TrustLayer: data de-identification for automation
TrustLayer is a purpose-built de-identification engine that sits between your business data and any AI processing. It detects personal information, replaces it with secure tokens, and restores the original values after the AI has done its work. Your data never leaves Australia. The AI never sees the real thing.
Architecture
TrustLayer intercepts data at two points in every AI-using automation: once on the way in (de-identify) and once on the way out (re-identify). The AI service only ever processes tokenised data.
Your automation trigger
A form, email, document, or scheduled event fires your automation. Raw data enters the flow.
TrustLayer de-identifies
Pattern detectors scan for PII. Each match is replaced with a unique token. The mapping is encrypted with AES-256-GCM and stored on Australian infrastructure with automatic expiry.
AI processes tokenised data
The AI model receives text like [PERSON_1] and [ABN_2]. It analyses, summarises, or categorises the content without ever seeing real personal information.
TrustLayer re-identifies
Tokens in the AI response are replaced with the original values. The final output is complete, accurate, and ready to use.
Output delivered
The automation completes: email sent, record updated, report generated. Full data integrity, no PII exposure to external services.
Industry profiles
Every client is assigned an industry profile that controls which detectors are active. TrustLayer therefore scans for the data types that matter in your industry rather than applying a one-size-fits-all check.
Standard business
- Names and identities
- Email addresses
- Phone numbers
- Physical addresses
- Dates of birth
Accounting, bookkeeping, financial services
- All general detectors
- Australian Business Numbers
- Tax File Numbers
- Bank account details
- Financial amounts
Allied health, medical, aged care
- All general detectors
- Medicare numbers
- Dates of birth
- Financial amounts
Legal practices, conveyancing
- All general detectors
- Australian Business Numbers
- Tax File Numbers
- Bank account details
- Financial amounts
Technical specifications
For IT teams and compliance officers reviewing OpFlow's data handling.
| Attribute | Detail |
|---|---|
| Hosting | Self-hosted on Australian infrastructure (not cloud SaaS) |
| Encryption at rest | AES-256-GCM for all token maps |
| Token format | Deterministic, category-prefixed (e.g. [PERSON_1], [ABN_2]) |
| Token map expiry | Configurable TTL per client, automatic purge |
| Detector categories | 10 (person, ABN, email, phone, address, bank, TFN, Medicare, amount, DOB) |
| Detection method | Pattern-based with longest-match-first deduplication |
| Audit logging | Immutable per-request entries (timestamp, client, action, detectors matched, token count) |
| Client reports | Processing reports and Data Processing Maps generated on demand |
| Authentication | Per-client API keys, bearer token |
| Bot Library coverage | 36 of 105 automation specs require TrustLayer (all AI-using flows) |
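The de-identify and re-identify steps from the Architecture section, together with the "longest-match-first deduplication" and category-prefixed token rows above, sketched as an added example (not TrustLayer's own code). The detector patterns, the request-wide token counter and the function names are assumptions, and the token map is held in memory here rather than encrypted with AES-256-GCM and expired.

```python
import re

# Simplified, constructed detector patterns (assumptions, not TrustLayer's own).
DETECTORS = {
    "ABN": re.compile(r"\b\d{2} ?\d{3} ?\d{3} ?\d{3}\b"),
    "TFN": re.compile(r"\b\d{3} ?\d{3} ?\d{3}\b"),
    "PHONE": re.compile(r"\b04\d{2} ?\d{3} ?\d{3}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}
TOKEN_RE = re.compile(r"\[[A-Z]+_\d+\]")

def detect(text):
    """Return non-overlapping (start, end, category) spans, longest match first."""
    hits = [(m.start(), m.end(), cat)
            for cat, rx in DETECTORS.items() for m in rx.finditer(text)]
    hits.sort(key=lambda h: (-(h[1] - h[0]), h[0]))  # longest first, then leftmost
    kept = []
    for start, end, cat in hits:
        # Drop any hit that overlaps a longer span already accepted,
        # e.g. the 9-digit TFN pattern firing inside an 11-digit ABN.
        if all(end <= ks or start >= ke for ks, ke, _ in kept):
            kept.append((start, end, cat))
    return sorted(kept)

def deidentify(text):
    """Replace each detected value with a token; return (tokenised, token_map)."""
    token_for, token_map, out, pos = {}, {}, [], 0
    for start, end, cat in detect(text):
        key = (cat, text[start:end])
        if key not in token_for:  # deterministic: same value -> same token
            token_for[key] = f"[{cat}_{len(token_for) + 1}]"
            token_map[token_for[key]] = key[1]
        out += [text[pos:start], token_for[key]]
        pos = end
    out.append(text[pos:])
    return "".join(out), token_map

def reidentify(text, token_map):
    """Restore original values; tokens missing from the map are left untouched."""
    return TOKEN_RE.sub(lambda m: token_map.get(m.group(0), m.group(0)), text)

# Constructed sample input (not real identifiers).
SAMPLE = ("Supplier ABN 12 345 678 901, contact jo@example.com "
          "or 0491 570 156. Confirm ABN 12 345 678 901.")

if __name__ == "__main__":
    tokenised, token_map = deidentify(SAMPLE)
    print(tokenised)
    print(reidentify(tokenised, token_map) == SAMPLE)
```

Without the longest-match-first step, the TFN pattern would tokenise the last nine digits of each ABN and leave the first two digits in the text sent to the AI service.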
Audit and accountability
Every interaction with TrustLayer is recorded. You always know what happened, when, and to which data.
Processing reports
Regular summaries showing what PII was detected across your automations, broken down by detector category and volume. Delivered by email.
Data Processing Maps
A document showing exactly which data categories flow through each of your automations and how TrustLayer handles them. Useful for compliance reviews and internal audits.
Immutable audit log
Every de-identification and re-identification event is logged with a timestamp, the categories detected, and the number of tokens generated. Entries cannot be modified or deleted.
Compliance alignment
TrustLayer supports your compliance posture across Australian privacy and industry regulations.
Privacy Act 1988
De-identification aligns with APP 11 (security of personal information) by minimising the data sent to external processors. Token maps with automatic expiry support APP 11.2 (destruction when no longer needed).
Australian Privacy Principles
APP 6 (use and disclosure) is supported by ensuring AI services receive only tokenised data. The cross-border disclosure risk covered by APP 8 is mitigated because de-identified data sent overseas contains no personal information.
Industry-specific regulations
Health (My Health Records Act), finance (APRA CPS 234), and legal (professional conduct rules) all benefit from industry-tuned detection profiles that target the data types regulators care about.
AI disclosure requirements
With AI disclosure becoming mandatory for Australian businesses by December 2026, TrustLayer's audit trail and processing reports provide the documentation you need to demonstrate responsible AI use.
See TrustLayer in action
Book a free Automation Assessment and we will show you exactly how TrustLayer handles your industry's data types. The assessment includes a walkthrough of which automations would use TrustLayer and what your Data Processing Map would look like.