How It Works

The honest version, for the people who'd ask.

Decoy splits analytical work into two layers. The cloud plans. Your machine does the work. The data never leaves your device, and the maths is right because it never goes through a cloud model's arithmetic. This page walks through what each side does, what it sees, and what it doesn't. If something doesn't add up, write to us.

The Architecture

Two layers, not one.

Most privacy tools for AI strip your sensitive data, send the prompt to the cloud, and pass the answer back. Same architecture as before, with a redaction step bolted on. Decoy is different.

Decoy splits analytical work into two layers. The cloud is given a tokenised prompt and explicit instructions: do not compute. Return a structured plan describing the work that needs to be done, expressed as operations over the tokens you were given. The cloud's job is to think about the shape of the problem.

Your machine does the actual work. A local engine parses the plan, substitutes tokens for real values, and runs the operations against ground truth. Multiply, add, max, percentile, filter. The maths happens in your browser, deterministically, never in the cloud.

The cloud handles reasoning. Your machine handles arithmetic. Two layers, each doing what they're best at.

01LOCAL TOKENISER 02CLOUD PLANNER 03LOCAL EXECUTOR

The Full Flow

Eight steps. Four on your side. Four on theirs.

If you want the technical detail, here is what actually happens between you typing a question and seeing an answer.

This is how it works today. The MVP is a paste-based web app, which is honest but clunky. Post-MVP we're working toward a different shape: a paste shortcut, a browser extension, eventually OS-level integration so Decoy disappears into the workflow. The architecture stays the same. The surface gets quieter.

  1. 01
    You paste. Sensitive data and a question, dropped into Decoy in your browser. Nothing has left your machine.
  2. 02
    Decoy reads. A local NER model and a regex layer scan the text for names, organisations, identifiers, currency, dates, percentages. Everything sensitive gets flagged.
  3. 03
    Decoy dehydrates the data. Each flagged entity is replaced with a stable opaque token: [C_xxxx] for companies, [P_xxxx] for people, [N_xxxx] for numbers. The token-to-value mapping is held in your browser memory only.
  4. 04
    You confirm the mask. Decoy shows you what's about to be sent and what's been hidden. You can adjust either side before sending.
  5. 05
    The cloud plans. The tokenised prompt goes to your chosen LLM (Claude, GPT, Gemini, your API key, your choice) with strict instructions: do not compute, return a structured JSON plan composing operations against the literal tokens.
  6. 06
    The cloud returns the plan. A JSON document with a list of formulas, each one written as multiply([N_2201], [N_2202], 2) or similar. No real values. The cloud cannot reconstruct your data because it never had it.
  7. 07
    Decoy rehydrates and executes. A small deterministic engine in your browser parses the JSON, substitutes tokens for their real values from the in-memory map, and runs the operations. It can multiply, add, subtract, divide, max, min, average, percentile, compare, sort, filter. Anything outside that closed set, the engine refuses.
  8. 08
    You see the answer. Real values rehydrated. Each result shows its formula and inputs. You can audit every number back to the source row. When you end the session, the mapping is destroyed.

What The Cloud Sees

What the cloud sees. What the cloud returns. Neither contains your data.

The cloud gets a tokenised prompt and returns a JSON plan. No real values cross the network in either direction. Below is the exact exchange from the demo on the home page.

What you pasted
─────────────────────────────────
Acme Corp bought 4,200 units in Q3 at $89 per unit. Their account manager Sarah Chen reports they're considering doubling their order in Q4.

Forecast Q4 revenue per account, total Q4 revenue, and flag the highest-risk account if any one of them churned.
What the cloud saw
─────────────────────────────────
[C_8847] bought [N_2201] units in [P_03] at [N_2202] per unit. Their account manager [P_4419] reports they're considering doubling their order in [P_04].

