Since our latest article was about data leaks we had no other choice except to deep dive into this topic. That piece looked at it from the outside: what they are, why they happen, and who’s responsible. This one goes inside: into the architecture, the safeguards and the day-to-day practices we use at Lerpal to keep sensitive data away from models. 

Because prompt engineering won’t fix a security problem that starts long before a prompt is written.

Here’s the thing: prompt engineering won’t help with security. You are passing data to the LLM anyway and that’s where the potential leak can happen. You can craft the perfect prompt, optimize for accuracy, tune for performance, but none of that stops the model from seeing and potentially memorizing your sensitive data.

The real work happens before any prompt exists. Architecture review became essential for the Lerpal team, building that encapsulation layer for sensitive data. This layer handles masking, prepares embeddings and rewrites data to rephrase sensitive information. It has nothing to do with LLM inferencing and everything to do with data transformation.

Metaphor moment: try to think of it like airport security. The prompt is your boarding pass – nicely formatted with a clear destination. The real security happens at the checkpoint, long before you reach the gate. Every piece of data gets screened, suspicious items get flagged and anything dangerous never makes it through.

The ID Game: Making Everything Anonymous

The core principle is simple: never operate with raw data in your application. Everything sensitive gets hashed or encrypted and assigned an ID. Your application only knows that Customer_789 has Query_3 about Product_B. The actual names, emails and account numbers stay locked away.

This extends to system design. Packages communicating with LLMs run with weak roles: no admin rights, minimal permissions. The system restricts dependencies to prevent unauthorized LLM communication. If a package doesn’t need to talk to the model, it can’t talk to the model. Simple as that.

For PII masking, the technique is straightforward: assign IDs to sensitive client data and operate with IDs only. The mapping between IDs and real values lives in secured storage, accessed only when absolutely necessary and never near the LLM pipeline.

The “Feed It Everything” Conversation

Clients may want to upload entire databases to see what insights emerge. When these requests come in, the conversation starts with requirements gathering. If potential sensitive data leaks are detected, the proposal becomes: let’s not use that data at all until we can architect proper protection – masking, hashing or another approach that maintains functionality without exposure.

The key is that clients make their own decisions but with full information. What we do is explain the risks, propose alternatives, show how the same goals can be achieved safely. Sometimes that means waiting to implement features until the right safeguards exist. Better to delay than to leak.

Hosting: Control vs. Convenience

The hosting decision shapes everything else. Self-hosted models on private networks give complete control: your data never leaves your infrastructure. The alternative involves careful agreements with LLM providers ensuring they don’t store your data or keep it encrypted.

Model isolation varies by need. Could be serverless, could be cloud-provided, could be custom GPU clusters. Building responsive, scalable LLM infrastructure from scratch is painful, so the choice depends on your specific requirements. For applications, it is usually Docker and Kubernetes as standard practice.

When Users Try to Jailbreak

LLMs faced the same injection vulnerabilities that plagued SQL databases. Users craft inputs trying to make models spill secrets, ignore instructions, or behave like malicious actors. The creativity is impressive. The defense happens at multiple levels. 

The (Boring?) Infrastructure 

Security lives in the unglamorous details. AWS Secret Manager and GCP Secret Manager handle credential storage. Regular rotation keeps keys fresh. Langsmith and Datadog provide monitoring: tracking failure rates, critical errors, costs, and usage patterns.

For validation, Pydantic integrates with Langchain to ensure structured output. It checks that responses contain required fields, validates data types and can enforce custom rules. 

Logging happens through MLflow (open source, self-hosted) or Langsmith (proprietary, cloud). Every request and response gets captured.

The Security Checklist

Building a secure LLM module requires five non-negotiable elements:

Proper architecture – separation of concerns, clear data flow, controlled boundaries between components.

Self-hosted models – complete control over data flow, no external transmission, everything within your network.

Custom infrastructure – no external API calls to LLM tools in the critical path, everything stays controlled.

Masking – systematic transformation before data reaches the model, PII becomes tokens, credentials become hashes.

ID-based operations – never work with raw data in the application, hide everything under IDs or masks.

Skip any of these and you are gambling with your data.

So..

Your LLM doesn’t care about your secrets. It just processes patterns. Whether those patterns include sensitive data depends entirely on the architecture you build around it. The model will happily memorize and potentially reproduce anything you feed it.

But with proper architecture, systematic data handling and operational discipline LLMs become powerful tools that enhance your project without compromising security. These are battle-tested patterns keeping systems safe.

Choose your architecture wisely, implement carefully and sleep better knowing your API keys aren’t being memorized by a model somewhere in the cloud.