01 / CORE · Personal-data vault

All PII in one secured vault.
Your applications work with tokens.

Instead of replicating passports, phone numbers and addresses across 40 systems, they live in a single vault. CRM, billing, BI, logs and backups exchange deterministic tokens. Original data never leaves the vault without an audit trail.

AES-256-GCMHSM-readyRBACOn-prem or cloudp99 < 12ms
POST api.provyn.cloud/v1/tokenize
› live · deterministic tokenizationp99 < 12ms

PII is scattered across dozens of systems -
and every one is in scope.

A single customer's phone number sits in CRM, billing, support, BI, logs and three generations of backups. Every copy is a potential breach. Every location is a separate audit.

The Provyn vault inverts the problem. PII is stored in one place - a secured boundary with HSM, audit and strict RBAC. Into every other system you put a token - an irreversible identifier you can store, transfer, join and analyze, but from which the original data cannot be recovered without explicit permission and an audit record.

Before ProvynWith Provyn
Where PII lives40+ systems1 vault
Compliance scopeentire stack1 component
Backups contain PIIyesno
Analytics sees PIIyesno
DSR (subject erasure request)manual sweep of every system1 API call
CRM breachincident, real PIItokens only

One API,
three operations,
full audit.

On the left - your systems. In the center - the Provyn API. On the right - the vault. Blue lines are tokens, flowing freely across your stack. White lines are PII, moving only between API and vault, with every access recorded.

YOUR SYSTEMS CRM · Sales Billing Analytics · BI Logs · backups PROVYN · API tokenize() detokenize() audit() token → ← PII (audited) VAULT · COMPLIANCE SCOPE AES-256-GCM · HSM On-prem / VPC / Cloud
01 / onboarding

Connect the SDK

An API key on staging, one library (provyn-sqlalchemy, provyn-django, @provyn/node). First token within 20 minutes of your first commit.

02 / tokenize

Tokenize on the way in

When a new record enters a system, the application calls POST /v1/tokenize with the PII fields. Provyn returns tokens with the same semantics - same domain, same format, deterministic.

03 / work

Work with tokens

Your application database holds tokens. SQL, joins, lookup by phone - everything works, because identical input produces an identical token. Analytics builds metrics on tokens. LLMs go through AI Proxy.

04 / detokenize

Detokenize when needed

When an operator needs to see PII, the application calls POST /v1/detokenize with a reason. Provyn returns the data and writes an audit record: who, when, why, IP.

05 / audit

Audit & RBAC

In the dashboard: how many tokens were created, who detokenized what, anomalies in access patterns. Append-only log, aligned with SOC 2 and ISO 27001 controls.

Infrastructure-grade
components, ready for production.

Encryption, HSM integration, deterministic tokens, RBAC, append-only audit, webhooks. Everything a CTO needs to sign off on the architecture.

01
AES-256-GCM + HSM
Per-tenant encryption keys. Master key in HashiCorp Vault Transit or an external HSM (Thales, Yubico). Keys never leave the HSM in plaintext.
02
Deterministic tokenization
Identical PII → identical token. JOIN on phone_token works, SELECT DISTINCT works, duplicate detection works - all without detokenization.
03
Format-preserving tokens
A card-number token is 16 digits. An email token looks like an email. Validators, regex and UI masks keep working.
04
Subject-ID tracking
Every token is bound to a subject_id. One API call erases all PII for a single subject (DSR / right-to-erasure).
05
Custom fields & types
PII fields are defined in the dashboard: phone, email, national_id, bank_card, address, medical_record, custom. Your own token format and rules.
06
Append-only audit log
Every operation is written immutably, HMAC-signed. Export to your SIEM (Splunk, ELK) out of the box.
07
RBAC + API keys
Scoped keys: tokenize-only, search-only, admin. IP allowlist. Rate limits per key.
08
Escrow & recovery
An encrypted backup under your own keys. In a disaster, self-service recovery with no dependency on Provyn.
09
Webhooks & events
Subscribe to token.created, token.detokenized, subject.deleted, audit.anomaly.

Production-ready.
No surprises in prod.

The numbers a CTO checks in the very first meeting: latency, throughput, HA, data residency.

