mapping
read at step 5
audited access
One engine behind every surface#
The engine is the invariant part of the platform. Whether traffic arrives from an application pointed at the gateway, from the Salus Desktop endpoint agent on a managed laptop, or from the Workspace client, it lands in the same pipeline: detect → tokenize → policy → egress → restore. That is why tokens stay consistent across surfaces, why policy is written once, and why the audit trail is one stream rather than one per product.
The components#
- Gateway / data plane — receives traffic from capture lanes, orchestrates mask → forward → restore, and originates provider egress. Stateless and horizontally scalable.
- Detection engine — the self-hosted PII model for free text, deterministic validators for structured identifiers, and optional visual detection for documents and images. Runs entirely inside the customer environment.
- Tokenizer — typed, deterministic, HMAC-backed token generation with configurable scope, as described in Tokenization.
- Vault — the token-to-value mapping, envelope-encrypted under customer-controlled keys. Covered in Vault.
- Policy engine — declarative rules per user, group, app, agent, data class, destination, and risk level. Policy-as-code; a bad policy push is rejected and the last-known-good policy stays active.
- Audit and observability — policy decisions, token events, and restores, exported to the customer SIEM. Logs carry tokens and metadata rather than raw values.
Trust property#
The division of labor is deliberate: the local detection intelligence is allowed to see real values because it runs inside the customer environment; the external answer-writing model cannot see them because it receives tokens only. Everything that can re-identify a token — vault, keys, policy, restore — stays on the customer side of the boundary.