On-prem · Zero-Knowledge · any frontier model

Use frontier AI — without your customer data leaving the building.

Names, case numbers, diagnoses, IBANs turn into placeholders before the text reaches Claude, GPT or Mistral. The model works on the placeholders — it never sees the real data, and the answer comes back to you unmasked. Runs as a Docker container in your own infra (one line: base_url), your keys, fully maintained.

Get the Bridge — from €99/mo

Want to try it live first? Test a masked AI chat, free →

What your app sends out
{ "customer": "Maria Miller", "email": "m.miller@acme.com", "iban": "DE89 3704 0044 0532 0130 00", "note": "complaint #88231" }
What the provider receives
{ "customer": "[PERSON_1]", "email": "[EMAIL_1]", "iban": "[IBAN_1]", "note": "complaint #88231" }
Response un-masked locally Mapping stays with you
Not ready for Docker — want to try it first?
See the masking live: paste text (or a file), watch line by line what an AI model would read — and test a real masked AI chat with free credit. Runs in your browser, no Docker.
Open live demo →

Two ways to wire it in

One container, one engine, one license — pick the door that fits your stack.

Proxy / Gateway

LLM calls in apps & chat — drop-in

  • OpenAI-compatible, native streaming
  • any model, your keys (BYOK)
  • change one line, masking is transparent
# just point base_url at the Bridge:
client = OpenAI(
  base_url="http://localhost:4000/v1",
  api_key=YOUR_KEY,
)
# everything now goes out masked

Mask API

Your own pipelines, ETL, agents — the primitive

  • /v1/mask + /v1/unmask, stateless
  • you control everything between mask & unmask
  • batch, ETL, agentic/MCP, your own flow
curl localhost:4000/v1/mask \
  -d '{"text":"Maria Miller, m@acme.com"}'
# → { "masked": "[PERSON_1], [EMAIL_1]",
#     "mapping": { ... } }   # stays with you

Both on-premise, in your infra — Saklam never sees a byte.

Three steps, one line of code

The Bridge sits between your app and the provider. You only change the base_url.

Your app / IDE

Sends the request to the Bridge instead of straight to OpenAI/Anthropic. Point the base_url.

Bridge masks

Locally in your infra: PII → placeholders. The mapping stays in RAM, per request.

Provider sees tokens

Your keys (BYOK), any model. The response is un-masked back at your end.

Why buy instead of build?

Data control by design

Mappings live in RAM, per request, then discarded — no DB, no logs. With the on-prem Bridge, Saklam never sees a single byte of your traffic.

Maintained, not hacked together

300+ PII patterns, 20+ languages, NER model — kept current, edge-cases tuned. The part you'd never keep comprehensive and up to date yourself.

Drop-in, no lock-in

OpenAI-compatible. Point the base_url, bring your own keys, any model (Claude, GPT, Mistral, Gemini, Bedrock, Ollama). Out as easy as in.

Live in 15 minutes

A server with 1–2 GB of free RAM, Docker, your pay-as-you-go provider keys.

# 1 — directory
mkdir -p /opt/saklam-bridge && cd /opt/saklam-bridge
# 2 — grab compose + env
curl -fsSL https://saklam.com/bridge/docker-compose.yml -o docker-compose.yml
curl -fsSL https://saklam.com/bridge/env.example -o .env
# 3 — add your keys
$EDITOR .env   # ANTHROPIC_API_KEY=sk-ant-… etc.
# 4 — start
docker compose pull && docker compose up -d
# 5 — health check
curl -fsS http://localhost:4000/health/readiness

Read the full docs →  ·  n8n integration →

From solo dev to enterprise. No volume cap.

Your AI usage goes straight to the provider — we don't make a cent on it.

Team

€490
/ month
  • up to 5 Bridge instances
  • everything in Solo
  • priority support
  • pay by invoice
Get in touch

Business

€1,490
/ month
  • up to 20 Bridge instances
  • compliance package: DPIA module, audit-trail docs, whitepaper
  • onboarding session & priority support
  • pay by invoice
Get in touch

Enterprise / OEM

on request
tailored to your setup
  • 50+ instances or org-wide rollout
  • embed the Bridge in your own product (OEM)
  • SLA & individual contracts
  • compliance package included
Talk to us

All prices excl. VAT (B2B). Every tier: on-prem Docker, all providers, BYOK, updates & pattern maintenance included.

Works with any provider:

AnthropicOpenAIAzure OpenAIGoogle GeminiAWS BedrockMistralOllama

FAQ

Do you store the token↔original mappings?

No. With the on-prem Bridge the masking runs in your infra; the mapping lives in RAM per request and is discarded after. It never leaves your server — we never see it.

Does the Bridge phone home?

Yes — and transparently: on startup and ~daily, only your license key goes to saklam.com to validate the subscription. Never prompts, customer data, or mappings. Offline, the Bridge keeps running until the license token expires (grace period).

How do I integrate it?

OpenAI-compatible endpoint. You set base_url (or ANTHROPIC_BASE_URL) to the Bridge. One line — in your app, in n8n, or in Claude Code / your IDE. Or use the /v1/mask + /v1/unmask primitive directly.

Which providers & models?

Claude, GPT, Azure OpenAI, Gemini, Bedrock, Mistral, local Ollama. BYOK — your keys, the provider bills you directly.

Hardware requirements?

1–2 GB RAM, 2 vCPU, runs on CPU — no GPU needed. The PII model ships inside the image (~1.6 GB download), no external download at runtime. First start: 1–2 min model warmup.

Latency / streaming?

~70 ms masking overhead per request. Streaming is passed through.

Why not build it myself?

You could — a regex in an afternoon. Comprehensive (hundreds of patterns, 20+ languages, NER), maintained and kept current is the ongoing work you save here.

Do I need a Data Processing Agreement (DPA) with Saklam?

No. The Bridge runs on-premises in your own infrastructure — personal data never reaches Saklam (zero-knowledge). There is no processing on your behalf, so no DPA with us is required. Any DPA obligation is with your LLM provider, since you use their key directly (BYOK).

What does "Saklam" mean?

The name comes from the Turkish saklamak — to hide, to keep safe. That's the job: your data is hidden before it leaves the building, and kept safe — with you, not with us.

Regulated professions / professional secrecy?

What matters is what actually reaches the model provider — not which country a server sits in: hosting commitments and contracts govern storage location and liability; professional secrecy protects the content itself. Masking runs on-premise in your own infra — names, case numbers, diagnoses become placeholders before the request leaves the building, so the protected data never reaches the provider. For clients bound by German professional-secrecy law (§203 StGB — lawyers, doctors, tax advisors) we additionally offer a "Mitwirkender" agreement (background: German Bar Association opinion 32/2025). The legal assessment for your case stays with your counsel — we provide the architecture and the contract it builds on.

Stefan Böck, Founder Saklam

From a developer, for developers

Stefan Böck — started back in university; I've been building software ever since, mostly freelance, sometimes employed (incl. at Sedo). Today I build the privacy tooling I'd use myself.

Classic first vertical: regulated professions (§203) — but the problem hits everyone who feeds sensitive data to AI.

Setup, if you want it, we do together over a screen share — you're live in 15–20 minutes.

LinkedIn

Get your app behind the Bridge in 15 minutes.

Pull the image, point the base_url, done. Your keys, your infra, your data.

Questions? stefan@saklam.com