u/Thadec

▲ 1 r/SaaS

Feedback for my Project

Hey all,

as the title says, I need some input about the side business I am working on next to my day job. No advertisement in this post.

About me:

(EU based) Day job is enterprise consulting - focus on ITSM for large regulated companies (mostly). Around 10 years working in the IT industry. The project started around 3-4 months ago and I am a lot of hours into this project next to my job.

The pattern I noticed for a lot of customers: "We would love to use new tech like AI, but the compliance is a nightmare so we can't." Since this year, I am additionally hearing: "What about the EU AI Act? We don't want to start right now." I also experienced the issue first hand: Claude Code could speed up my work --> can't use it on customers' instances --> don't use it at all.

The rough concept:

A gateway/layer that sits between the company's apps and whichever LLM they use. It has 3 jobs:

Step 1: Sanitize prompts before they hit the LLM (replace names, emails, ids etc. with placeholders before the LLM sees them, restore them on the way back; user doesn't see a difference).

Step 2: Produce a cryptographically signed certificate for every call (auditor can prove later the model didn't see raw identity data and that the log wasn't edited).

Step 3: Work with whichever LLM the customer already picked -- fully self hosted for enterprise.

The whole architecture is more complex and has features like (custom trained sanitizer model per enterprise customer that assists the sanitisation layer).

What I want to understand is:

1. In your opinion, is it a real problem or a "me in my bubble problem"?

2. Does the idea speak to you in any way, or is it too difficult to understand?

3. Is the problem I am trying to solve clear?

Disclaimer: I posted a similar post already in a very small niche subreddit and got decent feedback.

Thank you so much for reading, any feedback appreciated!

Thadec

u/Thadec — 6 days ago

I need some feedback about AI Privacy / Compliance (0 Advertisement)

Disclaimer: There is no advertisement in this post nor on my profile.

Hey all,

I have been working for a couple of months on a product idea, and as I am getting close to the end of the MVP, I want to do a sanity check with people in the EU market before I push further, since I am no longer sure if the positioning is clear, or if I am only scratching my own itch. Just as an important note upfront, it works quite well already, but it is not flawless yet, and a lot more work will be needed to bring it to a real enterprise level.

For some context, I work full time as a process consultant in IT, and the idea was born from a simple frustration, namely that I would love to use tools like Claude Code in my day job, but cannot, because everything I touch lives on a customer's instance and the compliance risk is just too high. I am based in Europe, which is also the main target market initially, since the regulatory pressure here is heavier and only getting heavier.

The general idea, from an enterprise POV, is roughly the following: the customer gets the requirement configured into the gateway, which includes a Sanitizer Config (a classic regex filter plus one more "dumb layer") and a custom trained "small" local model, up to around 70B depending on the requirement. The architecture itself splits the data stream into 2 separate Kubernetes Clusters, where one stays on the customer side and is encrypted, and is connected only via a token to Cluster B, which is the part that actually sees the outgoing prompt.

Every single call produces a fully traceable and verifiable receipt, containing things like which detection layers fired, what was redacted, hashes, timestamps and a signature from each zone, so that external auditors can verify the receipt publicly with a public key, even years later, and even if my company would no longer exist (my company, not the customer's).

There are 2 approaches at the moment, solo dev and enterprise, both working on the same principle but with different shapes. For solo dev, the whole gateway is hosted by me on an EU compliant server hoster, while for enterprise, it is fully self hosted inside the customer's own environment, and each enterprise customer also gets their own detection model, custom trained on their requirement and on extrapolated fake data that is created from their actual data structure or test data. As a funny side story, I already had an involuntary pentest of the architecture, when I left a port open on my demo server, and some hackers found their way in, but were not able to leave one of the clusters and eventually left again. A free real world stress test, I guess.

It is really hard to compress the whole concept into a couple of paragraphs, so I clearly have to get better at that, but I hope it came across what I am trying to achieve. Target customers right now would be high compliance organisations based in Europe, or at least doing business in Europe, that face issues with the use of AI in their internal workflows, while on the solo dev side, I see mostly consultants or freelancers who deal with sensitive topics or compliance constraints in general.

There are two questions where I would really appreciate honest feedback. First, does what I described actually make sense, or do I really need to work on my product explanation? And second, does this sound like something useful in practice, or is it in the end just an over engineered redaction engine?

I never launched anything so far myself, and getting feedback from non-friends, especially in this space, feels almost impossible. Sorry if this still breaks rules, it feels almost impossible to get feedback on reddit these days towards product ideas.

Thank you so much for reading this!

Thadec

u/Thadec — 9 days ago
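
Added example, not part of either post and not the author's code: a minimal sketch of the two mechanisms both posts describe, reversible placeholder sanitization and a tamper-evident receipt per call. The regex patterns, field names and demo key are assumptions, and HMAC stands in for the public-key signature the posts mention (a receipt that outside auditors verify would use an asymmetric scheme such as Ed25519).

```python
import hashlib, hmac, json, re

DEMO_KEY = b"constructed-demo-key"  # assumption: stand-in for a zone's signing key
PATTERNS = {  # assumption: two illustrative detectors, not the product's rules
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ID": re.compile(r"\b[A-Z]{2,4}\d{6,}\b"),
}

def sanitize(prompt):
    """Swap detected values for placeholders; same value -> same placeholder."""
    mapping = {}  # placeholder -> raw value, never leaves the trusted side
    for label, rx in PATTERNS.items():
        def sub(m, label=label):
            for ph, raw in mapping.items():
                if raw == m.group(0):
                    return ph
            ph = f"<{label}_{len(mapping) + 1}>"
            mapping[ph] = m.group(0)
            return ph
        prompt = rx.sub(sub, prompt)
    return prompt, mapping

def restore(text, mapping):
    """Put raw values back into the model's reply."""
    for ph, raw in mapping.items():
        text = text.replace(ph, raw)
    return text

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def make_receipt(sent, mapping, prev):
    """Receipt binds the outgoing text and the previous receipt's hash."""
    body = {
        "prev": prev,
        "sent_sha256": hashlib.sha256(sent.encode()).hexdigest(),
        "layers_fired": sorted({ph[1:].split("_")[0] for ph in mapping}),
        "redactions": len(mapping),
    }
    body["sig"] = hmac.new(DEMO_KEY, digest(body).encode(), hashlib.sha256).hexdigest()
    return body

def verify_chain(receipts, prev="0" * 64):
    """False if any receipt was edited, reordered or dropped mid-chain."""
    for r in receipts:
        body = {k: v for k, v in r.items() if k != "sig"}
        good = hmac.new(DEMO_KEY, digest(body).encode(), hashlib.sha256).hexdigest()
        if r["prev"] != prev or not hmac.compare_digest(good, r["sig"]):
            return False
        prev = digest(r)
    return True
```

The receipt stores only a hash of the text that was actually sent, so an auditor holding the outgoing log can recompute it and rerun the detectors without the receipt itself carrying any raw identity data.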