Compliance¶
ASHA v0.4.2 - privacy tooling, not a certified compliance product.
What ASHA provides¶
- PII detection and masking before LLM calls
- Configurable fail-closed mode (
mode="strict") - Audit-friendly typed results (
ProcessResult.security, traces) - Local preprocessing without sending raw PII to cloud models (when self-hosted)
What ASHA does not provide¶
- Legal compliance certification (GDPR, HIPAA, SOC 2, etc.)
- Data processing agreements or audit reports
- Guaranteed detection of all PII in all locales
- Replacement for organizational privacy policies
Recommended practices¶
- Pin the version -
asha==0.4.2 - Use
mode="strict"for regulated paths where failure must block - Prefer
wrap_llm()overauto_patch()for scoped control - Log
result.degradedin balanced mode - indicates fallback was used - Review mask formats -
[EMAIL_HASH]_*tokens, not reversible by default - Combine with org controls - access policies, retention, DPA with LLM vendor
Reversible masking¶
Only enable when you have a documented need to restore values in LLM output:
from asha.core.policy_config import PolicyConfig
sanitize(prompt, policy=PolicyConfig(reversible=True))
Store masking_map securely - it can reverse pseudonymization.
Data residency¶
process() and sanitize() run locally. LLM calls via Agent or wrap_llm send processed prompts to the provider you configure.