DEV Community: Baha Eddin Mselmi The latest articles on DEV Community by Baha Eddin Mselmi (@bahaeddinmselmi). https://dev.to/bahaeddinmselmi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3617932%2F81e09b8e-4a38-42ef-8a3d-2e5b9085ab7d.jpeg DEV Community: Baha Eddin Mselmi https://dev.to/bahaeddinmselmi en How I built a PII anonymization gateway for LLMs (and why every EMEA developer needs one) Baha Eddin Mselmi Fri, 13 Mar 2026 20:50:08 +0000 https://dev.to/bahaeddinmselmi/how-i-built-a-pii-anonymization-gateway-for-llms-and-why-every-emea-developer-needs-one-1d9h https://dev.to/bahaeddinmselmi/how-i-built-a-pii-anonymization-gateway-for-llms-and-why-every-emea-developer-needs-one-1d9h <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft73o6wivmbpdmgaj7ay5.jpg" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ft73o6wivmbpdmgaj7ay5.jpg" alt=" " width="800" height="716"></a></p> <h2> The problem nobody talks about in EMEA AI development </h2> <p>Every tutorial about building LLM-powered apps assumes <br> the same thing: you can freely send your user data to <br> OpenAI or Anthropic.</p> <p>In EMEA, that assumption is wrong.</p> <p>Tunisia is currently examining a 123-article organic law <br> regulating AI and automated decision-making.<br> France enforces GDPR strictly — and LLM prompts containing <br> personal data count as data processing.<br> Morocco is formalizing its digital governance framework.</p> <p>If you're building AI features for EMEA customers and <br> forwarding their data to US inference providers, you have <br> a compliance problem you may not know about yet.</p> <h2> What I built </h2> <p>SovereignGuard is an open source AI privacy gateway.</p> <p>It sits between your application and any LLM API. <br> It intercepts outbound prompts, strips PII before the <br> request leaves your server, and restores original values <br> locally after the response comes back.</p> <p>The LLM never sees real customer data.<br> Your app never changes beyond one line.</p> <h2> How it works — the full mechanism </h2> <p>Here's the complete request lifecycle:<br> Your App<br> |<br> | sends prompt with real customer data<br> v<br> SovereignGuard (running on YOUR server)<br> |<br> |-- creates session ID<br> |-- runs PII detection (fast regex + heavy recognizer)<br> |-- replaces PII with reversible SG tokens<br> |-- stores token→original mapping locally<br> v<br> LLM Provider (OpenAI / Anthropic / Mistral / etc.)<br> |<br> | receives only tokenized text<br> | returns tokenized response<br> v<br> SovereignGuard<br> |<br> |-- detects SG tokens in response<br> |-- restores original values from local mapping<br> |-- destroys or expires session mapping<br> v<br> Your App<br> |<br> receives clean, usable response</p> <h2> The token format </h2> <p>Tokens look like this:<br> {{SG_PERSON_NAME_a3f9b2}}<br> {{SG_TN_PHONE_c4d5e6}}<br> {{SG_TN_NATIONAL_ID_f7e3b1}}<br> {{SG_EMAIL_b2c3d4}}<br> Format: <code>{{SG_ENTITY_TYPE_randomhex}}</code></p> <p>The hex suffix is random per session. <br> Even if someone intercepts the tokenized prompt, <br> they cannot reverse the tokens without the local mapping.</p> <h2> Live proof </h2> <p>Input from your app:<br> "Contact Baha at +216 XX XXX XXX, CIN 12345678"<br> What the LLM actually receives:<br> "Contact {{SG_PERSON_a3f9b2}} at {{SG_TN_PHONE_c4d5e6}},<br> {{SG_TN_NATIONAL_ID_f7e3b1}}"<br> What your app gets back:<br> "Contact Baha at +216 XX XXX XXX, CIN 12345678"</p> <p>restoration_completeness = 1.0<br> tokens_restored = 3<br> tokens_not_found = 0<br> Tested live against DeepSeek API. Works.</p> <h2> The EMEA gap </h2> <p>Every existing PII tool was built for US or Western EU data.</p> <p>Here's what they miss:</p> <p><strong>Tunisia:</strong></p> <ul> <li>CIN: exactly 8 digits (e.g., 12345678)</li> <li>Phone: +216 followed by 8 digits</li> <li>Matricule Fiscale: 7 digits + letter + 3 digits + 3 digits</li> </ul> <p><strong>Morocco:</strong></p> <ul> <li>CIN: 1–2 letters + 5–6 digits (e.g., AB123456)</li> <li>Phone: +212 followed by 9 digits</li> <li>ICE: exactly 15 digits</li> </ul> <p><strong>France:</strong></p> <ul> <li>NIR (social security): 13 digits + 2-digit key</li> <li>SIRET: 14 digits</li> <li>Phone: +33 followed by 9 digits</li> </ul> <p>SovereignGuard is the only open source gateway <br> with native recognizers for these patterns.</p> <h2> Integration — one line </h2> <p>If you're using the OpenAI Python SDK:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> python from openai import OpenAI # Before client = OpenAI(api_key="sk-...") # After — that's it client = OpenAI( api_key="sg-your-gateway-key", base_url="http://localhost:8000/v1" ) Your entire application stays the same. SovereignGuard handles everything transparently. Running it Docker (recommended): git clone https://github.com/bahaeddinmselmi/sovereignguard cd sovereignguard cp .env.example .env # edit .env with your provider API key docker compose up --build Smoke test: curl http://localhost:8000/health # {"status":"healthy","gateway":"SovereignGuard","version":"0.2.0"} What's next Countries I need recognizers for: 🇩🇿 Algeria 🇩🇪 Germany 🇳🇬 Nigeria 🇸🇦 Saudi Arabia 🇦🇪 UAE 🇸🇳 Senegal Adding a country recognizer takes about 30 minutes. See [docs/adding-recognizers.md] for the guide. GitHub: https://github.com/bahaeddinmselmi/sovereignguard If you're building AI features for EMEA customers, this layer belongs in your stack. Star it, break it, contribute to it. </code></pre> </div> python rag privacy opensource