overview

  • KPI cards: total requests, PII detections (absolute and in percent), success rate and error rate at a glance.
  • 7-day history: line chart with requests (blue) and detected PII (red) over time.
  • Top 10 PII categories: bar chart of the most frequent PII types with percentages.
  • PII distribution: donut chart with category shares for a visual overview.

Period filter

Choose between Today, Week, Month or Total. The dashboard refreshes automatically every 60 seconds so that you always see current data.

Export compliance reports

Under Compliance → Create report you can generate an Art. 30-compliant GDPR report. It contains: period, number of requests, blocked PII by type, top providers, error rate and a compliance score (heuristic based on PII usage and error rate).

Note: PII statistics only show aggregated metadata (e.g. "2x PERSON, 1x IBAN"), never the actual plaintext values. This follows KI-Shield's zero-knowledge principle.

KI-Shield's PII detection is currently optimized primarily for German. The system uses specialized German NLP models and patterns, but also detects many universal data formats independent of language.

German detection (full support)

  • spaCy model: de_core_news_lg, the German large model for named entity recognition.
  • GLiNER models: two specialized models (SauerkrautLM-GLiNER) for German PII detection.
  • 44 recognizers: all patterns, keywords and context words are tailored to German formats (e.g. 5-digit postcodes, 11-digit tax ID, German street names).

Language-independent detection

The following PII types are reliably detected regardless of the input language because they are based on structural patterns:

  • Email addresses (incl. internationalized domains)
  • IBAN (all country codes, with MOD-97 check)
  • IP addresses (IPv4 and IPv6)
  • Credit card numbers (Luhn validation)
  • GPS coordinates, MAC addresses, IMEI numbers

Limitations with other languages

For English or other non-German text, NER detection of names, places and organizations works only to a limited extent because the AI models are primarily trained on German. For foreign-language text we recommend additionally marking sensitive data manually (see article 45).

Tip: You can send text in any language to the AI; PII detection still reliably protects all structured data (email, IBAN etc.) and German-formatted personal data automatically.

If text is unexpectedly marked as PII, there are several possible reasons:

1. Context-based detection

Many recognizers use the surrounding context (up to 80 characters). A keyword such as "Diagnose" (diagnosis) or "Gehalt" (salary) can cause the entire sentence to be detected as HEALTH_DATA or FINANCIAL_DATA.

2. Keyword patterns

The GDPR Art. 9 categories (health, religion, politics etc.) use extensive keyword lists. If your text contains such a keyword, the surrounding context is marked too, even if you are not writing about a specific person.

3. NER model detection

The AI models (spaCy, GLiNER) may interpret words as personal names or places that are not PII in context. The false-positive filter catches many of these, but not all.

What you can do

  • Click the marked PII and choose "Not PII" to report it as a false positive
  • Remove the marker for this message ("Removed" chip)
  • Rephrase the text, if possible

KI-Shield's PII detection currently works text-based in the chat input field. There is currently no direct file upload function for PII scans.

Workaround: check text from documents

  1. Copy the relevant text from your document (PDF, Word, email etc.)
  2. Paste it into the chat input field
  3. PII detection analyzes the text automatically in real time
  4. Detected PII is highlighted in color before you send the message

Tip: For systematic PII analysis of large volumes of text, the PII API is available in the ENTERPRISE plan. With it you can check arbitrary text for PII programmatically via the endpoint /api/v1/analyze.

Zero-Knowledge Architecture

7 articles

Zero knowledge means: KI-Shield cannot read your stored data, even if someone gains full access to the server.

How it works

  1. At login, a Data Encryption Key (DEK) is derived from your password
  2. All your data (chats, PII mappings, API keys) is encrypted with this DEK
  3. The DEK is never stored permanently; it exists only in memory during your session
  4. At logout the DEK is deleted immediately

Comparison: With conventional services the encryption key lies on the server, so the provider can decrypt your data at any time. With zero knowledge, only you know the password that generates the key.

The Data Encryption Key (DEK) is the core of the zero-knowledge architecture:

Key derivation

Algorithm: Argon2id (OWASP-recommended)
Iterations: 3 passes
Memory: 64 MB RAM
Parallelism: 4 threads
Key length: 256 bit
Salt: 32 bytes, per user, random

Lifecycle

  1. Login: password + salt → Argon2id → DEK (256 bit)
  2. Session: the DEK is stored in Redis (max. 24 h TTL)
  3. Usage: all read/write operations use the DEK for Fernet encryption
  4. Logout: the DEK is deleted from Redis and the memory overwritten

Because the same password + salt always generates the same DEK, you can log in again and decrypt your data without the key ever having been stored.
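
The DEK lifecycle above, as an added example that is not KI-Shield's code. Python's standard library has no Argon2id, so hashlib.scrypt (also memory-hard) stands in for it, and an in-memory dictionary with a TTL stands in for Redis; the Fernet encryption step is left out. It shows the three properties the text relies on: the same password and salt always reproduce the key, a session without a DEK is refused rather than served from a fallback key, and logout overwrites and drops the key material. The scrypt parameters, session IDs and sample passwords are constructed.

```python
"""DEK derivation and session lifecycle (zero knowledge at rest).

Added illustration, not KI-Shield's implementation. scrypt replaces Argon2id and
a dict replaces Redis; both are assumptions made for an offline example.
"""
import hashlib
import os
import time
from typing import Callable, Dict, Tuple

SESSION_TTL = 24 * 3600  # page: the DEK lives at most 24 h in the session store


def derive_dek(password: str, salt: bytes) -> bytes:
    """Deterministic: the same password + salt always yields the same 256-bit DEK.
    scrypt stands in for Argon2id (assumption); the parameters are illustrative only."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def new_salt() -> bytes:
    """32 random bytes per user, as the page specifies."""
    return os.urandom(32)


class AccessDenied(Exception):
    """Corresponds to the HTTP 401 on the page: no DEK means no access, no fallback key."""


class SessionStore:
    """In-memory stand-in for Redis: DEKs are held only in RAM and expire."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._sessions: Dict[str, Tuple[bytearray, float]] = {}
        self._clock = clock

    def login(self, session_id: str, password: str, salt: bytes) -> bytes:
        dek = derive_dek(password, salt)
        self._sessions[session_id] = (bytearray(dek), self._clock() + SESSION_TTL)
        return dek

    def get_dek(self, session_id: str) -> bytes:
        entry = self._sessions.get(session_id)
        if entry is None or entry[1] <= self._clock():
            self.logout(session_id)           # expired sessions are purged, never extended
            raise AccessDenied("no DEK in session")
        return bytes(entry[0])

    def logout(self, session_id: str) -> None:
        entry = self._sessions.pop(session_id, None)
        if entry is not None:
            for i in range(len(entry[0])):    # overwrite the key material before dropping it
                entry[0][i] = 0


def dek_available(store: SessionStore, session_id: str) -> bool:
    """True if a read/write operation could proceed for this session."""
    try:
        store.get_dek(session_id)
        return True
    except AccessDenied:
        return False
```

Because `derive_dek` with a fresh salt produces an unrelated key, the example also shows why regenerating the salt (Scenario 2 in the password-loss article further down) makes the old DEK unrecoverable.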

Your data is processed in two places:

PostgreSQL (permanent, encrypted)

Data                      | Encrypted?
Chat messages             | Yes (Fernet + DEK)
Conversation titles       | Yes (Fernet + DEK)
PII pseudonym mappings    | Yes (Fernet + DEK)
BYOK API keys             | Yes (Fernet + DEK)
2FA secret (TOTP)         | Yes (Fernet + DEK)
Audit log content         | Yes (Fernet + DEK)
Email, name               | No (for account management)
Hash chain (signatures)   | No (for integrity verification)

Redis (temporary, volatile)

Your DEK is stored exclusively in Redis (max. 24 h), never on disk. At logout or session expiry it is deleted automatically.

Backup

Every 6 hours an encrypted backup is transferred to a geo-redundant backup server. Since the data is already encrypted, the backups are also unreadable without your DEK.

No. Thanks to the zero-knowledge architecture, neither KI-Shield nor a server administrator can read your stored chats.

Why not?

  • No stored key: the DEK is derived from your password and exists only in RAM during your session
  • No silent fallback: if no DEK is present, the system refuses access with HTTP 401; it does not fall back to a server key
  • No server-side search: search in encrypted conversation titles is technically disabled
  • Audit logs protected: plaintext fields are replaced with [encrypted]; only the encrypted version remains

What the server can see (metadata)

  • That a message was sent (timestamp, message count)
  • PII type statistics (e.g. "2x PERSON, 1x IBAN", but not the values)
  • Hash chain signatures (for integrity verification)
  • Email address and name (for account management)

Since your DEK is derived from the password, losing the password has direct consequences for your encrypted data.

Scenario 1: You have a recovery key

Available in the PRO and BUSINESS plans:

  1. During the password reset, enter your recovery key
  2. The system decrypts your old DEK with the recovery key
  3. A new DEK is derived from the new password
  4. All data is automatically re-encrypted with the new DEK
  5. No data loss

Scenario 2: No recovery key available

  1. Your account remains (email, name)
  2. All encrypted data is irrevocably deleted: conversations, messages, PII mappings, API keys
  3. The audit log signatures remain, preserving chain integrity
  4. A new salt is generated; the old DEK can never be reconstructed

Urgent recommendation: Create a recovery key immediately after registration and store it securely (e.g. in a password manager). The key is a 44-character Base58 code and is displayed only once.

Both concepts protect your data but work differently:

                | E2E encryption        | Zero knowledge (KI-Shield)
Encryption      | Client-side           | Server-side with DEK
Key             | Only on your devices  | In RAM during the session
Data at rest    | Server cannot read    | Server cannot read
Processing      | Server sees nothing   | Server processes in RAM
PII detection   | Not possible          | Possible (before sending to the AI)

Why zero knowledge instead of E2E?

KI-Shield must analyze your text server-side to detect and pseudonymize PII before it goes to the AI provider. Pure E2E encryption would make this impossible. Instead, KI-Shield uses zero knowledge at rest:

  • During the active session, text is processed in RAM (PII detection, pseudonymization)
  • After processing, all data is stored encrypted
  • Without an active session (= without DEK) the data is not readable

KI-Shield fully implements the requirements of the GDPR (General Data Protection Regulation) and the EU AI Act:

Data subject rights

Art. 15 | Right of access: view all stored data
Art. 16 | Rectification: correct data, changes audited
Art. 17 | Erasure: complete, irrevocable account deletion
Art. 20 | Data portability: export in a machine-readable format
Art. 28 | DPA: digital Data Processing Agreement integrated
Art. 30 | Records of processing: viewable in the compliance dashboard

Technical and organizational measures (Art. 32)

  • System access control: SSH key auth, Fail2Ban, 2FA for admin access
  • Data access control: RBAC, API key auth, TOTP 2FA, bcrypt password hashing
  • Encryption: TLS 1.3, zero-knowledge DEK, Ed25519 + ML-DSA-65 hybrid signatures, SHA-256 hash chain
  • Availability: automatic backups every 6 h, geo-redundant backup server, chain monitoring with Telegram alerts

Third-country transfers (Art. 44–49)

When using AI providers outside the EU (e.g. OpenAI/USA, DeepSeek/China) you are explicitly warned and must consent to the data transfer. EU providers such as Mistral are the recommended choice. Thanks to PII pseudonymization, personal data fundamentally does not leave the server in plaintext.

EU AI Act

At first login, a consent form for the AI Act is displayed. KI-Shield documents all AI interactions with audit-proof audit logs (Ed25519 + post-quantum ML-DSA-65 hybrid signatures).

Audit & Compliance

9 articles

The audit chain is a cryptographically secured chain of log records that completely documents every API request. It works like a private blockchain:

  1. Content hash: a SHA-256 hash is computed from the metadata of each request (provider, model, PII types, status, latency etc.)
  2. Chaining: each entry references the hash of its predecessor (previous_hash). The first entry has previous_hash = "GENESIS"
  3. Hybrid signature: each entry is double-signed:
    • Ed25519 — classical signature (primary, mandatory)
    • ML-DSA-65 — post-quantum signature per NIST FIPS 204 (secondary, future-proof)
  4. Write-time verification: signatures are verified immediately after creation; corrupt entries never enter the chain

Result: Any retroactive change to an entry would invalidate all subsequent hashes and signatures; manipulation is cryptographically provable.

Audit logs are accessible in the BUSINESS plan via the "Audit Logs" tab in the sidebar.

View

  • 25 entries per page with page navigation
  • Each entry shows: timestamp, action (color-coded), provider, model, PII count, status, latency

Color coding (one color per action type)

  • Request
  • Stream
  • Response
  • PII analysis
  • Feedback
  • PII blocked

Filters

  • Free-text search across all fields
  • From/To date to narrow the period
  • Action type (Request, Stream, Response, Analysis, Feedback)

On the dashboard, all users see a compact audit trail preview with the chain status and the latest entries.

KI-Shield periodically anchors the state of the audit chain on the Polygon blockchain (mainnet). This documents the chain's integrity publicly and immutably.

What is stored?

A self-send transaction (value = 0) with a JSON payload in the data field:

{
  "type": "ki-shield-anchor",
  "version": 1,
  "anchor_hash": "sha256...",
  "chain_hash": "sha256...",
  "chain_length": 12345
}

Procedure

  1. The current chain state is loaded (last hash, chain length)
  2. Anchor hash = SHA-256 of chain hash + chain length + timestamp
  3. The anchor is signed with Ed25519 + ML-DSA-65
  4. Optional: an eIDAS timestamp is generated
  5. The transaction is written to Polygon (up to 3 attempts)

Public verification

Anyone can verify anchors, without login or API key:

  • GET /api/v1/anchor/latest — latest anchor
  • GET /api/v1/anchor/verify/{id} — verify an anchor
  • GET /api/v1/verify/chain-status — chain integrity
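
The hash chain from the audit-chain article above and the anchor hash from step 2 of this procedure, as one added example that is not KI-Shield's code. It builds entries with a SHA-256 content hash over canonical JSON metadata, links each to its predecessor starting from "GENESIS", verifies the whole chain, and derives the anchor payload in the JSON shape shown above. The Ed25519 and ML-DSA-65 signatures are omitted (they need libraries outside the standard library), so only the hash linkage is demonstrated; the serialization, the field names other than those on the page, and the sample metadata are constructed.

```python
"""Hash chain with GENESIS linkage, tamper detection and anchor payload.

Added illustration, not KI-Shield's implementation. Signatures are left out;
canonical JSON serialization and the link-hash construction are assumptions.
"""
import hashlib
import json
from typing import Dict, List

GENESIS = "GENESIS"


def content_hash(metadata: Dict) -> str:
    """SHA-256 over a canonical (sorted keys, compact) JSON form of the request metadata."""
    canonical = json.dumps(metadata, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def link_hash(previous_hash: str, chash: str) -> str:
    """The entry hash binds the content hash to the predecessor's hash."""
    return hashlib.sha256(f"{previous_hash}:{chash}".encode("utf-8")).hexdigest()


def append_entry(chain: List[Dict], metadata: Dict) -> Dict:
    previous = chain[-1]["hash"] if chain else GENESIS
    chash = content_hash(metadata)
    entry = {"seq": len(chain) + 1, "metadata": metadata, "content_hash": chash,
             "previous_hash": previous, "hash": link_hash(previous, chash)}
    chain.append(entry)
    return entry


def verify_chain(chain: List[Dict]) -> List[int]:
    """Sequence numbers of entries whose content or linkage no longer checks out."""
    failed = []
    expected_previous = GENESIS
    for entry in chain:
        recomputed = content_hash(entry["metadata"])
        ok = (entry["previous_hash"] == expected_previous
              and entry["content_hash"] == recomputed
              and entry["hash"] == link_hash(entry["previous_hash"], recomputed))
        if not ok:
            failed.append(entry["seq"])
        expected_previous = entry["hash"]
    return failed


def anchor_payload(chain: List[Dict], timestamp: str) -> Dict:
    """Anchor hash = SHA-256 of chain hash + chain length + timestamp (step 2 above)."""
    chain_hash = chain[-1]["hash"] if chain else GENESIS
    anchor = hashlib.sha256(f"{chain_hash}|{len(chain)}|{timestamp}".encode("utf-8")).hexdigest()
    return {"type": "ki-shield-anchor", "version": 1, "anchor_hash": anchor,
            "chain_hash": chain_hash, "chain_length": len(chain)}


def sample_chain() -> List[Dict]:
    """Three constructed request records, as an audit logger would append them."""
    chain: List[Dict] = []
    for i in range(3):
        append_entry(chain, {"provider": "openai", "model": "gpt-4o", "status": "ok",
                             "pii_types": ["PERSON", "IBAN"], "latency_ms": 100 + i})
    return chain
```

The test below shows both failure modes a verifier must catch: editing metadata in place breaks that entry's content hash, and "repairing" the edited entry's own hashes instead breaks the successor's previous_hash, which is the property the anchor on Polygon pins down for the whole chain.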

Audit logs can be exported as CSV or JSON. This is a PRO feature.

How to export

  1. Open the "Audit Logs" tab
  2. Optional: set a date filter (From/To)
  3. Click "JSON" or "CSV" at the top right
  4. The file is downloaded automatically

Included fields

ID, timestamp, session ID, user ID, action, provider, model, PII types (JSON), PII count, status, latency (ms), estimated tokens, content hash, signature, previous hash

JSON bonus: In JSON format, the decrypted audit body is additionally exported (if your DEK is active).

Limit: A maximum of 10,000 entries per export. For longer periods, use the date filter to split the export into segments.

The DPA (AVV, Auftragsverarbeitungsvertrag) governs the data-protection relationship between you (controller) and KI-Shield (processor) in accordance with GDPR Art. 28.

Content (version 1.0)

The DPA comprises 10 sections:

  1. Subject matter and duration of processing
  2. Nature and purpose of processing
  3. Categories of personal data
  4. Categories of data subjects
  5. Technical and organizational measures (Art. 32)
  6. Obligations of the processor
  7. Sub-processing
  8. Rights of data subjects
  9. Deletion and return of data
  10. Liability

Processor: KI-Shield UG
Sub-processor: Hetzner Online GmbH (dedicated server, Nuremberg, Germany)

Important: If the DPA has not been signed, a banner is displayed: "DPA per Art. 28 GDPR not yet signed". Using the service without a DPA is possible, but signing it is recommended for professional GDPR compliance.

Sign the DPA digitally

  1. Click "AVV" in the sidebar
  2. Read the contract text
  3. Fill in the form:
    • Name of the signer
    • Email address
    • Company
    • Position (e.g. Data Protection Officer)
  4. Click "Sign AVV"

What happens at signing

KI-Shield creates a cryptographic signature proof:

  • Deterministic payload: AVV version + user ID + document hash + signer data + timestamp
  • Ed25519 signature over the SHA-256 hash of the payload
  • Stored: signature, IP address, user agent, exact timestamp

Download the DPA

After signing, a "Download" button appears. You receive a printable HTML document with:

  • Complete contract text
  • Agreement ID
  • Document hash (SHA-256)
  • Ed25519 signature
  • Name and date of the signer

KI-Shield offers multiple compliance report formats for different plan tiers:

Compliance dashboard (PRO)

  • Privacy status (PII detection, zero knowledge, post-quantum, audit chain)
  • EU AI Act compliance: article status (fulfilled/partial/open)
  • Records of processing per Art. 30 GDPR
  • TOM overview (Art. 32): encryption, access control, availability
  • Chain integrity with signing key fingerprints

GDPR report (BUSINESS)

  • Art. 30-compliant report: period, requests, PII blocked (by type), top providers, error rate
  • Compliance score (heuristic: 100 % base, deductions for missing PII usage or a high error rate)
  • PDF export: the "Compliance Report (PDF)" button generates a printable document

Auditor access (BUSINESS)

Create temporary auditor tokens for external auditors (valid 1–30 days, revocable at any time). Auditors get access to the compliance report and chain entries, but not to encrypted content (zero knowledge is maintained).

KI-Shield ensures audit-proof (tamper-evident) record keeping through 8 interlocking mechanisms:

  1. Hash chain — each entry references the previous one; a change invalidates all successors
  2. Hybrid signatures — Ed25519 + ML-DSA-65 make manipulation cryptographically provable
  3. Write-time verification — signatures are verified before writing; corrupt entries never enter the chain
  4. Advisory lock — PostgreSQL pg_advisory_xact_lock prevents fork scenarios during parallel writes
  5. Sequence numbers — an atomic PostgreSQL sequence guarantees complete ordering
  6. Periodic verification — the Trust Monitor verifies keys, certificates and chain integrity every 5 minutes
  7. Blockchain anchor — Polygon anchoring fixes the chain state publicly and immutably
  8. Public verification — anyone can verify chain entries and anchors without login

On account deletion: only the encrypted content (encrypted_body) is deleted. Content hash, signatures and chain linkage remain intact; the chain never breaks.

KI-Shield's audit chain meets the evidentiary obligations of regulated industries:

Financial sector

  • MiFID II / MaRisk: complete logging of all AI-supported decision processes
  • PII protection: 42+ categories incl. IBAN, credit card and tax ID with check-digit validation
  • Export: CSV/JSON for auditors and BaFin requests

Healthcare

  • GDPR Art. 9: special protection for health data (350+ medical keywords)
  • Pseudonymization: patient data is never sent to AI providers in plaintext
  • Audit evidence: every interaction with timestamp, PII types and cryptographic signature

Legal sector

  • Client confidentiality: the zero-knowledge architecture protects confidential client data
  • Case number detection: court case numbers (Aktenzeichen) and commercial register numbers are detected
  • Audit-proof records: cryptographically signed chain for evidentiary purposes in court

Auditor access

Create temporary auditor tokens (BUSINESS) for external auditors. Auditors can verify chain integrity and the compliance score without access to encrypted content.

API Access & Integration

11 articles

API keys enable programmatic use of KI-Shield and are available in the ENTERPRISE plan.

Create a key

  1. Open Settings → API Keys
  2. Click "Create new API key"
  3. Assign a name (e.g. "Production")
  4. Select the role: readonly, user or admin
  5. Optional: expiration date (7, 30 or 90 days; or unlimited)
  6. Copy the key; it is displayed only once!

Key format

Keys begin with kp- followed by 32 random characters. Only the SHA-256 hash of the key is stored in the database (write-only), so a database leak does not expose usable keys.

Usage

curl -H "X-API-Key: kp-IhrKey..." \
     https://ki-shield.de/api/v1/health

KI-Shield offers automatically generated, interactive API documentation:

Swagger UI   | /docs         | Interactive API explorer with "Try it out"
ReDoc        | /redoc        | Clear reference documentation
OpenAPI JSON | /openapi.json | Machine-readable specification (v4.0.0)

18 API tags

The endpoints are grouped into 18 areas: Health, Chat, Analyze, Audit, Auth, Conversations, API Keys, Providers, PII Patterns, Feedback, Dashboard, Billing, Config, License, AVV, Anchor, Verify, Contact.

Tip: Use the Swagger UI under /docs for direct testing: you can enter your API key there and try out endpoints live.

KI-Shield offers ~75 API endpoints. The most important ones by category:

Core endpoints

POST /api/v1/chat/completions | Chat with PII protection & BYOK
POST /api/v1/analyze          | PII analysis (without forwarding to an AI)
GET  /api/v1/health           | Server status (no auth)
GET  /api/v1/providers        | Available AI providers

Conversations

POST /api/v1/conversations            | Create a conversation
GET  /api/v1/conversations            | List all conversations
GET  .../conversations/{id}/messages  | Retrieve messages

Audit & Compliance

GET /api/v1/audit/logs       | Audit logs (paginated)
GET /api/v1/audit/verify     | Verify the chain
GET /api/v1/audit/public-key | Signing key (no auth)
GET /api/v1/anchor/latest    | Latest blockchain anchor

Full documentation: /docs (Swagger) or /redoc (ReDoc).

KI-Shield offers two access methods with different characteristics:

              | REST API (X-API-Key)                  | Chat (browser/JWT)
Auth          | X-API-Key header                      | JWT cookie (ki_session)
Plan          | Enterprise (1,999 €)                  | All plans (from 0 €)
BYOK          | Optional (admin key uses server keys) | Mandatory (HTTP 402 if missing)
Rate limit    | Per API key hash                      | Per IP address
Monthly limit | None                                  | Free: 50/month
2FA           | Not applicable                        | Optional (TOTP)
PII toggle    | Controllable per request              | Global on/off

When to use the API? For automated workflows, custom applications, batch processing and system integration.
When to use the chat? For interactive AI use in the browser with convenience features such as real-time PII highlighting.

API keys have a role-based permission system (RBAC) with three levels:

Role     | Level | Permissions
readonly | 1     | Read-only access (logs, status, provider list)
user     | 2     | Standard: chat, analyze, conversations, feedback
admin    | 3     | Full access: configuration, user management, PII patterns, anchor

Defense in depth

  • A DB key with role admin effectively receives admin rights only if the associated user also has is_admin=True
  • Only admin users can create admin keys
  • Expired keys are automatically rejected at authentication
  • last_used is updated on every use

Global rate limit

300 requests per minute per API key (or per IP without a key). Algorithm: sliding window via Redis.

Response headers

X-RateLimit-Limit: 300
X-RateLimit-Remaining: 287

When exceeded (HTTP 429)

{
  "error": "Rate limit exceeded",
  "detail": "Maximal 300 requests pro Minute",
  "retry_after_seconds": 60
}

Special limits

Login: 5 attempts / 60 s per IP
Registration: 5 / hour per IP
Forgot password: 3 / hour per IP
2FA (TOTP): 5 / 60 s per IP
Demo endpoint: 10 / 60 s per IP
Free plan (monthly): 50 requests / month

Fail-closed: If Redis is unavailable, the rate limit is enforced (429) rather than letting requests through uncontrolled.
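
The sliding-window limiter and the fail-closed rule above, as an added example that is not KI-Shield's implementation. A deque of timestamps per client key stands in for the Redis structure; the store can be flagged unavailable so the fail-closed branch can be exercised offline. The 300/min limit, the per-key-hash and per-IP keying and the header names come from this page; the retry computation, the key prefixes and the fake clock are constructed.

```python
"""Sliding-window rate limiter (300/min) with X-RateLimit headers and fail-closed behaviour.

Added illustration; an in-memory deque replaces Redis and the Retry-After
computation is an assumption.
"""
import hashlib
import math
import time
from collections import deque
from typing import Callable, Deque, Dict, Optional, Tuple

LIMIT = 300      # page: 300 requests per minute
WINDOW = 60.0    # seconds


class StoreUnavailable(Exception):
    """Stands in for a lost Redis connection."""


class MemoryStore:
    """In-memory substitute for Redis: one timestamp deque per client key."""

    def __init__(self) -> None:
        self.buckets: Dict[str, Deque[float]] = {}
        self.available = True

    def bucket(self, key: str) -> Deque[float]:
        if not self.available:
            raise StoreUnavailable("store down")
        return self.buckets.setdefault(key, deque())


def client_key(api_key: Optional[str], ip: str) -> str:
    """Limit per API key hash when a key is present, otherwise per IP (page)."""
    if api_key:
        return "key:" + hashlib.sha256(api_key.encode("utf-8")).hexdigest()
    return "ip:" + ip


class RateLimiter:
    def __init__(self, store: MemoryStore, clock: Callable[[], float] = time.time) -> None:
        self.store = store
        self.clock = clock

    def check(self, key: str) -> Tuple[int, Dict[str, str]]:
        """Return (HTTP status, response headers) for one incoming request."""
        now = self.clock()
        try:
            stamps = self.store.bucket(key)
        except StoreUnavailable:
            # Fail closed: without the counter we cannot show the client is under the limit
            return 429, {"Retry-After": str(int(WINDOW))}
        while stamps and stamps[0] <= now - WINDOW:    # drop timestamps outside the window
            stamps.popleft()
        if len(stamps) >= LIMIT:
            retry_after = max(1, math.ceil(stamps[0] + WINDOW - now))
            return 429, {"X-RateLimit-Limit": str(LIMIT), "X-RateLimit-Remaining": "0",
                         "Retry-After": str(retry_after)}
        stamps.append(now)
        return 200, {"X-RateLimit-Limit": str(LIMIT),
                     "X-RateLimit-Remaining": str(LIMIT - len(stamps))}
```

Hashing the API key before using it as the store key mirrors the page's "per API key hash": the limiter never needs the plaintext key in Redis, which matters if the store is shared or logged.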

Code | Status            | Common causes
400  | Bad Request       | Missing/invalid parameters, invalid provider/model name
401  | Unauthorized      | Missing/invalid API key, expired JWT, expired key
402  | Payment Required  | BYOK key missing (JWT user), provider requires a higher plan, streaming only Pro+
403  | Forbidden         | Insufficient role, email not verified, API keys only in Enterprise
413  | Payload Too Large | Text too large (Analyze: 50k, Chat: 500k characters)
429  | Too Many Requests | Rate limit exceeded (300/min), free monthly limit (50/month)
500  | Internal Error    | Internal server error, DEK decryption failed
502  | Bad Gateway       | AI provider not reachable, Stripe error
503  | Unavailable       | Trust status unhealthy, service not configured

Chat-specific error codes

PROVIDER_KEY_MISSING — provider key invalid
PROVIDER_RATE_LIMITED — rate limit at the provider
MODEL_NOT_FOUND — model not available
PROVIDER_ERROR — general provider error

KI-Shield currently supports incoming webhooks for the Stripe payment integration:

Endpoint: POST /api/v1/billing/webhook
Authentication: HMAC-SHA256 via the Stripe-Signature header
Processed events: checkout.session.completed, subscription.updated, subscription.deleted, invoice.payment_failed

Outgoing webhooks

KI-Shield currently offers no outgoing webhooks (e.g. on PII detection or audit events). For real-time monitoring we recommend:

  • Polling: periodically query /api/v1/audit/logs
  • Health check: /api/v1/health for the trust status
  • Telegram bot: chain monitoring with automatic alerts (configured server-side)

KI-Shield supports manual key rotation for maximum security:

Recommended rotation workflow

  1. Create a new key (via UI or API)
  2. Update the integration: store the new key in your application
  3. Test: check that the new key works
  4. Revoke the old key: PATCH /api/v1/api-keys/{id}/revoke
  5. Optional: delete the old key: DELETE /api/v1/api-keys/{id}

Automatic expiration

Set an expiration date when creating the key:

  • 7 days: for temporary tests
  • 30 days: regular rotation
  • 90 days: standard for production environments
  • Unlimited: recommended only with active manual rotation

Best practice: Rotate production keys at least every 90 days. Use the last_used timestamp to identify and remove unused keys.

Health check (no auth)

curl https://ki-shield.de/api/v1/health

PII analysis

curl -X POST https://ki-shield.de/api/v1/analyze \
  -H "Content-Type: application/json" \
  -H "X-API-Key: kp-IhrKey..." \
  -d '{"text": "Max Mustermann, IBAN DE89370400440532013000"}'

Chat completion (non-streaming)

curl -X POST https://ki-shield.de/api/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "X-API-Key: kp-IhrKey..." \
  -H "X-Provider-Key: sk-IhrOpenAIKey..." \
  -d '{
    "messages": [{"role":"user","content":"Hallo"}],
    "provider": "openai",
    "model": "gpt-4o",
    "stream": false
  }'

Chat completion (streaming)

curl -X POST https://ki-shield.de/api/v1/chat/completions \
  -H "Content-Type: application/json" \
  -H "X-API-Key: kp-IhrKey..." \
  -H "X-Provider-Key: sk-IhrOpenAIKey..." \
  -d '{"messages":[{"role":"user","content":"Erklaere GDPR Art. 17"}],
       "provider":"openai","model":"gpt-4o","stream":true}'

Retrieve the provider list

curl https://ki-shield.de/api/v1/providers \
  -H "X-API-Key: kp-IhrKey..."

Verify chain integrity

# The URL is quoted so the shell does not treat "?" as a glob character
curl "https://ki-shield.de/api/v1/audit/verify?limit=1000" \
  -H "X-API-Key: kp-IhrKey..."

Step-by-step integration

  1. Subscribe to the Enterprise plan (API access required)
  2. Create an API key (see article 85)
  3. Have a provider key ready (BYOK, e.g. an OpenAI key) or use an admin key with server key access
  4. Integrate the endpoint:
    • POST /api/v1/chat/completions — for AI chat with PII protection
    • POST /api/v1/analyze — for pure PII detection (without AI)
  5. Implement error handling (see article 91)

Required HTTP headers

X-API-Key: authentication (mandatory)
X-Provider-Key: BYOK, the AI provider key in plaintext
X-User-Provider-Key-Id: alternative, a reference to a stored key
X-Request-ID: optional correlation ID (also set by the server)
Content-Type: application/json

CORS

Allowed origins: https://ki-shield.de and https://www.ki-shield.de. For server-side integrations (without a browser) no CORS restrictions apply.

Evaluating response headers

X-Request-ID — for support requests
X-RateLimit-Remaining — remaining requests
Retry-After — wait time on 429
X-RateLimit-Limit — max. requests/min
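
A client for POST /api/v1/analyze that implements step 5 (error handling) of the integration above, as an added example that is not KI-Shield's SDK. It sends the required headers, refuses oversized text locally (the 413 limit from the error-code table), retries on 429/502/503 honouring Retry-After, and surfaces the other codes as typed errors carrying X-Request-ID for support requests. The HTTP transport is injected so the function runs offline against a fake; the JSON response shape, the retry policy and the error messages are assumptions, and `urllib_transport` is the real transport you would pass in production.

```python
"""Client for POST /api/v1/analyze with retry and typed error handling.

Added illustration, not KI-Shield's SDK. Endpoint, headers and status codes are
from the page; the response shape and retry policy are assumptions.
"""
import json
import time
from typing import Callable, Dict, Optional, Tuple

BASE_URL = "https://ki-shield.de"
ANALYZE_MAX_CHARS = 50_000          # page: Analyze returns 413 above 50k characters

# transport(method, url, headers, body) -> (status, response headers, response body)
Transport = Callable[[str, str, Dict[str, str], bytes], Tuple[int, Dict[str, str], bytes]]


class KiShieldError(Exception):
    def __init__(self, status: int, message: str, request_id: Optional[str] = None):
        super().__init__(f"HTTP {status}: {message} (X-Request-ID={request_id})")
        self.status = status
        self.request_id = request_id    # quote this in support requests (page)


# Non-retryable codes from the error-code table, with what the integrator should fix
PERMANENT = {
    400: "bad request: check parameters and provider/model name",
    401: "unauthorized: API key missing, invalid or expired",
    402: "payment required: BYOK provider key missing or plan too low",
    403: "forbidden: insufficient role or email not verified",
    413: "payload too large: text exceeds the Analyze limit",
}
RETRYABLE = {429, 502, 503}


def analyze(text: str, api_key: str, transport: Transport, max_retries: int = 3,
            sleep: Callable[[float], None] = time.sleep) -> Dict:
    """POST the text for PII analysis; retry transient failures, raise on the rest."""
    if len(text) > ANALYZE_MAX_CHARS:
        raise KiShieldError(413, PERMANENT[413])      # reject locally, no round trip
    body = json.dumps({"text": text}).encode("utf-8")
    headers = {"Content-Type": "application/json", "X-API-Key": api_key}
    for attempt in range(max_retries + 1):
        status, resp_headers, resp_body = transport(
            "POST", BASE_URL + "/api/v1/analyze", headers, body)
        request_id = resp_headers.get("X-Request-ID")
        if status == 200:
            return json.loads(resp_body.decode("utf-8"))
        if status in RETRYABLE and attempt < max_retries:
            # Honour Retry-After (sent on 429); otherwise back off exponentially
            sleep(float(resp_headers.get("Retry-After", 2 ** attempt)))
            continue
        raise KiShieldError(status, PERMANENT.get(status, "retries exhausted or unexpected status"),
                            request_id)


def urllib_transport(method: str, url: str, headers: Dict[str, str], body: bytes):
    """Real transport for production use (not exercised offline)."""
    import urllib.error
    import urllib.request
    request = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            return response.status, dict(response.headers), response.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()
```

Keeping the provider key out of this call is deliberate: /api/v1/analyze performs only PII detection, so X-Provider-Key is needed only for /api/v1/chat/completions.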

Verification Portal

Check documents and media for authenticity

KI-Shield's verification portal enables anyone to check the authenticity and integrity of documents, images and videos, without login and free of charge.

How it works

  1. File upload or hash entry — The portal calculates the cryptographic fingerprint (SHA-256) of your file directly in the browser. The file never leaves your device.
  2. Blockchain comparison — The hash is compared with the KI-Shield trust chain. If the file was certified via KI-Shield, you will find its timestamp, origin and proof of integrity.
  3. Result — You get an immediate statement: Verified, Not found or Manipulated.

Tip: The portal is ideal for giving business partners or authorities quick proof of authenticity; simply send them the link to the portal together with the file.

To check the authenticity of a document, photo or video, you have three options:

1. File upload

Drag the file into the upload area via drag & drop or click "Select file". The SHA-256 hash is computed locally in your browser; the file is not transmitted.

2. Enter the hash directly

If you already know the SHA-256 hash (e.g. from a certificate or an email), you can enter it directly in the search field. Format: 64 hexadecimal characters.

sha256sum meine-datei.pdf
# output: a3f2b8c9d1e4...  meine-datei.pdf

3. QR-Code scannen

Many KI-Shield-certified files contain a QR code with the verification URL. Scan it with your smartphone camera — you will be forwarded directly to the result.

Tip: Bei KI-ShieldPic and KI-ShieldVid is the QR-Code automatically in the Metadaten eingebettet. you can the QR-Code also as separates Bild download.

KI-Shield generates a QR code for every certified file that links directly to verification.

QR-Code-Formate

ProductQR-FormatExample
KI-ShieldPicKISHIELDPIC|v3|<hash>Eingebettet in EXIF-data
KI-ShieldVidKISHIELDVID|v3|<hash>Eingebettet in Video-Metadaten

Scannen & Verifizieren

  1. Open the Kamera-App Ihres Smartphones
  2. Richten you the Kamera on the QR-Code
  3. Tippen you on the eingeblendeten Link
  4. The verification portal immediately shows the Result

Alternativ you can im Verifizierungsportal the Tab "QR-Code" select and the Code via the Webcam or a Bild scannen.

Nach successfullyer Verifizierung zeigt the Portal a certificate with folgenden Informationen:

Status

Verifiziert (grün), Nicht found (rot) or Manipuliert (orange). Only "Verifiziert" bedeutet, that the file exakt the Original entspricht.

timestamp

When the file erstmals in the Trust-Chain registered wurde (UTC). This timestamp is cryptographic gesecurelyt and not fälschbar.

SHA-256 Hash

Der eindeutige cryptographic fingerprint the file. Every still so kleine Änderung würde a komplett anderen Hash erzeugen.

Chain-Position

Die Position in the blockchain-like chain. Jeder Entry references the previous — Rückwirkende Manipulation is damit ausgeschlossen.

KI-Shield stores every verification entry in of a cryptographic chain (Trust-Chain). So you can the Blockchain evidence check yourself:

Manuelle Prüfung per API

curl https://ki-shield.de/shieldcam/api/v1/chain/verify/<hash>

Die API gibt a JSON-Objekt back with:

FeldBedeutung
verifiedtrue when the Hash in the Chain found wurde
timestampISO-8601 timestamp the registration
chain_positionLaufende Nummer in the chain
previous_hashHash of the previous entry (Verkettung)
algorithmVerwendeter Hash-Algorithmus (SHA-256)

chain nachvollziehen

you can the entire chain validieren, indem you at Position 1 beginnen and check, ob the previous_hash jedes entry the tatsächlichen Hash of the Vorgängers entspricht. Eine Lücke or Inkonsistenz würde immediately auffallen.

Tip: Für the automaticallye Chain-validation you can the KI-Shield CLI-Tool or the B2B-API use. Beide bieten a chain validate-Befehl, the the entire chain in seconds prüft.
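The portal steps and the chain walk described above, reproduced locally as an added example (this is not KI-Shield's portal or CLI code): computing the SHA-256 fingerprint, normalising a pasted hash, extracting the hash from a KISHIELDPIC|v3|<hash> QR payload, looking a hash up in the chain, and validating the linkage from position 1. Assumptions: each chain entry is the JSON object from the table plus a `hash` field holding the file's SHA-256, position 1 carries a null previous_hash, and every later previous_hash equals the `hash` of the entry one position earlier. The files and entries are constructed in memory.

```python
"""Local version of the portal checks (added example, not KI-Shield code).
Assumed entry shape: the table's fields plus a `hash` field (file SHA-256);
position 1 has previous_hash null; later previous_hash values equal the
`hash` of the preceding entry. All data below is constructed."""
import hashlib
import re

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def file_fingerprint(data: bytes) -> str:
    """SHA-256 hex digest, as the browser or `sha256sum` would compute it."""
    return hashlib.sha256(data).hexdigest()


def normalize_hash(text: str) -> str:
    """Accept a pasted hash with stray whitespace or upper case, reject anything else."""
    h = text.strip().lower()
    if not HEX_SHA256.match(h):
        raise ValueError("expected 64 hexadecimal characters")
    return h


def hash_from_qr(payload: str) -> str:
    """Pull the hash out of a KISHIELDPIC|v3|<hash> / KISHIELDVID|v3|<hash> payload."""
    parts = payload.strip().split("|")
    if len(parts) != 3 or parts[0] not in ("KISHIELDPIC", "KISHIELDVID") or parts[1] != "v3":
        raise ValueError("not a KI-Shield v3 QR payload")
    return normalize_hash(parts[2])


def lookup(file_hash: str, chain: list):
    """Portal steps 2 and 3: 'Verified' with its entry, or 'Not found'."""
    for entry in chain:
        if entry["hash"] == file_hash:
            return "Verified", entry
    return "Not found", None


def validate_chain(chain: list):
    """Walk from position 1 and check the linkage.
    Returns (True, None) or (False, first position that breaks the chain)."""
    entries = sorted(chain, key=lambda e: e["chain_position"])
    prev = None
    for expected, e in enumerate(entries, start=1):
        if e["chain_position"] != expected:          # gap or duplicate position
            return False, expected
        if e["algorithm"] != "SHA-256" or not HEX_SHA256.match(e["hash"]):
            return False, expected
        if e["previous_hash"] != (prev["hash"] if prev else None):
            return False, expected                   # linkage broken
        prev = e
    return True, None


def build_demo_chain(files):
    """Constructed chain over in-memory byte strings (not real trust-chain data)."""
    chain, prev = [], None
    for pos, data in enumerate(files, start=1):
        h = file_fingerprint(data)
        chain.append({"verified": True, "hash": h,
                      "timestamp": f"2025-01-0{pos}T12:00:00Z",
                      "chain_position": pos, "previous_hash": prev,
                      "algorithm": "SHA-256"})
        prev = h
    return chain


DEMO_FILES = [b"contract v1 (constructed)", b"site photo (constructed)",
              b"video clip (constructed)"]
DEMO_CHAIN = build_demo_chain(DEMO_FILES)
```

Note what the linkage check does and does not catch: altering the `hash` of one entry breaks the `previous_hash` of its successor, and removing an entry shows up as a position gap, but a "Manipulated" verdict for a file needs information the chain walk alone does not give, so the example only distinguishes Verified from Not found.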

Settings & Profile

Customize account, notifications and appearance

You can change your display name at any time in the profile settings:

  1. Click your avatar or your name at the top right
  2. Select "Edit profile"
  3. Enter the new name and click Save

The name is displayed in chat exports, audit logs and the team dashboard. The change takes effect immediately.

For security reasons, changing your email address requires a double confirmation:

  1. Navigate to Settings → Account → Email
  2. Enter the new email address
  3. Confirm with your current password
  4. Click the confirmation link in the email sent to the new address

Until confirmed, the old address remains active. The link is valid for 24 hours.

Tip: If you did not receive a confirmation link, check your spam folder or request the link again under Settings → Email.

Navigate to Settings → Security → Change password.

  1. Enter your current password
  2. Choose a new password (min. 12 characters, upper and lower case letters, a number, a special character)
  3. Confirm the new password
  4. Click Save

After the change, all other active sessions are ended — you must log in again on other devices.

Tip: Use a password manager like Bitwarden or 1Password to generate a secure, unique password.

Under Settings → Notifications you control which emails you receive:

Security notices

Login from a new device, password change, 2FA changes. Always active — cannot be deactivated.

Usage reports

Weekly summary of your API usage and costs. Default: enabled.

Product updates

New features, maintenance windows and release notes. Default: enabled.

Budget warnings

Notification at 80% and 100% of the configured monthly limit. Default: enabled.

KI-Shield currently supports English as the interface language. AI responses can be in any language — this depends on your prompt.

The language setting can be found under Settings → Appearance → Language.

Note: The interface language affects menus, buttons and system messages. The chat itself is language-independent — you can communicate with the AI in any language.

KI-Shield offers three display modes:

Light Mode

Light background, ideal in daylight or bright rooms.

Dark Mode

Dark background, easier on the eyes in low light and saves battery on OLED displays.

System

Follows your operating system settings automatically.

You can switch at any time via the moon/sun icon in the top navigation bar or under Settings → Appearance.

Under Settings → Security → Active Sessions you see all devices on which you are currently logged in:

  • Device type — browser, operating system
  • IP address — approximate location
  • Last access — timestamp of the last activity
  • Created — when the session started

If you see an unknown device, click "Log out" next to the entry. The session is ended immediately.

Important: If you do not recognize a device, additionally change your password and activate 2FA.

With one click you can log out on all devices at once:

  1. Go to Settings → Security → Active Sessions
  2. Click "End all sessions"
  3. Confirm with your password

All sessions except your current one are ended immediately. Use this function when:

  • you have changed your password
  • you have lost a device
  • you notice suspicious activity
  • you have used a public device

Team & Organization

Team management for Business and Enterprise customers

As a team admin you can invite colleagues to your organization:

  1. Navigate to Settings → Team → Members
  2. Click "Invite member"
  3. Enter the email address and select a role (Admin, Member, Read-only)
  4. The invitee receives an email with an invitation link

The invitation link is valid for 7 days. You can resend or revoke unaccepted invitations at any time.

Note: The maximum team size depends on your plan. Business: up to 10 members, Enterprise: unlimited.

KI-Shield offers three roles for team members:

Role | Chat | API keys | Members | Billing
Admin
Member | Own
Read-only | Read

You can change roles under Settings → Team → Members. Click the member's name and select the new role.

Important: There must always be at least one admin in the organization. The last admin cannot be downgraded.

In the Business and Enterprise plans, admins can store team-wide API keys that all members use:

  1. Go to Settings → Team → API Keys
  2. Click "Add team key"
  3. Select the provider (OpenAI, Anthropic, Google, etc.)
  4. Paste the API key

Team keys take precedence over personal keys. Members can still store their own keys for other providers.

Advantages

Centralized cost control, uniform provider configuration, easier onboarding of new members.

Security

Team keys are stored encrypted. Members only see that a key is stored — not the key itself.

In the Business and Enterprise plans, all billing runs through one central account:

  • One invoice — All team members are billed through the admin account
  • Cost centers — Optionally you can assign members to cost centers
  • Budget limits — Set monthly limits per member or for the entire team
  • Billing address — Configurable centrally under Settings → Billing

Invoices are sent monthly by email to the admin and are available as PDF in the dashboard.

The admin dashboard gives team admins a central overview:

Team Overview

Active members, pending invitations, role overview.

Usage Statistics

API calls, token consumption and costs — total and per member.

Security overview

2FA status of all members, recent logins, suspicious activities.

Compliance

Audit log, PII detection statistics, data processing overview.

Under Admin Dashboard → Usage you see detailed statistics per member:

  • Requests — number of chat/API requests per week or month
  • Token consumption — input and output tokens broken down by model
  • Costs — estimated costs based on the provider pricing
  • PII detections — How many personal data items were detected by the protection filter
  • Model distribution — which AI models are used most often

All statistics can be exported as CSV. The export is available under Admin Dashboard → Usage → Export.

Tip: Use the statistics to identify unused member slots and make optimal use of your subscription.

Security

Account protection, access control and security policies

If you notice unusual activity in your account, act immediately:

  1. Change password — immediately under Settings → Security
  2. End all sessions — under Active Sessions → End All
  3. Activate 2FA — if not done yet
  4. Contact us — write to security@ki-shield.de

Signs of suspicious activity:

  • Unknown devices in the session list
  • API calls that you did not make
  • Changed settings without your doing
  • Unexpected emails about password changes

If you believe your account has been compromised, follow this emergency checklist:

1. Immediately: Change password

If you can still log in, change your password immediately. If not, use "Forgot password".

2. End all sessions

Under Settings → Security → End All Sessions.

3. Rotate API keys

Delete all stored provider keys and create new ones at the providers.

4. Contact support

Write to security@ki-shield.de — we will block the account immediately if needed.

In the Enterprise plan you can restrict access to specific IP addresses or IP ranges:

  1. Navigate to Settings → Security → IP Whitelist
  2. Add allowed IP addresses or CIDR ranges (e.g. 203.0.113.0/24)
  3. Enable the IP restriction

After activation, only users from the listed IPs can log in. API access is also filtered.

Important: Always add your current IP before you activate the restriction — otherwise you will lock yourself out.
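A pre-flight check an admin can run before clicking "Enable": it parses the allowlist entries as CIDR ranges and refuses to proceed if the current IP is not covered (the lock-out case above) or if an entry is so wide that it allows every address. This is an added example, not part of KI-Shield; the allowlist entries and IPs are constructed documentation addresses.

```python
"""Pre-flight checks for an IP allowlist (added example, not KI-Shield code).
Entries and addresses below are constructed (RFC 5737 documentation ranges)."""
import ipaddress


def parse_allowlist(entries):
    """Turn '203.0.113.0/24' or '198.51.100.7' into network objects.
    strict=False accepts host bits in a CIDR (e.g. 203.0.113.5/24)."""
    return [ipaddress.ip_network(raw.strip(), strict=False) for raw in entries]


def is_allowed(addr, nets):
    """True if the address falls inside any allowlisted range (v4/v6 aware)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)


def safe_to_enable(current_admin_ip, entries):
    """Return (ok, reason). Refuses an empty list, a wide-open range
    (prefix length 0 allows everything) and a list without the admin's own IP."""
    nets = parse_allowlist(entries)
    if not nets:
        return False, "allowlist is empty"
    for n in nets:
        if n.prefixlen == 0:
            return False, f"{n} allows every address"
    if not is_allowed(current_admin_ip, nets):
        return False, f"current IP {current_admin_ip} is not in the allowlist"
    return True, "ok"


if __name__ == "__main__":
    print(safe_to_enable("203.0.113.42", ["203.0.113.0/24", "198.51.100.7"]))
    print(safe_to_enable("198.51.100.9", ["203.0.113.0/24"]))
```

Run the check against the office egress address as seen by the server (the "IP address" column of the Active Sessions list), not the machine's private LAN address, since that is what the restriction will compare against.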

For security reasons, inactive sessions are ended automatically:

Plan | Inactivity timeout | Max. session duration
Free / Starter | 30 minutes | 24 hours
Professional | 60 minutes | 7 days
Business / Enterprise | Configurable | Configurable

In the Business and Enterprise plans, admins can adjust the timeout under Settings → Security → Session Policy.

KI-Shield enforces the following minimum requirements for passwords:

  • At least 12 characters
  • At least one upper-case and one lower-case letter
  • At least one number
  • At least one special character (!@#$%& etc.)
  • Must not appear in known data-breach lists (HaveIBeenPwned check)

Tip: Use a password manager and generate a random password with at least 16 characters. That is more secure than any "memorable" password.
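The policy above as executable rules, including the HaveIBeenPwned check done the privacy-preserving way: only the first five hex characters of the password's SHA-1 are sent to the range endpoint and the match is made locally. This is an added example, not KI-Shield's validator. The range lookup is injected so the block runs offline; the real service is https://api.pwnedpasswords.com/range/<prefix>, and the breached sample password and the fake range response are constructed.

```python
"""Password policy check with a k-anonymity breach lookup (added example,
not KI-Shield's validator). The HIBP range response is faked offline."""
import hashlib
import string

MIN_LENGTH = 12
SPECIAL = set("!@#$%&" + string.punctuation)  # "!@#$%& etc." from the policy


def is_breached(pw: str, range_lookup) -> bool:
    """k-anonymity: only the first 5 hex chars of SHA-1(pw) leave the client.
    range_lookup(prefix) returns text with one '<SUFFIX>:<count>' per line."""
    sha1 = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip() == suffix and int(count) > 0:
            return True
    return False


def check_password(pw: str, range_lookup=None) -> list:
    """Return the list of violated rules; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    if range_lookup is not None and is_breached(pw, range_lookup):
        problems.append("found in a known breach list")
    return problems


BREACHED_DEMO = "Password123!"  # constructed: passes the shape rules, "leaked"


def fake_range_lookup(prefix: str) -> str:
    """Constructed stand-in for the HIBP range response (never hits the network)."""
    sha1 = hashlib.sha1(BREACHED_DEMO.encode("utf-8")).hexdigest().upper()
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:3"]  # unrelated constructed suffix
    if sha1[:5] == prefix:
        lines.append(f"{sha1[5:]}:12345")
    return "\n".join(lines)
```

The ordering matters for the breach check: shape rules run first and cost nothing, and the remote lookup (with a network round trip) is only needed for passwords that already pass them.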

KI-Shield processes sensitive data — from personal information to confidential business documents. Two-factor authentication (2FA) is therefore mandatory from the Professional plan upwards.

What 2FA protects against

  • Stolen passwords — Even if your password appears in a data breach, nobody can access your account without the second factor
  • Phishing — An intercepted password alone is not enough
  • API key theft — Without login access, stolen keys cannot be swapped for new ones

Supported 2FA methods

  • TOTP app — Google Authenticator, Authy, 1Password, Bitwarden (recommended)
  • Recovery codes — 10 one-time codes as backup, store them securely

Setup: Settings → Security → Two-Factor Authentication → Enable.

Troubleshooting & Common Problems

Solutions for the most common error messages and problems

This error message appears when the stored API key is rejected by the provider. Common causes:

Key expired or revoked

Check in the provider's dashboard (OpenAI, Anthropic etc.) whether the key is still active.

Copy-paste error

Spaces at the beginning or end? Delete the key in KI-Shield and add it again.

Wrong provider selected

An OpenAI key does not work in the Anthropic field and vice versa. Check the mapping.

Credit exhausted

Some providers deactivate keys when credit runs out. Check billing at the provider.

KI-Shield works on the BYOK principle (Bring Your Own Key). You need at least one API key from an AI provider:

  1. Go to Settings → API Keys
  2. Click "Add Provider"
  3. Select a provider (e.g. OpenAI, Anthropic, Google)
  4. Paste your API key

Once a key is stored, the message disappears and you can use the chat.

Tip: Detailed guides on creating API keys can be found in the category "Setting up AI providers (BYOK)".

Rate limits can apply at two levels:

Level | Cause | Solution
KI-Shield | Too many requests per minute (plan-dependent) | Wait 60 seconds or upgrade your plan
Provider | Your API key has reached the limit at the provider | Wait or request a higher tier at the provider

The Retry-After header in the response shows how long you need to wait. X-RateLimit-Remaining shows the remaining requests.

If the chat does not load or freezes, try these steps:

  1. Reload the page — Ctrl+Shift+R (hard reload)
  2. Clear browser cache — Settings → Clear browsing data → Cache
  3. Test another browser — Chrome, Firefox or Edge (latest version)
  4. Disable extensions — Ad blockers or privacy extensions can block connections
  5. Check network — Firewalls or VPNs can block WebSocket connections

If the problem persists, open the browser console (F12 → Console) and send us a screenshot of the error messages.

If the confirmation email does not arrive:

  1. Check spam folder — Search for the sender noreply@ki-shield.de
  2. Check email address — Typo during registration?
  3. Resend — On the login page, click "Resend verification"
  4. Whitelist — Add ki-shield.de to your email provider's whitelist
  5. Wait — Some providers delay emails by up to 15 minutes

If it still has not worked after 30 minutes, contact us at info@ki-shield.eu.

TOTP codes are time-based and only valid for 30 seconds. Common causes of invalid codes:

  • Wrong time — Make sure the time on your smartphone is synchronized automatically (Settings → Date & Time → Automatic)
  • Wrong account — Check that you are reading the code for the correct KI-Shield account
  • Code expired — Wait for the next code and enter it immediately

If nothing helps, use one of your recovery codes. You received these during 2FA setup. Each code is valid only once.

All recovery codes used up? Contact info@ki-shield.eu with proof of identity — we will reset 2FA manually.
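Why a phone whose clock is off produces "invalid" codes becomes concrete with the algorithm itself. The block below is an added example implementing RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits); it is not KI-Shield's 2FA implementation, and the secret and timestamps are the published RFC 4226/6238 test values, not real credentials. `accepted_with_skew` shows that a clock a few seconds off still works because servers usually accept one step either side, while minutes of drift do not.

```python
"""RFC 6238 TOTP (added example, not KI-Shield's 2FA code). Secret and times
are the RFC test values; a ±1-step verification window is assumed."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30      # seconds per code, as stated above
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int = None, step: int = STEP) -> str:
    """The code an authenticator app shows at Unix time `at`."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step)


def verify(secret: bytes, code: str, at: int = None, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (clock-drift tolerance)."""
    at = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, at + k * STEP), code)
               for k in range(-window, window + 1))


def accepted_with_skew(secret: bytes, server_time: int, phone_skew: int,
                       window: int = 1) -> bool:
    """Would the code shown on a phone whose clock is off by `phone_skew`
    seconds be accepted by a server at `server_time`?"""
    return verify(secret, totp(secret, server_time + phone_skew), server_time, window)


def secret_from_base32(text: str) -> bytes:
    """The shared secret in the setup QR code is base32; pad to a multiple of 8."""
    s = text.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


RFC_SECRET = b"12345678901234567890"  # RFC 4226/6238 test secret, not a real key
```

The same arithmetic explains the "Code expired" advice: a code read at the end of its 30-second step is already one step old by the time it is typed, which the window tolerates, but waiting any longer pushes it out of the window.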

If a payment fails, check:

  • Card details — Has the card expired? Is the address correct?
  • Credit/limit — Is there enough credit or credit limit?
  • 3D Secure — Was the payment confirmation in the banking app rejected or overlooked?
  • Country block — Some banks block international payments — contact your bank

KI-Shield automatically retries failed payments after 3 and 7 days. Your account remains active during this time.

Store an alternative payment method: Settings → Billing → Payment Method.

If the export of chat histories or audit logs fails:

  1. Disable pop-up blocker — The download may open a new window
  2. File size — Very long chat histories may take a few seconds. Wait until the download starts
  3. Update browser — Make sure you are using a current browser
  4. Permissions — In the Free plan, the export is limited to the last 7 days

Supported formats: PDF, CSV, JSON and Markdown.

Occasionally an AI provider returns an empty or incomplete response. Possible causes:

  • Content filter — The provider classified the request or response as inadmissible
  • Token limit — The response was cut off because the context window was full
  • Provider outage — Temporary problems with the AI provider
  • Timeout — The request took too long (see article 130)

Solution: Send the message again. If the problem recurs, temporarily switch the model under Chat → Change model.

Responses can take up to 120 seconds for complex prompts or large contexts. If you get a timeout:

  • Shorten the prompt — Reduce the input length or split the task into smaller steps
  • Faster model — Smaller models (e.g. GPT-4o-mini, Claude Haiku) respond faster
  • Enable streaming — In the chat, streaming is used automatically. Via the API, send "stream": true

The timeout value depends on the plan: Free 60s, Professional 120s, Business/Enterprise 300s.

KI-Shield is tested and supported for the following browsers:

Browser | Minimum version | Status
Chrome / Chromium | 90+ | Full
Firefox | 95+ | Full
Safari | 15+ | Full
Edge | 90+ | Full
Internet Explorer | – | Not supported

Recommendation: Always use the latest version of your browser for optimal security and compatibility.

KI-Shield is fully responsive and works on smartphones and tablets:

  • Chat — Optimized touch controls, fullscreen mode available
  • Dashboard — All functions also accessible on mobile
  • Verification portal — The QR code scanner uses the smartphone camera directly

For the best experience we recommend a screen width of at least 375px (iPhone SE and larger).

Tip: Add KI-Shield to your home screen as a web app — it then opens like a native app without the browser bar.

Some functions are only available in higher plans. Frequently restricted features:

Feature | Available from
API access (B2B) | Professional
Zero-Knowledge mode | Professional
Audit log export | Professional
Team management | Business
IP whitelist | Enterprise
Custom SSO (SAML) | Enterprise

You can upgrade at any time under Pricing. The change takes effect immediately; the difference is charged pro rata.

The DEK (Data Encryption Key) is needed for end-to-end encryption in Zero-Knowledge mode. This error message means:

  • Session expired — The DEK is derived per session in the browser. Log in again
  • Browser storage deleted — If you deleted cookies or LocalStorage, the DEK must be derived again
  • Different device — The DEK is device-specific. On a new device it is generated again automatically

Solution: Log out and back in. The DEK is derived automatically from your password (HKDF). Your encrypted data remains intact.
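HKDF, the derivation named above, written out from RFC 5869 as an added example (this is not KI-Shield's key-derivation code). The test values are RFC 5869 test case 1. How the DEK inputs are wired in `derive_dek` is an assumption that mirrors the bullets: the password as input keying material, a device-specific salt (so another device yields a different key) and a fixed info label; the label string and the 32-byte output length are invented for the example.

```python
"""HKDF (RFC 5869) and an assumed DEK derivation (added example, not
KI-Shield code). The info label and output length are illustrative."""
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, h=hashlib.sha256) -> bytes:
    """PRK = HMAC(salt, IKM); an empty salt means a zero-filled hash-length salt."""
    if not salt:
        salt = b"\x00" * h().digest_size
    return hmac.new(salt, ikm, h).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, h=hashlib.sha256) -> bytes:
    """OKM = T(1) | T(2) | ... with T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * h().digest_size:
        raise ValueError("requested length too large for HKDF")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), h).digest()
        okm += t
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


DEK_INFO = b"ki-shield dek v1 (assumed label)"  # assumption, not a real constant


def derive_dek(password: str, device_salt: bytes, length: int = 32) -> bytes:
    """Assumed construction: password as IKM, a random per-device salt binding
    the key to the device, a fixed info label separating this use of the
    secret from any other."""
    return hkdf(device_salt, password.encode("utf-8"), DEK_INFO, length)
```

One caveat for anyone building on this: HKDF is deliberately fast and offers no protection against guessing. When the input keying material is a user password rather than a high-entropy secret, run it through a password hash (Argon2id, scrypt or at least PBKDF2 with a high iteration count) first and feed that output into HKDF.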

The HTTP status code 402 means that a payment or an API key is required for the requested action. Possible causes:

No API key stored

You must store at least one provider key under Settings → API Keys before you can use the chat.

Provider credit empty

Your credit at the AI provider (e.g. OpenAI) is exhausted. Top it up in the provider dashboard.

Plan limit reached

You have reached the monthly request limit of your KI-Shield plan. Upgrade or wait until the next billing period.

Privacy & Legal

GDPR, legal bases and data subject rights

Our complete privacy policy can be found at ki-shield.de/datenschutz. The most important points:

  • Controller: KI-Shield UG (limited liability), Managing Director: Johanna Bringezu, Germany
  • Legal basis: Art. 6 para. 1 lit. b GDPR (performance of contract) and Art. 6 para. 1 lit. f GDPR (legitimate interest)
  • Data processing: Only the minimum necessary for operation
  • No disclosure: Your data is not sold to third parties or used for advertising purposes

For questions about data protection, contact privacy@ki-shield.eu.

The complete legal notice can be found at ki-shield.de/impressum.

KI-Shield is a product of KI-Shield UG (limited liability) based in Germany. All legally relevant information (address, contact, VAT ID) can be found on the legal notice page.

The general terms and conditions can be found at ki-shield.de/agb. Key points:

  • Conclusion of contract — by registration and confirmation of the email address
  • BYOK principle — KI-Shield provides the platform, you bring your own API keys
  • Cancellation — possible at any time at month end, no minimum term
  • Liability — KI-Shield is not liable for the content of AI responses; these are generated by the respective provider
  • Availability — Target availability of 99.5% (SLA individually negotiable in the Enterprise plan)

All KI-Shield servers are located in Germany:

Hosting provider

Hetzner Online GmbH — data centers in Nuremberg and Falkenstein, certified to ISO 27001.

Data processing

Your data (profile, settings, audit logs) is stored and processed exclusively on German servers.

AI providers (third parties)

AI requests are forwarded to the provider you selected (OpenAI, Anthropic etc.). Their servers may be located outside the EU — the data protection policies of the respective provider apply there.

Important: In Zero-Knowledge mode, your data is encrypted before being passed to the provider — the provider sees no plaintext data.

In the BYOK model, you decide yourself which AI provider processes your data. KI-Shield only forwards requests to the providers you have configured:

Provider | Headquarters | DPA available
OpenAI | USA | Yes (Enterprise)
Anthropic | USA | Yes
Google (Gemini) | USA/EU | Yes
Mistral | France (EU) | Yes

For maximum data protection we recommend Zero-Knowledge mode — personal data is then replaced by placeholders before being passed to the provider.

You have the right to receive your data in a structured, commonly used and machine-readable format:

  • Chat history — Export as JSON or CSV via Dashboard → Chats → Export all
  • Profile data — Export via Settings → Account → Export data
  • Audit logs — Export as CSV via the audit dashboard

The complete data export is provided within 72 hours and delivered by email. For manual requests: privacy@ki-shield.eu.

Under Art. 15 GDPR you have the right to know which data we store about you. The following categories are processed:

  • Master data — name, email address, registration date
  • Usage data — login timestamps, features used, API calls (anonymized)
  • Billing data — payment method (tokenized), billing address, plan
  • Chat data — In Zero-Knowledge mode only encrypted; in standard mode, chats are stored according to your retention settings

Submit a data access request: Send an email to privacy@ki-shield.eu with the subject "Data access request". Response within 30 days.

You can request the complete deletion of your account and all data at any time:

  1. Self-service: Settings → Account → Delete account — immediate deletion after confirmation
  2. By email: Request to privacy@ki-shield.eu — deletion within 30 days

What is deleted:

  • Profile and master data
  • All chat histories
  • API keys (are invalidated immediately)
  • Audit logs (after expiry of statutory retention periods)

Note: Invoice data must be retained for 10 years for tax reasons (HGB §257). It is deleted automatically after this period.

Overview of retention periods at KI-Shield:

Data type | Retention | Reason
Chat history | Per your settings (7–365 days) | User preference
Audit logs | 1 year (standard), up to 7 years (Enterprise) | Compliance
Invoice data | 10 years | HGB §257, AO §147
Server logs | 90 days | Security & debugging
Deleted accounts | 30 days (soft delete), then permanent | Prevent accidental deletion

In Zero-Knowledge mode, chat contents are stored only in encrypted form — even during the retention period they are not readable for KI-Shield.

Model-Specific

AI models compared — costs, strengths and use cases

Choosing the right model depends on your task:

Everyday questions & summaries

GPT-4o-mini, Claude Haiku, Gemini Flash — fast and inexpensive.

Complex analyses & reasoning

GPT-4o, Claude Sonnet, Gemini Pro — best value for money.

Maximum quality

Claude Opus, GPT-4.5 — for the most demanding tasks, higher costs.

Code generation

Claude Sonnet, GPT-4o — excellent for programming tasks.

Image analysis

GPT-4o, Claude Sonnet, Gemini Pro — can understand and describe images.

Property | GPT-4o | Claude Sonnet | Gemini Pro
Provider | OpenAI | Anthropic | Google
Context window | 128K tokens | 200K tokens | 1M tokens
Multimodal | Text + image | Text + image | Text + image + video
Strength | All-rounder | Nuanced reasoning | Large context
Speed | Fast | Fast | Very fast
German | Very good | Very good | Good

Tip: With KI-Shield you can configure multiple providers simultaneously and switch models in the chat depending on the task.

The context window determines how much text a model can "see" at once — i.e. your input plus the previous conversation plus the response.

What is a token?

A token corresponds to approx. 3–4 characters in German (approx. ¾ of a word). 1,000 tokens ≈ 750 words.

Context sizes at a glance

Model | Context | Corresponds to approx.
GPT-4o-mini | 128K | ~300 pages
GPT-4o | 128K | ~300 pages
Claude Sonnet/Opus | 200K | ~500 pages
Gemini Pro | 1M | ~2,500 pages

When the context window is full, older messages are removed from the context. Start a new conversation if needed.

Costs are billed directly from your provider account (BYOK). KI-Shield charges no additional token fees.

Model | Input / 1M tokens | Output / 1M tokens
GPT-4o-mini | $0.15 | $0.60
GPT-4o | $2.50 | $10.00
Claude Haiku | $0.80 | $4.00
Claude Sonnet | $3.00 | $15.00
Gemini Flash | $0.075 | $0.30

Prices as of 2025, without guarantee. Current prices can be found on the websites of the respective providers.

Tip: In the KI-Shield dashboard, under Usage you see an estimate of your monthly provider costs.
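The token rule, the price table and the "older messages are removed" behaviour from the two passages above, as an added example (not KI-Shield's billing or chat code). The 4-characters-per-token estimate and the per-million prices are the figures stated above; the trimming policy (drop the oldest non-system messages first, always keep the system prompt) is an assumption about how a client would behave, and the conversation is constructed.

```python
"""Token/cost estimation and context-window trimming (added example, not
KI-Shield code). Prices are the 2025 figures from the table above; the
trimming policy is an assumption."""

PRICES_PER_1M = {  # USD per 1M tokens: (input, output)
    "gpt-4o-mini": (0.15, 0.60),
    "gpt-4o": (2.50, 10.00),
    "claude-haiku": (0.80, 4.00),
    "claude-sonnet": (3.00, 15.00),
    "gemini-flash": (0.075, 0.30),
}
CONTEXT_TOKENS = {"gpt-4o-mini": 128_000, "gpt-4o": 128_000,
                  "claude-sonnet": 200_000, "gemini-pro": 1_000_000}


def estimate_tokens(text: str) -> int:
    """Rough rule from the text: one token is about 4 characters (German prose)."""
    return max(1, -(-len(text) // 4))  # ceiling division


def estimate_cost(model: str, input_tokens: int, output_tokens: int) -> float:
    """USD for one request at the listed per-million prices."""
    price_in, price_out = PRICES_PER_1M[model]
    return round(input_tokens * price_in / 1e6 + output_tokens * price_out / 1e6, 6)


def conversation_tokens(messages: list) -> int:
    return sum(estimate_tokens(m["content"]) for m in messages)


def trim_to_context(messages: list, max_tokens: int) -> list:
    """Drop the oldest non-system messages until the history fits.
    The system prompt is always kept; raises if even system prompt plus the
    newest message exceed the window."""
    system = [m for m in messages if m["role"] == "system"]
    rest = [m for m in messages if m["role"] != "system"]
    while rest and conversation_tokens(system + rest) > max_tokens:
        if len(rest) == 1:
            raise ValueError("newest message alone exceeds the context window")
        rest.pop(0)
    return system + rest


def resend_cost_per_turn(messages: list, model: str, answer_tokens: int = 300) -> float:
    """What one more turn costs: the whole history is re-sent as input every time,
    which is why long chats and long system prompts add up."""
    return estimate_cost(model, conversation_tokens(messages), answer_tokens)


# Constructed conversation: a short system prompt and five long user turns.
DEMO_MESSAGES = [{"role": "system", "content": "s" * 40}] + [
    {"role": "user", "content": "u" * 400} for _ in range(5)]
```

`resend_cost_per_turn` makes the "start a new conversation" advice measurable: the same question costs more with every turn because the entire history is counted as input again.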

Multimodal models can analyze images in addition to text. In the KI-Shield chat you can attach images via drag & drop or via the upload icon.

Supported formats

PNG, JPEG, GIF, WebP — max. 20 MB per image.

Use cases

  • Read out documents and invoices (OCR)
  • Analyze and describe screenshots
  • Interpret charts and graphics
  • Recognize handwriting

Important: PII protection also applies to images — KI-Shield detects personal data in uploaded images and masks it before it is passed to the provider.

For programming tasks we recommend:

Use case | Recommended model
Quick code snippets | GPT-4o-mini, Claude Haiku
Complex algorithms | Claude Sonnet, GPT-4o
Code review & refactoring | Claude Sonnet, Claude Opus
Understanding large codebases | Gemini Pro (1M context)

Tip: Claude models are particularly strong at adhering to coding conventions and tend to generate cleaner, better-documented code.

For creative texts, marketing content and storytelling:

  • Claude Opus / Sonnet — Particularly natural, nuanced writing style. Ideal for longer texts and a differentiated tone
  • GPT-4o — Versatile, good for structured content like blog articles, newsletters and social media posts
  • GPT-4o-mini — Fast and inexpensive for first drafts and brainstorming

For optimal results, give the model clear instructions about tone, target audience and length — e.g.: "Write a 300-word blog article about data protection. Tone: professional but accessible. Target audience: SME executives."

For the analysis of data, tables and figures:

  • Gemini Pro — Thanks to the 1M token context, ideal for large datasets. Can process entire CSV files at once
  • Claude Sonnet — Very precise in mathematical calculations and logical reasoning
  • GPT-4o — Good all-rounder for data visualization suggestions and SQL queries

Tips for data analysis in the chat

  • Paste data as a table (Markdown or CSV) into the chat
  • Be specific: "Calculate the median of the Revenue column" instead of "Analyze the data"
  • Use PII protection when the data contains personal information

Advanced Usage

Power-user functions, prompt engineering and optimization

System prompts define the behavior and role of the AI for an entire conversation. Here is how to create your own:

  1. Go to Settings → Chat → System Prompt
  2. Click "New prompt"
  3. Enter a name and the prompt text
  4. Save and activate in chat as default or by selection

Example: Legal assistant

You are a legal specialist assistant for German law.
Answer precisely, cite relevant paragraphs.
Always point out that your answers do not
replace legal advice.

Tip: Keep system prompts short and precise (under 500 words). Prompts that are too long consume tokens and can degrade quality.

With these techniques you get more out of every AI request:

1. Be specific

Instead of "Explain GDPR", better: "Explain the legal bases under Art. 6 GDPR for an online shop that sends newsletters."

2. Give context

Describe your role, target audience and the purpose of the response.

3. Define the format

"Answer as a list", "Create a table", "Maximum 3 sentences".

4. Use examples

Show the AI an example of the desired output — this significantly improves quality.

5. Iterate

Refine your request step by step: "That's good, but make it more formal" or "Shorten the second paragraph".

This is how you reduce your token consumption and save costs:

  • Start a new conversation — Long chat histories send the entire context again with every message. Start new topics in new chats
  • Smaller model for simple tasks — GPT-4o-mini or Claude Haiku for routine questions, large models only when needed
  • Precise prompts — The clearer your request, the fewer follow-up questions and correction rounds
  • Limit response length — "Answer in maximum 3 sentences" saves output tokens
  • Keep the system prompt short — Every token in the system prompt is sent with every message

The KI-Shield B2B API supports batch processing for the automated handling of many requests:

POST /v1/batch
Content-Type: application/json
Authorization: Bearer <API-KEY>

{
  "requests": [
    { "model": "gpt-4o", "messages": [...] },
    { "model": "gpt-4o", "messages": [...] }
  ]
}

Limits

  • Maximum 100 requests per batch
  • Rate limit: 10 batches per minute
  • Results are provided asynchronously (webhook or polling)

PII detection and Zero-Knowledge encryption are also applied to batch requests.

In the Professional plan and higher you can configure PII detection at a fine-grained level:

  1. Navigate to Settings → Privacy → PII Rules
  2. Activate/deactivate individual categories
  3. Select the action per category: mask, pseudonymize or block

Available PII categories

• Names (persons)
• Email addresses
• Phone numbers
• Addresses / postal codes
• IBAN / bank details
• Tax numbers
• Social security numbers
• Dates of birth
• Credit card numbers
• IP addresses
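What the three actions (mask, pseudonymize, block) do to a message, and why "replaced by placeholders before being passed to the provider" from the Zero-Knowledge section still lets the model answer usefully, as an added example. This is not KI-Shield's detector: it is a toy rule engine covering four of the categories above with deliberately simple regular expressions (a production detector also handles names, dates of birth, and validation such as IBAN checksums). The sample text, the rules and the pseudonymisation key are constructed.

```python
"""Toy PII rule engine with mask / pseudonymize / block actions (added example,
not KI-Shield's detector). Regexes are simplified; sample data is constructed."""
import hashlib
import re

DETECTORS = {  # category -> pattern; four of the categories listed above
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b"),
    "ip": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone": re.compile(r"\+\d{1,3}[ \d]{7,14}\d"),
}


class Blocked(Exception):
    """Raised when a category configured as 'block' is found: nothing is sent."""


def apply_rules(text: str, rules: dict, secret: bytes = b"pseudonym-key (constructed)"):
    """rules: {category: "mask" | "pseudonymize" | "block" | "off"}.
    Returns (rewritten_text, findings); findings is a list of (category, original)."""
    findings = []

    def make_sub(category, action):
        def sub(match):
            original = match.group(0)
            findings.append((category, original))
            if action == "block":
                raise Blocked(category)
            if action == "mask":
                return f"[{category.upper()}]"
            # pseudonymize: keyed hash so the same value always maps to the same
            # placeholder (the model can still tell two IBANs apart) without
            # revealing the value; the key never leaves the client.
            tag = hashlib.blake2b(original.encode("utf-8"), key=secret,
                                  digest_size=4).hexdigest()
            return f"[{category.upper()}_{tag}]"
        return sub

    out = text
    for category, action in rules.items():
        if action == "off":
            continue
        out = DETECTORS[category].sub(make_sub(category, action), out)
    return out, findings


def is_blocked(text: str, rules: dict) -> bool:
    try:
        apply_rules(text, rules)
    except Blocked:
        return True
    return False


# Constructed sample message and rule set.
SAMPLE_TEXT = ("Contact anna@example.com or +49 30 1234567, "
               "IBAN DE89 3704 0044 0532 0130 00, from 203.0.113.5.")
SAMPLE_RULES = {"email": "mask", "iban": "pseudonymize", "ip": "mask", "phone": "off"}
```

With the sample rules the phone number passes through unchanged (category off), the email and IP become fixed placeholders, and the IBAN becomes a stable pseudonym; switching any category to "block" stops the request before anything is sent.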

you can beliebig viele Provider gleichzeitig in KI-Shield configure and zwischen ihnen wechseln:

  • Im Chat: Click the Modellnamen oben im Chat-Fenster and select you a anderes Modell — also mitten in of a conversation
  • Über the API: Enter the desirede Modell im model-Feld an — KI-Shield routet automatically zum richtigen Provider

Fallback-configuration

In the Business plan you can configure a fallback provider: If the primary provider is not reachable, the request is automatically an the Fallback forwarded.

Einrichtung: Settings → API-Keys → Fallback-Reihenfolge.

KI-ShieldCam (Mobile App)

The zero-knowledge camera for verifiable photos

KI-ShieldCam is an iOS app that cryptographically certifies photos at the moment they are taken. Each photo receives:

  • SHA-256 hash — Unique fingerprint that reveals any manipulation
  • Blockchain entry — Tamper-proof timestamp in the KI-Shield Trust Chain
  • QR code — Embedded in the metadata, leads directly to verification
  • PII redaction — Optionally, faces, license plates and other personal data are masked automatically

Use cases: evidence preservation, documentation, expert reports, insurance claims, journalistic work.

KI-ShieldCam is available as a free iOS app:

App Store (recommended)

Search for "KI-Shield" in the App Store or use the direct link on ki-shield.de/shieldcam.

TestFlight (Beta)

For access to the beta version with the latest features contact us at info@ki-shield.eu.

System requirements

  • iOS 17.0 or newer
  • iPhone or iPad with camera
  • Also available as a Mac app (Apple Silicon)

On first launch, KI-ShieldCam asks for the following permissions:

  • Camera — For taking photos (required)
  • Photo library — For saving certified photos (recommended)
  • Network — For blockchain registration on the KI-Shield server

If you accidentally denied a permission:

  1. Open the iOS Settings
  2. Scroll to KI-Shield
  3. Enable the desired permissions

Live redaction masks personal content while the photo is being taken, before the photo is stored:

On-device AI

Detection runs entirely on your device (Core ML). No data is sent to a server for detection.

Detected categories

Faces, license plates, screen contents, ID documents, depending on configuration.

Irreversible

Masking happens before saving. The original photo with unpixelated data never exists on the device at any point in time.

This is the zero-knowledge approach: neither KI-Shield nor the user can restore the masked areas.

In the app settings you choose which PII categories are masked automatically:

Category        Default  Description
Faces           On       All detected faces are pixelated
License plates  On       Vehicle license plates are made unrecognizable
Screens         Off      Monitors and smartphone displays in the picture
ID documents    Off      Identity cards, passports, driver's licenses

Settings: Open the app → gear icon → Privacy → PII categories.

There are three ways to verify a KI-ShieldCam photo:

1. In the App

Open the photo in the app gallery and tap "Show certificate". You will see the status, timestamp, hash and chain position.

2. In the verification portal

Upload the photo at ki-shield.de/shieldcam. The hash is calculated locally and compared against the Trust Chain.

3. Via QR code

Scan the embedded QR code with any camera app; you are forwarded directly to the verification result.

Tip: Send business partners the link to the verification portal together with the photo, so they can check its authenticity themselves.

Every photo taken with KI-ShieldCam contains a QR code in the EXIF metadata:

Format

KISHIELDPIC|v3|<sha256-hash>

  • KISHIELDPIC — Identifies the photo as KI-ShieldCam-certified
  • v3 — Protocol version (current: v3)
  • Hash — SHA-256 fingerprint of the original photo

QR code download

In the app you can also export the QR code as a separate image, which is practical if you want to place the code on a document or a web page.

As soon as you take a photo, the following happens in fractions of a second:

  1. Calculate hash — The SHA-256 of the photo is calculated on the device
  2. Send to server — Only the hash (64 characters) is transmitted, not the photo
  3. Chain entry — The server creates a new entry in the Trust Chain with a timestamp and a reference to the previous entry
  4. Confirmation — The app receives the chain position and displays the certificate

Because of the chaining (each entry references the previous one), retroactive manipulation is ruled out, similar to a classic blockchain but more efficient and without mining.

Important: The photo itself is never transmitted to the server. KI-Shield knows only the hash; that is true zero knowledge.
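The four steps above and the chaining property, as an added example that is not KI-Shield's code. The client side hashes the photo bytes and hands over only the 64-character digest; the server side appends an entry that commits to that digest, a timestamp and the previous entry. The record layout, the genesis value and the canonical-JSON entry digest are assumptions for this example; the real Trust Chain's internal format is not described on the page.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # assumed "previous" value of the first entry


def photo_hash(photo_bytes):
    """Step 1: SHA-256 of the photo, computed where the photo is (on the device)."""
    return hashlib.sha256(photo_bytes).hexdigest()


def entry_digest(entry):
    """Digest over the committed fields of an entry (canonical JSON, assumed layout)."""
    canonical = json.dumps({k: entry[k] for k in ("index", "hash", "timestamp", "prev")},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


class TrustChain:
    """Server-side chain: each entry commits to the photo hash, a timestamp and the previous entry."""

    def __init__(self):
        self.entries = []

    def append(self, sha256_hex, timestamp=None):
        """Step 3: create a new entry that references the previous one; returns the entry."""
        if len(sha256_hex) != 64 or any(c not in "0123456789abcdef" for c in sha256_hex):
            raise ValueError("expected a 64-character lowercase hex SHA-256 digest")
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {"index": len(self.entries), "hash": sha256_hex,
                 "timestamp": timestamp if timestamp is not None else int(time.time()),
                 "prev": prev}
        entry["entry_hash"] = entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every link; returns (True, None) or (False, index of the first bad entry).
        Changing any field of an entry breaks its own digest; re-digesting it breaks the next link."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if (entry["index"] != i or entry["prev"] != prev
                    or entry["entry_hash"] != entry_digest(entry)):
                return False, i
            prev = entry["entry_hash"]
        return True, None

    def lookup(self, sha256_hex):
        """Verification: is this digest registered? A single changed pixel gives a different digest."""
        return next((e for e in self.entries if e["hash"] == sha256_hex), None)


def certify(photo_bytes, chain, timestamp=None):
    """Steps 2 and 4: only the digest crosses to the server; the chain position comes back."""
    digest = photo_hash(photo_bytes)
    entry = chain.append(digest, timestamp)
    return {"hash": digest, "chain_position": entry["index"], "timestamp": entry["timestamp"]}


if __name__ == "__main__":
    chain = TrustChain()
    for photo in (b"constructed photo 1", b"constructed photo 2"):  # stand-ins for JPEG bytes
        print(certify(photo, chain))
    print(chain.verify())
```

What the chain does not give you on its own is proof that the server did not simply rewrite the whole history; that is what anchoring in a public ledger and an independent RFC 3161 timestamp add in the layered stack described further down.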

KI-ShieldVid (Video App)

Forensic video evidence preservation with blockchain anchoring

KI-ShieldVid is the video sibling of KI-ShieldPic. The iOS app enables forensic video evidence preservation: every recorded video is cryptographically certified and anchored in the Trust Chain.

What KI-ShieldVid offers

  • Frame forensics — Every single frame is included in the forensic chain of evidence
  • Hybrid cryptography — Ed25519 (classic) + ML-DSA-65 (post-quantum, FIPS 204)
  • RFC 3161 timestamp — Cryptographic timestamp from an independent authority
  • Polygon blockchain — Publicly verifiable on PolygonScan
  • QR code — Embedded in the video metadata for immediate verification

Use cases: accident recordings, construction documentation, police videos, insurance claims, journalistic work.

                 KI-ShieldPic                       KI-ShieldVid
Media type       Photos                             Videos
Formats          JPG, PNG, HEIC                     MP4, MOV, M4V, HEVC
Forensic level   Whole-image hash                   Frame-by-frame chain
PII redaction    Real time (faces, license plates)  In development
QR prefix        KISHIELDCAM                        KISHIELDVID
Verification     ki-shield.de/shieldcam             ki-shield.de/shieldvid
Security stack   Identical: SHA-256, Ed25519, ML-DSA-65, RFC 3161, hash chain, Polygon

Format  Container     Typical source
MP4     MPEG-4        Universal, all devices
MOV     QuickTime     iPhone, iPad, Mac
M4V     MPEG-4 Video  iTunes, Apple TV
HEVC    H.265         Modern iPhones (default format)

HEVC is supported natively by KI-ShieldVid; no conversion is necessary. Streaming hashing processes videos in 1 MB blocks, so even large files (several GB) are hashed without memory problems.

Videos are considerably larger than photos. KI-ShieldVid therefore uses streaming hashing:

  1. The video file is not loaded into memory in its entirety
  2. Instead, it is read in 1 MB blocks and fed piece by piece into the SHA-256 hasher
  3. A progress bar shows the processing status: "SHA-256 is being calculated… (128 / 512 MB)"
  4. At the end, the final hash is computed from all blocks

This method works with files of any size: even multi-hour 4K videos are hashed reliably without overloading memory.

Technical: The app uses CryptoKit SHA256 with FileHandle.readData(ofLength:) in a 1 MB buffer. The hash is identical to sha256sum on the command line.
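The streaming procedure above in Python, as an added example (the app itself is Swift with CryptoKit; this is not its code). It reads the file in 1 MiB blocks, reports progress after each block, and shows that the result is independent of the block size and equal to a whole-file hash, which is what sha256sum prints. The sample file content is constructed and written to a temporary file.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1 << 20  # 1 MiB, the block size named on the page


def stream_sha256(path, block_size=BLOCK_SIZE, progress=None):
    """SHA-256 of a file of any size, read block by block so memory use stays flat.
    `progress(done_bytes, total_bytes)` is called after every block; it drives the progress bar."""
    total = os.path.getsize(path)
    hasher = hashlib.sha256()
    done = 0
    with open(path, "rb") as fh:
        while True:
            block = fh.read(block_size)   # Python counterpart of FileHandle.readData(ofLength:)
            if not block:
                break
            hasher.update(block)
            done += len(block)
            if progress is not None:
                progress(done, total)
    return hasher.hexdigest()


def whole_file_sha256(path):
    """Reference: what sha256sum computes, reading the whole file at once (fine only for small files)."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def make_sample_file(size):
    """Write `size` bytes of constructed, deterministic content to a temp file; returns its path."""
    pattern = b"KI-ShieldVid sample frame data "
    data = (pattern * (size // len(pattern) + 1))[:size]
    fd, path = tempfile.mkstemp(suffix=".mp4")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def progress_text(done, total):
    """The status line shown in the app, in whole MB."""
    mb = 1 << 20
    return f"SHA-256 is being calculated... ({done // mb} / {total // mb} MB)"


if __name__ == "__main__":
    sample = make_sample_file(3 * BLOCK_SIZE + 12345)
    digest = stream_sha256(sample, progress=lambda d, t: print(progress_text(d, t)))
    print(digest, digest == whole_file_sha256(sample))
    os.remove(sample)
```

Because SHA-256 is a streaming construction, the block size only affects memory and progress granularity, never the digest; a verifier on another machine can use any block size, or sha256sum, and must obtain the same 64 hex characters.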

Unlike a simple file hash, KI-ShieldVid goes one step further: every single frame is included in the forensic chain of evidence.

Why is this important?

  • Manipulation protection — Individual frames cannot be removed, inserted or replaced unnoticed
  • Temporal order — The chronological sequence of the frames is cryptographically secured
  • Admissibility in court — Stronger evidential value than a simple file hash

In addition, the entire video is hashed as a unit and anchored in the Trust Chain, so both the complete file and the frame sequence are protected.

Videos can be verified at ki-shield.de/shieldvid using three methods:

1. Video upload

Drag the video into the upload area. The SHA-256 hash is calculated in the browser (streaming, no upload). A progress bar shows the status for large files.

2. Enter hash

Enter the 64-character SHA-256 hash directly if you already know it.

3. Enter QR code

Paste the QR code text. Format:

KISHIELDVID|v3|hash|sig|pubkey|idx|prev|txHash|pii

The portal automatically extracts the hash and checks it against the Trust Chain. On successful verification you see: timestamp, chain position, blockchain anchor (with a link to PolygonScan) and the public key.
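A parser for both QR payload formats on this page, the photo format (KISHIELDPIC|v3|<sha256-hash>) and the video format just shown, as an added example that is not the portal's code. It checks what can be checked offline (prefix, protocol version, field count, hash syntax, integer chain index) and leaves signature, chain and blockchain checks to the portal. The page lists the photo prefix once as KISHIELDPIC and once as KISHIELDCAM, so both are accepted; the https scheme on the portal URLs and the field names used for the dict keys are assumptions.

```python
HEX_DIGITS = set("0123456789abcdef")

# Prefixes as given on this page; the photo prefix appears in two spellings.
PHOTO_PREFIXES = {"KISHIELDPIC", "KISHIELDCAM"}
VIDEO_PREFIX = "KISHIELDVID"
VIDEO_FIELDS = ("hash", "sig", "pubkey", "idx", "prev", "txHash", "pii")  # order from the page
PORTALS = {"photo": "https://ki-shield.de/shieldcam", "video": "https://ki-shield.de/shieldvid"}


class QRFormatError(ValueError):
    """The text is not a well-formed KI-Shield QR payload."""


def is_sha256_hex(value):
    return len(value) == 64 and set(value.lower()) <= HEX_DIGITS


def parse_qr_payload(text):
    """Split PREFIX|v3|... into a dict and validate everything that needs no server.
    Signature, chain membership and the blockchain anchor are verified by the portal."""
    parts = text.strip().split("|")
    if len(parts) < 3:
        raise QRFormatError("expected at least PREFIX|version|hash")
    prefix, version = parts[0], parts[1]
    if version != "v3":
        raise QRFormatError(f"unsupported protocol version {version!r}")
    if prefix in PHOTO_PREFIXES:
        if len(parts) != 3:
            raise QRFormatError("photo payload must have exactly 3 fields")
        payload = {"kind": "photo", "version": version, "hash": parts[2]}
    elif prefix == VIDEO_PREFIX:
        if len(parts) != 2 + len(VIDEO_FIELDS):
            raise QRFormatError(f"video payload must have {2 + len(VIDEO_FIELDS)} fields")
        payload = {"kind": "video", "version": version, **dict(zip(VIDEO_FIELDS, parts[2:]))}
        if not payload["idx"].isdigit():
            raise QRFormatError("chain index must be a non-negative integer")
        payload["idx"] = int(payload["idx"])
    else:
        raise QRFormatError(f"unknown prefix {prefix!r}")
    if not is_sha256_hex(payload["hash"]):
        raise QRFormatError("hash must be 64 hex characters (SHA-256)")
    payload["hash"] = payload["hash"].lower()
    payload["portal"] = PORTALS[payload["kind"]]
    return payload


def hash_matches(payload, sha256_hex):
    """Local check: does a digest you computed yourself match the one carried in the QR code?"""
    return payload["hash"] == sha256_hex.lower()


if __name__ == "__main__":
    # constructed payloads, not real certificates
    print(parse_qr_payload("KISHIELDPIC|v3|" + "a" * 64))
    print(parse_qr_payload("KISHIELDVID|v3|" + "b" * 64 + "|SIG|PUB|7|" + "c" * 64 + "|0xtx|faces"))
```

A QR code is just text, so anyone can print one with an arbitrary hash; `hash_matches` plus the portal's chain lookup is what ties the code to the file you are actually holding.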

KI-ShieldVid offers a monthly video quota that is tied to your subscription:

  • Each certified video counts against your monthly quota
  • The quota is reset automatically at the beginning of the month
  • The counter is tied to your Apple ID via iCloud; uninstalling the app does not reset it
  • In the app you can see the remaining videos at any time under Settings → Quota

If the quota is exhausted, you can still record videos but cannot perform new certifications. Upgrade your subscription for a higher quota.

Both TaaS products use an identical 7-layer security stack:

#  Layer                   Technology
1  Capture                 On-device RAM capture, PII redaction before storage
2  Hashing                 SHA-256 — unique fingerprint
3  Classic signature       Ed25519 — proves device origin
4  Post-quantum signature  ML-DSA-65 (FIPS 204) — quantum-resistant
5  Timestamp               RFC 3161 TSA — independent time proof
6  Hash chain              Sequential chaining of all evidence
7  Blockchain              Polygon PoS — publicly verifiable on PolygonScan

Through the BSI hybrid approach (classic + post-quantum), your evidence is also protected against future quantum computers.

Billing & Costs

Invoices, payment methods and cost overview

With KI-Shield there are two separate costs:

1. KI-Shield Subscription (monthly)

The platform fee for PII protection, zero knowledge, audit logs, dashboard etc. It is billed directly by KI-Shield. All plans can be found under Pricing.

2. Provider Costs (usage-based)

The token costs for the AI requests are billed directly by the provider (OpenAI, Anthropic etc.) via your own API key. KI-Shield receives nothing from this.

Advantage: With the BYOK model you have full transparency and control over your AI costs: no surcharge, no hidden fees.

              KI-Shield                                      AI provider
What          Platform subscription                          Token consumption
Model         Monthly flat rate                              Pay-per-use
Invoice from  KI-Shield UG                                   OpenAI, Anthropic etc.
Includes      PII protection, ZK, audit, dashboard, support  AI responses (tokens)
Cancellation  Any time at month end                          Any time (delete API key)

Example: With a Professional plan (29€/month) and moderate use of GPT-4o, approximately 5–15€/month in provider costs may apply.

Under Dashboard → Usage → Costs you will find an overview of your estimated expenses:

  • Daily view — Token consumption and estimated costs per day
  • Monthly overview — Total consumption with a trend comparison to the previous month
  • By model — Breakdown of how much each model costs
  • By member — In the Team plan: costs per team member

Note: The costs are estimates based on the providers' official token prices. The actual billing is done by the provider.

Protect yourself from unexpected costs with budget limits:

  1. Go to Settings → Billing → Budget
  2. Set a monthly limit (e.g. 50€)
  3. Select the action when the limit is reached: Warn or Block

With the "Warn" option you receive an email at 80% and 100% of the limit but can continue working. With "Block", new requests are stopped until the next month begins or you increase the limit.

In the Team plan, admins can set limits per member.

All invoices are available as PDF:

  1. Navigate to Settings → Billing → Invoices
  2. Select the desired month
  3. Click "Download PDF"

The invoices contain:

  • Invoice number and date
  • Plan and term
  • Net amount, VAT (19%) and gross amount
  • Payment method and status

Invoices are also sent automatically by email to the stored billing address.

Under Settings → Billing → Payment method you can switch at any time:

Supported Payment Methods

Method                                Available from
Credit card (Visa, Mastercard, Amex)  All plans
SEPA direct debit                     Professional+
Invoice / bank transfer               Enterprise (on request)

The new payment method is used from the next billing onward. Outstanding amounts are still collected via the old method.

KI-Shield is fully deductible as a business expense:

  • VAT deduction — All invoices show German VAT (19%), which is eligible for input tax deduction
  • Business expense — The monthly fee is deductible as software costs / IT services
  • Billing address — Store your company address and VAT ID under Settings → Billing → Billing address

For EU customers outside Germany

With a valid VAT ID, the reverse charge procedure is applied (net invoice without German VAT).

Note: This is not tax advice. Consult your tax advisor for your individual situation.

Question not answered?

Contact us — we usually respond within 24 hours.

info@ki-shield.eu