The product

The Trinito AI Gateway

An on-premise appliance that lets your team use ChatGPT, Claude, and Gemini safely. Sometimes called an AI Firewall or AI Sanitiser — the job is the same: sensitive fields never leave your office unredacted.

Redacts UK personal identifiers (NI, postcodes, NHS numbers, etc.) and contextual business references (claim numbers, case refs, NHS client IDs) that could identify a client or matter — plus custom rules for your internal IDs.

Compliance teams: see how Trinito automates the technical controls of ISO/IEC 27701:2025

Architecture

Why an appliance, not SaaS or software-only

The on-premise architecture is the product. Move the sanitiser to the cloud and your data has to travel through that cloud to be redacted — the exact problem this product exists to solve. The appliance is what makes every other promise on this page literally true.

  1. Prompts never leave unredacted

    Redaction runs in your building. SaaS prompt-firewalls handle raw content in transit to do their job. We do not — because the box is on your LAN.

  2. The audit log is yours

    If Trinito vanishes, the log remains. A regulator gets a USB export from hardware you own — not a tenant in someone else's cloud.

  3. One governed chat surface

    Staff use the Trinito chat on the LAN — the sanitiser, audit log, and model routing sit in one place. No per-endpoint agents to roll out or maintain.

  4. Hardware acceleration included

    The integrated NPU runs sanitisation and local inference fast without bolting on extra kit.

  5. One platform to support

    Tested updates on a known box — not "any Linux VM you happen to have."

Redaction pipeline

Three stages. Layered defence.

Trinito's redaction pipeline runs in three stages on the appliance — regex, named-entity recognition, then review before send.

  1. Regex pass

    UK personal identifiers — postcodes, NI and NHS numbers, VAT numbers, IBANs, sort codes, Luhn-validated cards, email, phone — plus contextual business references (claim numbers, case refs, NHS client IDs) where pattern packs apply. Fast and precise.

  2. Named entity recognition

    A local spaCy model finds person names, organisations, places, and money references that no regex can reliably catch.

  3. Deduplication and Pre-Send Preview

    Overlapping detections are merged. The user reviews the sanitised prompt and approves with one click before anything leaves the appliance.

Before
Draft an offer letter for Sarah Patel for the 3-bed flat at 14 Cromwell Road, SW7 4XL. Her solicitor is at Henderson & Co.
After
Draft an offer letter for [PERSON_1] for the 3-bed flat at [ADDRESS_1], [POSTCODE_1]. Her solicitor is at [ORG_1].

On the way back, placeholders are restored so the letter reads naturally.
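The regex pass, overlap merging and placeholder restore described above, as an added illustration (not Trinito's code). The patterns, the longest-span merge rule and the sample text are simplified assumptions, and the NER stage is left out.

```python
import re

# Constructed, simplified patterns and sample text; not Trinito's detector pack.
PATTERNS = [
    ("POSTCODE", re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s?\d[A-Z]{2}\b")),
    ("NINO", re.compile(r"\b[A-Z]{2}\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("CARD", re.compile(r"\b(?:\d[ -]?){12,18}\d\b")),
]
SAMPLE = ("Email AB123456C@example.com or sarah@example.co.uk about SW7 4XL. "
          "Card 4111 1111 1111 1111, order 1234 5678 9012 3456. Flat is in SW7 4XL.")

def luhn_ok(candidate):
    digits = [int(c) for c in candidate if c.isdigit()]
    # Double every second digit from the right, adding the digits of each product.
    total = sum(digits[-1::-2]) + sum(sum(divmod(2 * d, 10)) for d in digits[-2::-2])
    return total % 10 == 0

def detect(text):
    """Regex pass: (start, end, label) per hit; card candidates must pass Luhn."""
    return [(m.start(), m.end(), label)
            for label, rx in PATTERNS for m in rx.finditer(text)
            if label != "CARD" or luhn_ok(m.group())]

def merge(hits):
    """Dedup: where spans overlap, keep the longest so nothing is half-redacted."""
    kept = []
    for h in sorted(hits, key=lambda h: (h[0] - h[1], h[0])):
        if all(h[1] <= k[0] or h[0] >= k[1] for k in kept):
            kept.append(h)
    return sorted(kept)

def sanitise(text):
    """Replace each distinct value with a stable numbered placeholder."""
    mapping, seen, counts, out, pos = {}, {}, {}, [], 0
    for start, end, label in merge(detect(text)):
        value = text[start:end]
        if (label, value) not in seen:
            counts[label] = counts.get(label, 0) + 1
            seen[label, value] = f"[{label}_{counts[label]}]"
            mapping[seen[label, value]] = value
        out += [text[pos:start], seen[label, value]]
        pos = end
    return "".join(out) + text[pos:], mapping

def restore(text, mapping):
    """Return path: swap known placeholders back; unknown ones are left as-is."""
    return re.sub(r"\[[A-Z]+_\d+\]", lambda m: mapping.get(m.group(), m.group()), text)
```

In the sample, the NI-number-shaped local part of the first email is detected twice; the merge keeps the longer email span, and the 16-digit order number stays in place because it fails the Luhn check.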

Attachments

Files stay on the appliance. Only sanitised text is sent.

When someone drags a document onto the chat, the file is uploaded to the appliance and held locally. Apache Tika extracts text on the box — office documents and spreadsheets directly; images and scanned PDF pages via Tesseract through Tika. That text runs through the same three-stage sanitiser as a typed prompt.

What reaches the LLM is sanitised text embedded in the prompt. The original file is never sent to any provider's attachment API. This keeps the architecture provider-neutral and the data-residency claim absolute.

Shorter files can stay inline in the prompt for that conversation. Longer files can be indexed for retrieval so later turns pull only the relevant sections. Both modes are scoped to that one chat. For organisation-wide knowledge — handbooks, policies, case studies — see the document library below.

Supported at launch: PDF, DOCX, XLSX, CSV, PNG/JPG, and TXT. Spreadsheets are particularly useful — sensitive cells can be redacted while the model still analyses structure. Images or photos with no extractable text cannot be processed — the upload is marked "extraction failed" and can be retried or removed.

Document library

Your company knowledge, on the appliance

Upload your handbook, policies, case studies, and reference material. The chat retrieves from them as context — with the same privacy guarantees as every other prompt. Documents stay on the appliance; what leaves the box is sanitised, the same as user prompts.

Three tiers of visibility

Org library
Visible to every user in the organisation. Brand guidelines, policies, the employee handbook, case studies. Admin-managed via the appliance admin pages.
Personal library
Per-user case files, working notes, and personal templates — scoped so one user's library never leaks into another user's chat. The database enforces this at query time.
Conversation attachments
Drag a file into a specific chat to discuss it. Default is inline mode — the appliance extracts and redacts the file, then includes it directly in the prompt body. For longer documents, an explicit "Add to RAG for this conversation" action chunks and indexes the document so later turns retrieve only the relevant sections. Both modes stay in that one conversation.

Scope is enforced at the database query level, not as a policy checkbox in application code. Even a privileged user cannot retrieve another user's personal library rows — the SQL query cannot return them. Uploads run through classification detection and chip review: you see every name and identifier the sanitiser found, and you can release intentional disclosures (a founder's name in a brand guide, a customer name in a case study). Each release is recorded in the audit log.

When a response used document context, the chat shows its sources — document title, content type, and sensitivity level — so the user knows where the answer came from. Every outbound send still passes through the sanitiser and Pre-Send Preview.

Document library workflow

LLM router

Use any model. Control who uses what.

The Gateway can route to:

  • Local models on the appliance: Qwen 2.5, Llama, and others — included with the appliance.
  • Trinito Cloud: Our managed subscription — monthly token allowance on Compact and Standard, customer-cancellable. Free starter allowance bundled so the box is useful from day one.
  • Your own keys: BYO OpenAI, Anthropic, and Google. Keys stored encrypted on the appliance (libsodium secret-box) and used directly from the box.

In every case, the appliance talks to the LLM provider directly. Trinito's servers are not in the prompt path — we never see the prompt, response, or your API key. Our licensing server only issues signed config (subscriptions, caps) on a daily check-in. The admin chooses per-model access, credentials, and catalogue additions.

Audit log

Every prompt processed. Every redaction. On the appliance.

An append-only, hash-chained audit log records every prompt processed, every redaction decision, and every external send. The log stores cryptographic hashes of prompt and response content — not the content itself — so we can evidence what happened without retaining the underlying personal data. Tampering with the chain is detectable on export; the database enforces append-only behaviour via a row-level trigger. Compliance can export from the appliance on demand.
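How a hash chain that stores content hashes only makes edits detectable on export, as an added sketch (not Trinito's schema or code). The field names, event names, genesis value and sample records are assumptions, and the database trigger is not modelled.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed "previous hash" for the first record

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def record_hash(body):
    # Canonical JSON so identical fields always produce the identical hash.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")))

def append(log, event, prompt, response, redactions):
    """Add a record that stores content hashes only and links to its predecessor."""
    body = {
        "seq": len(log),
        "event": event,
        "prompt_sha256": sha256_hex(prompt),
        "response_sha256": sha256_hex(response),
        "redactions": redactions,
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    log.append({**body, "hash": record_hash(body)})

def verify(log, expected_head=None):
    """Return None if intact, else the index where the chain first fails.

    A chain alone cannot show that trailing records were dropped, so an
    exporter can pass the last hash it recorded elsewhere as expected_head.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev or record_hash(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None

def sample_log():
    """Three constructed records using already-sanitised text."""
    log = []
    append(log, "prompt_processed", "Draft a letter for [PERSON_1]", "", ["PERSON"])
    append(log, "external_send", "Draft a letter for [PERSON_1]", "Dear [PERSON_1]", [])
    append(log, "release", "Brand guide upload", "", ["ORG"])
    return log
```

Editing a record breaks its own hash; recomputing that hash to hide the edit breaks the `prev` link of the next record instead.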

Conversation history — which retains prompt and response text for user reference — lives in a separate per-user store on the appliance, encrypted at rest. Conversation-scoped attachments can be removed from chat.

Hardware specs

Three appliances. Capability scales with tier.

Specs-first overview. See pricing for list prices.

| | Trinito Compact | Trinito Standard | Trinito Sovereign |
| --- | --- | --- | --- |
| CPU / NPU | 8-core CPU with integrated 50 TOPS NPU | 8-core CPU with integrated 50 TOPS NPU | 12-core CPU with integrated 80 TOPS NPU |
| Unified memory | 32 GB | 64 GB | 96–128 GB |
| Storage | 1 TB NVMe | 3 TB NVMe | 4 TB NVMe |
| Inference throughput | ~8 tok/s on Qwen 2.5 7B | ~15 tok/s on Qwen 2.5 7B | ~80 tok/s on Qwen 2.5 7B |
| Noise level | Near-silent (fanless) | Near-silent (fanless) | Near-silent |
| Power draw | ~28 W typical | ~32 W typical | ~90 W typical |
| Dimensions | 192 × 192 × 48 mm | 192 × 192 × 48 mm | 262 × 197 × 80 mm |
| Warranty | 3 years | 3 years + priority support | 3 years |

Deployment

What installation looks like.

  • Plugs into your office network
  • First boot: automatically configured
  • Browse. Login. Chat. Done.

Comparison

Four options, one that actually works.

The homepage table, expanded for buyers who need the detail.

| | Do nothing | Block AI tools | SaaS DLP | Trinito AI Gateway |
| --- | --- | --- | --- | --- |
| Staff use AI | Yes | Only on phones | Yes | Yes |
| Data stays in your office | No | Yes | No — via vendor | Yes |
| Audit trail | None | Partial | Vendor-hosted | On-appliance, hash-chained |
| Works with ChatGPT / Claude / Gemini | Yes | No | Some | All three, plus more |
| Capex, not per-seat | | | Per-seat | One box, monthly LLM |
| UK detector pack built in | | | Vendor-configured | builtin-uk-v1 out of the box |
| Air-gapped deployment | | | No | Sovereign tier |
| UK-built | | | Mostly US | Yes |

See it running

See curated sanitiser examples on the website, then talk to us about putting the same pipeline on your network.