Client-Side Encryption¶
We cannot read your data. By design. Pauhu implements client-side encryption where all content is encrypted in your browser or application before transmission. Our servers process encrypted data and return encrypted results.
How It Works¶
sequenceDiagram
participant User
participant Client as Your Device
participant Server as Pauhu Server
participant HSM as Hardware Security Module
User->>Client: "Translate this document"
Client->>Client: Generate ephemeral key (AES-256-GCM)
Client->>Client: Encrypt content locally
Client->>Server: Send encrypted payload
Server->>HSM: Process with encrypted computation
HSM->>Server: Return encrypted result
Server->>Client: Encrypted translation
Client->>Client: Decrypt with ephemeral key
Client->>User: "Translated document"Encryption Stack¶
| Layer | Technology | Purpose |
|---|---|---|
| Content Encryption | AES-256-GCM | Encrypts all text and documents |
| Key Exchange | X25519 + ML-KEM-768 | Quantum-safe session keys |
| Signing | Ed25519 | Verifies authenticity |
| Transport | TLS 1.3 | Secures transmission |
| Key Storage | HSM (FIPS 140-3) | Protects master keys |
Quantum-Safe Encryption
Pauhu uses hybrid post-quantum cryptography (X25519 + ML-KEM-768) to protect against future quantum computer attacks. See Quantum-Safe Encryption for details.
Client-Side Implementation¶
from pauhu import Pauhu
# Initialize with client-side encryption (default)
client = Pauhu(
api_key="pk_...",
client_side_encryption=True # Default: True
)
# All operations are automatically encrypted
result = client.translate(
text="Classified: Project Falcon budget is EUR 2.5M",
target="fi"
)
# Verify encryption was used
assert result.metadata.encrypted == True
assert result.metadata.key_id is not None
Manual Key Management¶
from pauhu.crypto import KeyPair, encrypt, decrypt
# Generate your own keys
keypair = KeyPair.generate()
# Encrypt before sending
encrypted = encrypt(
plaintext="Sensitive content",
public_key=keypair.public_key
)
# Send encrypted data
result = client.translate_encrypted(
ciphertext=encrypted.ciphertext,
nonce=encrypted.nonce,
target="fi"
)
# Decrypt response
translation = decrypt(
ciphertext=result.ciphertext,
nonce=result.nonce,
private_key=keypair.private_key
)
What We Cannot See¶
| Data Type | Visible to Pauhu? |
|---|---|
| Source text | No |
| Translated text | No |
| Document content | No |
| File names | No |
| Metadata (custom) | No |
| API key | Yes (for billing) |
| Request timestamp | Yes (for rate limiting) |
| Character count | Yes (for quota) |
Compliance Implications¶
GDPR Article 32¶
"Taking into account the state of the art... the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including... encryption of personal data."
Client-side encryption satisfies GDPR's encryption requirements because personal data is never exposed to our servers in plaintext.
VAHTI ST IV (Finnish Government)¶
Security Level IV: Classified (SALAINEN)
- Encryption: Required (AES-256 minimum)
- Key management: HSM required
- Processing: Isolated environment
Pauhu's client-side encryption meets ST IV requirements for classified information handling.
FedRAMP High¶
Control SC-28 (Protection of Information at Rest):
"Cryptographic mechanisms shall prevent unauthorized disclosure and modification of information."
Client-side encryption exceeds FedRAMP High requirements by encrypting data both at rest and in transit.
Verification¶
Audit Your Encryption¶
from pauhu.audit import verify_encryption
# Verify a specific request
audit = verify_encryption(
request_id="req_abc123",
api_key="pk_..."
)
print(audit.algorithm) # "AES-256-GCM"
print(audit.key_derivation) # "X25519"
print(audit.server_access) # "none"
print(audit.verified) # True
Independent Verification¶
Our client-side encryption implementation is audited by:
- KPMG Finland - Annual security audit
- Nixu Oy - Penetration testing
- Traficom NCSC-FI - Government certification
Audit reports available under NDA for enterprise customers.
Offline Mode¶
Client-side encryption works identically in offline mode:
from pauhu import Pauhu
# Offline mode with local models
client = Pauhu(
mode="offline",
models_path="/opt/pauhu/models"
)
# Same encryption, no network
result = client.translate(
text="Air-gapped facility report",
target="fi"
)
# Encryption keys never leave the device
assert result.metadata.network_used == False