REFERENCE
Glossary
Plain-language definitions of the privacy and AI terms that show up most often when people ask how Sonomos works. Each entry links to the related concepts and to the parts of the product that handle them.
Data Masking
Replacing sensitive values with realistic-looking substitutes so the data remains usable while the originals never leave the device.
Tokenization
Replacing a sensitive value with a non-sensitive token that maps back to the original through a separate, controlled lookup.
Personally Identifiable Information (PII)
Any information that can identify a specific person, either directly (name, SSN) or in combination with other data (zip code + birthdate).
Protected Health Information (PHI)
Individually identifiable health information held or transmitted by a covered entity, regulated under HIPAA in the United States.
Prompt Leakage
The unintended disclosure of sensitive information through the content of a prompt sent to an AI model.
Zero-Knowledge Processing
An architecture where the service provider has no technical ability to read user data, because all sensitive processing happens on the client.
Privacy Layer for AI
A control point between a user and an AI service that detects, transforms, or blocks sensitive data before it reaches the model.
On-Device AI
Running model inference or pre-processing entirely on the user's machine instead of sending data to a cloud service.
Redaction
Removing or blacking out sensitive content so it is no longer present in the document or prompt.
Contextual Matching
Detecting sensitive data by combining structural patterns with surrounding context, instead of relying on regex alone.
Prompt Injection
An attack where adversarial instructions hidden inside user input or external content trick an AI model into ignoring its original instructions.
Shadow AI
Employees using AI tools at work without organisational sanction — the AI-era version of shadow IT.
Data Loss Prevention (DLP)
A category of security tooling that inspects outbound data flows to prevent sensitive content from leaving an organisation's control.
Named Entity Recognition (NER)
An NLP technique that identifies and classifies real-world entities — people, organisations, locations — within free-form text.
Attorney-Client Privilege
A legal doctrine protecting confidential communications between a lawyer and client from compelled disclosure — and one of the easiest privileges to inadvertently waive.
HIPAA
The U.S. Health Insurance Portability and Accountability Act, which sets privacy and security rules for individually identifiable health information held by covered entities.
GDPR
The EU General Data Protection Regulation — the world's most comprehensive data-protection law, governing how organisations handle personal data of EU residents.
CCPA
The California Consumer Privacy Act and its 2023 successor, the CPRA — the United States' most influential state-level privacy law.
Business Associate Agreement (BAA)
A HIPAA-mandated contract between a covered entity and a vendor that handles PHI on its behalf, defining each party's privacy and security obligations.
Data Processing Agreement (DPA)
A GDPR-mandated contract between a controller and a processor that governs how personal data is handled on the controller's behalf.
Pseudonymization
Replacing direct identifiers with stable pseudonyms so the data can no longer identify a person without additional information held separately.
GLBA (Gramm-Leach-Bliley Act)
The U.S. federal law requiring financial institutions to protect the nonpublic personal information of their customers and explain their data-sharing practices.
FERPA (Family Educational Rights and Privacy Act)
The U.S. federal law that protects the privacy of student education records held by institutions receiving federal funding.
De-identification
The process of removing or obscuring identifiers from health data so it no longer identifies an individual, removing it from HIPAA's scope.
Data Minimization
The privacy principle of collecting and processing only the minimum personal data necessary for a specific, stated purpose.
PCI DSS
The Payment Card Industry Data Security Standard — the global security framework that governs how organisations protect cardholder data wherever it is stored, processed, or transmitted.
SOC 2
A security audit framework for service organisations that tests whether controls over security, availability, processing integrity, confidentiality, and privacy are suitably designed and operating effectively.
BIPA (Biometric Information Privacy Act)
Illinois' 2008 law requiring informed written consent before collecting biometric data — the most-litigated AI-adjacent privacy statute in the United States, with statutory damages of $1,000–$5,000 per violation.
Automated Decision-Making (ADM)
Using algorithms or AI systems to make or substantially influence decisions about individuals — regulated under GDPR Article 22, Colorado SB 24-205, and a growing number of state and sector laws.
EU AI Act
The European Union's comprehensive AI regulation, which classifies AI systems by risk level and imposes conformity assessments, transparency obligations, and prohibitions on certain high-risk uses.
COPPA (Children's Online Privacy Protection Act)
The U.S. federal law requiring verifiable parental consent before online services collect personal information from children under 13.
Anonymization
Irreversibly transforming personal data so that no person can be identified, even with additional information.
Looking for the deeper how-it-works view? See the methodology page for detection logic, the security page for the architectural model, or the comparisons page for how Sonomos sits next to other approaches.