What does SOWA Privacy do?

SOWA Privacy is a Chrome extension that detects and replaces sensitive data in AI prompts locally – in your browser – before the prompt reaches ChatGPT, Claude, Gemini, or any other AI tool.

Is SOWA Privacy free?

Yes. The Starter plan is free forever and includes 30+ regex patterns, basic NER detection, and TXT file scanning. Pro (4.99 EUR per month), Business (7.99 EUR per user per month), and Enterprise (custom) unlock additional features.

Which AI tools does SOWA Privacy work with?

SOWA Privacy works with ChatGPT, Claude, Gemini, Microsoft Copilot, Grok, Perplexity, HuggingFace Chat, and any self-hosted OpenAI-compatible interface.

Is SOWA Privacy GDPR compliant?

SOWA Privacy is designed for GDPR compliance. All detection runs locally in the browser, no prompt data is transmitted to SOWA servers, and the source code is open-source under MIT license for full auditability.

Does SOWA Privacy send my data to any server?

No. Detection runs entirely in your browser using local regex, ONNX-based NER models, and optionally local LLMs. Only the placeholder-replaced prompt is forwarded to the AI provider you choose.

AI Privacy for industry & critical infrastructure

The risk: your IP in someone else's prompt window

Engineers, operators, and analysts reach for AI to debug a controller, summarise an incident, or draft a supplier email – and paste in exactly the things a company most needs to protect: design parameters, source code, plant data, contract terms, fault logs. Once that text leaves the browser, it sits on a third-party provider's infrastructure, outside your control.

For industrial firms that isn't a privacy footnote – it's the crown jewels. A single pasted specification can erode an advantage built over years, and trade-secret protection legally depends on having taken reasonable steps to keep the information confidential.

KRITIS & NIS2: a higher bar

Operators of critical infrastructure – energy, water, telecoms, transport, healthcare, finance, food – carry duties beyond ordinary firms. Germany's KRITIS regime and the EU-wide NIS2 directive require risk management, supply-chain security, and control over how operational data is handled.

Uncontrolled AI use cuts straight across that: pasting SCADA tags, network topology, asset registers, or incident detail into a public chatbot is an information-security event that's hard to square with NIS2 duties. SOWA Privacy keeps that operational data on the workstation, so staff can still use AI without widening the attack surface.

What SOWA detects

Three local layers run before anything is sent: regex for structured identifiers, an optional multilingual NER layer for names and organisations, and a user-managed blacklist for the terms unique to your operation.

Trade-secret markers

Words that flag confidential material.

confidentialtrade secretprototypepatent pendinginternal onlydo not distributeproprietary

Asset & OT data

Operational identifiers caught by custom regex.

asset IDPLC tagSCADApart numberserial no.plant codeline ID

Projects & partners

Caught contextually by the NER layer.

project codenamessupplier namescustomer namescontract valuevendor list

People & access

Identities and credentials.

employee IDsnamesAPI keyspasswordsaccess tokensVPN

Lock it down for OT and IT

No cloud round-trip

Detection runs entirely in the browser. The regex layer and blacklist need zero network; the optional NER model downloads once and then works fully offline – a fit for tightly controlled, segmented environments.

Open and auditable

The engine is open-source (MIT), so a security team can review it, run it in-house, and confirm exactly what leaves the endpoint – placeholders, not secrets.

Standardise per site

From Settings → Detection → Custom rules & lists, an admin can add asset-ID and part-number formats as custom regex, blacklist project codenames, and ship a .sowa.json rule set to every workstation on the plant.

SOWA Privacy is a privacy tool, not legal or compliance advice. Local anonymisation is a strong technical control, but each operator should map it to its own KRITIS/NIS2 risk assessment and information-security management system.

Try for free See how it works Read the security model