Sensitive datanever leaves your tenancy.
An API-first vault that detects PII, tokenizes it into safe surrogates, and encrypts the originals under keys you control. Sit it in front of any model, any analytics tool, any partner — they see structure, never secrets.
Four operations. One contract.
Detect, tokenize, encrypt, govern — exposed behind a single, consistent API. Compose them; chain them; run them inline on every request crossing a trust boundary.
Find PII anywhere it hides.
Six detection layers run in parallel: pattern + checksum, schema + tag, NER, vision (stamps/signatures/faces), context inference, and your own custom rules. Structured rows, free text, scanned images — nothing slips through.
Replace secrets with safe surrogates.
Format-preserving tokens that look real to your downstream tooling. SSN-shaped strings stay SSN-shaped; account numbers stay numerically valid. Tokens are scoped to your tenancy and impossible to reverse without your keys.
Originals locked, mirrors emitted.
Originals are encrypted at field level under keys held in your KMS, then stored in one repository. The tokenized mirror — same shape, no secrets — lives in another. Compromise of one store gives an attacker nothing useful.
Sign every action.
Every authorize, access, tokenize, and detokenize event is recorded and cryptographically signed. Hand a regulator a verifiable export of any time window in seconds. Drag a timeline in your console; rebuild any moment.
Six layers, run in parallel.
No single detector finds everything. Together they cover structured fields, free text, scanned images, and inferred identifiers — and you can extend the bottom layer with rules specific to your domain.
One verb in. A safe surrogate out.
Tokenize and detokenize are single-call, idempotent, and schema-aware. Wrap them in your existing data layer or call them inline from any service.
curl -X POST https://api.logikol.com/v1/tokenize \
-H "Authorization: Bearer $LOGIKOL_KEY" \
-H "Content-Type: application/json" \
-d '{
"fields": [
{ "key": "name", "value": "Maria Lopez", "kind": "name" },
{ "key": "ssn", "value": "412-55-9180", "kind": "ssn" },
{ "key": "account", "value": "8801-4421-3092", "kind": "account" }
],
"policy": "default"
}'{
"tokens": {
"name": "[name_a3f]",
"ssn": "[ssn_91c]",
"account": "[acct_4de]"
},
"refs": {
"name": "vault://acme/customers/9f1c2.../name",
"ssn": "vault://acme/customers/9f1c2.../ssn",
"account": "vault://acme/customers/9f1c2.../account"
},
"audit_id": "evt_2026_05_05_4z9k1q"
}Four building blocks.
Everything Logikol does is composed from a small set of primitives. Learn these four and the rest of the platform follows.
Format-preserving surrogates with stable shape (SSN-like, account-like, name-like). Reversible only inside your tenancy with a key fetched from your KMS at request time.
Pointers to the encrypted original. Travel everywhere safely; the data behind them never leaves your perimeter without explicit detokenize-by-policy.
Per-field rules deciding who can read, who can detokenize, when, and from where. Expressed as compact YAML; enforced at every API boundary.
Append-only signed log of every authorization and access. Hash-chained, exportable, queryable. The receipt for every interaction with sensitive data.
Plugs into the stack you already run.
KMS providers, storage, identity, observability — Logikol meets your stack where it is. No bespoke key-handling layer, no proprietary identity, no “please rip out your existing monitoring”.
- AWS KMS
- GCP Cloud KMS
- Azure Key Vault
- HashiCorp Vault
- On-prem HSM
- S3 / GCS / Azure Blob
- Postgres
- Snowflake
- BigQuery
- Object stores you provision
- Okta
- Azure AD
- Google Workspace
- OIDC
- SCIM
- Datadog
- Grafana
- New Relic
- Splunk
- OpenTelemetry
Document Intelligence + Vault = parse and protect in one call.
The same API can extract a document and tokenize its sensitive fields in a single sync request. The model that consumes the output sees structure, never secrets.