EncryptionAES-256-GCM (per-tenant DEK via Vault Transit)
KeysHashiCorp Vault / external HSM / local fallback
ProtocolsREST (JSON), gRPC, GraphQL
Latency p50/p994 ms / 12 ms (localhost); +~100 ms RTT
Throughput230+ ops/s on tokenize · 300+ ops/s on detokenize
Bulk endpointPOST /v1/bulk/tokenize - up to 1000 records/request
SDKPython (sync + async), Node.js, Java, Go
ORM integrationsSQLAlchemy, Django ORM, Prisma, Sequelize
Data residencyMulti-region: EU / GCC / APAC / LATAM · on-prem
High availabilityActive-active PostgreSQL, Redis Sentinel, Vault HA
ComplianceGDPR · PDPL · PIPL · LGPD · SOC 2 · ISO 27001
python · provyn-sqlalchemy
# drop-in replacement for SQLAlchemy from provyn_sqlalchemy import Tokenized from sqlalchemy import Column, String class Contact(Base): id = Column(Integer, primary_key=True) name = Column(String) phone = Column(String, Tokenized()) email = Column(String, Tokenized()) # the rest of your app code stays the same. # SELECT by phone, WHERE email=... - # all work through tokens.

Already running
in production with real teams.

Four characteristic patterns - from legacy migration to multi-system architecture under a strict regulator.

Bank

CRM + billing + antifraud

17 systems, one customer. Before Provyn - 17 copies in scope. After: a vault plus tokens across all 17. The antifraud model receives a phone_token and still finds patterns - determinism preserves feature engineering.

Marketplace

Analytics + LLM

100M+ contacts in BigQuery. PII cannot reach BI - the analytics team must stay out of scope. We tokenize during ETL, cohorts are built on tokens, and pinpoint detokenization goes through the proxy.

Healthtech

Electronic health records

The strictest scenario - special categories of PII. Provyn on-prem with an external HSM. The clinician sees the record through the app; the vault logs every read. Downstream systems receive only what they are entitled to.

E-commerce

Legacy migration

PostgreSQL with 15M orders. One ALTER TABLE plus an overnight bulk tokenize - and the whole database drops out of scope. Zero downtime: a nullable column is added, the script tokenizes, the old column is dropped.

From API key
to production - two weeks.

Integration requires no rewrite of your business logic. Shadow mode lets you roll back at any stage.

Day 1 · SANDBOX

API key & SDK

A key on the sandbox. pip install provyn-sqlalchemy. First POST /v1/tokenize within 20 minutes. Tokens visible in the dashboard.

Week 1 · SHADOW

Shadow mode

Mark PII columns with Tokenized(). New records are written as raw + token. We verify that joins and lookups still work. The raw column is still there - you can roll back.

Week 2 · CUTOVER

Cutover

Bulk-tokenize historical data (in the background). Switch reads to tokens. Drop the raw columns. DELETE FROM vault WHERE subject_id = X clears old snapshots.

Common questions from CTOs.

If your question isn't here, email sales@provyn.cloud - we reply within one business day.

What if Provyn goes down - do we lose data?

No. Vault data is replicated in a PostgreSQL HA cluster with WAL backup. Plus escrow - an encrypted backup on your side, decryptable with your key. Even if the Provyn service is unavailable, your data is recoverable without us.

I don't want to hand you our encryption keys.

Correct - and you don't have to. In the on-prem model, HashiCorp Vault (or your HSM) lives inside your perimeter and keys never leave it. We supply the service and the admin console; the keys are yours.

Does it work with our legacy DB and Django/Rails/Java stack?

Yes. SDKs for Python (SQLAlchemy, Django), Node (Prisma, Sequelize), Java (JDBC interceptor), Go. Legacy migration is via ALTER TABLE ADD COLUMN phone_token plus a batch script. A well-worn pattern.

Performance - is every request an HTTP hop?

Detokenize requests are cached in Redis on the client side (encrypted). Hot tokens → <1 ms. Cold → <12 ms p99. For a 15M-record migration, the bulk endpoint runs at ~10k ops/s.

Where is data stored - and is it compliant?

You choose the region: EU, GCC, APAC or LATAM, or fully on-prem. Data does not leave the jurisdiction you select, satisfying local data-residency requirements.

How much does it cost?

By volume of operations, not by record. Pricing on request. A free tier is available for PoC (100k ops/month).

See how the vault
fits into your infrastructure.

30 minutes with an architect. We map which systems are in scope, show the SDK for your stack, and estimate the migration timeline.

sales@provyn.cloudMulti-region · EU / GCC / APAC / LATAM
Book a demo · Vault
Your data is protected
We reply within one business day. Your data is processed in accordance with GDPR - which is, after all, exactly what we do.
PROVYN
© 2026 Provyn · Fan Labs Inc. · PII infrastructure