Forecast [P_04] revenue per account, total [P_04] revenue, and flag the highest-risk account if any one of them churned.
What the cloud returned
─────────────────────────────────
{
  "forecasts": [
    {
      "account": "[C_8847]",
      "manager": "[P_4419]",
      "growth_assumption": "double in [P_04]",
      "formula": {
        "operation": "multiply",
        "operands": ["[N_2201]", "[N_2202]", 2]
      }
    },
    {
      "account": "[C_8848]",
      "manager": "[P_4420]",
      "growth_assumption": "flat in [P_04]",
      "formula": {
        "operation": "multiply",
        "operands": ["[N_2203]", "[N_2204]", 1]
      }
    },
    {
      "account": "[C_8849]",
      "manager": "[P_4421]",
      "growth_assumption": "+30% in [P_04]",
      "formula": {
        "operation": "multiply",
        "operands": ["[N_2205]", "[N_2206]", 1.3]
      }
    }
  ],
  "total": {
    "operation": "add",
    "operands": ["forecast[0]", "forecast[1]", "forecast[2]"]
  },
  "highest_risk": {
    "operation": "max_of_forecasts",
    "rationale": "[C_8848] [P_4420] flat [P_04]"
  }
}

The middle column is everything the cloud received. The right column is everything the cloud returned. There are no real values in either. The cloud cannot reconstruct your data because it never had it, and the cloud cannot answer the question because it was never asked to. It composed a plan. Your machine ran it.

What We Didn't Expect

The architecture makes Decoy more accurate than the cloud alone.

Because the cloud never does the arithmetic, the answer can't be wrong in the way LLM answers usually are. There's no hallucinated total, no confident misranking, no "this number sounds right" guess. The cloud composes a plan. Your machine runs it against real values. The answer is whatever the formula returns.

In our proof-of-concept test, the cloud's plan included a rationale field where it picked the highest-risk customer account. The cloud picked Beta Industries at $201,600, and missed that Acme Corp at $747,600 was the real exposure. The local executor caught it because it was running max_of_forecasts against the actual numbers, not against the cloud's guess.

Privacy was the goal. Better answers were the surprise. Both fall out of the same architecture.

What We Don't Do

Some things we want to be clear about.

We don't run a server in the data path. Decoy is a static web app. There is no Decoy backend that sees your prompts, your API key, or your data. We literally couldn't read your data if we wanted to, there's no place we'd read it from.

We don't store anything between sessions by default. The mapping between tokens and real values is held in your browser's memory and destroyed when you close the tab or end the session. Optional opt-in session resume uses your browser's IndexedDB only, never our servers, because we don't have any.

We don't intermediate your LLM provider. You bring your own API key. Your prompts go directly to Anthropic, OpenAI, or Google. Their privacy policy applies, not ours.

We don't see your usage. No analytics, no telemetry, no tracking pixels. We don't know what tasks you reach for Decoy on, who you are, or how often you use it. If you tell us, we'll know. If you don't, we won't.

We don't claim to solve every privacy problem. If your industry requires data residency, formal certification, audit logging, or specific frameworks like IRAP, the v1 web app is not the right shape for that yet. Talk to us. We're building toward it, and you might be the first one we build it with.

Open Questions

Things we're still working on.

Magnitude leakage. A very large number can be identifying even when tokenised. "$400M revenue from a Sydney audio company" maps to one company. We have an opt-in bucketing mode in development for high-sensitivity tasks. Right now you should know it exists as a consideration.

Free-text generation. The planning + execution split fits analytical tasks. It doesn't fit "write me an email about [C_8847]." We're not solving that with Decoy in v1. There may be a different shape of product for it later.

Schema robustness. The cloud model occasionally returns a malformed JSON plan. Decoy retries with a tighter prompt and falls back to a human-readable plan if that fails. This is rare but it happens. We log it locally and we're improving it.

Operation coverage. The closed set (multiply, add, max, percentile, filter, etc.) covers most spreadsheet-like work. It doesn't cover advanced statistics, ML-style operations, or anything requiring custom code. We add primitives as new patterns emerge from real use.

Regulated Industries

We're building toward enterprise. We're not there yet.

Decoy v1 is a single-user web app. It is not currently SOC 2, ISO 27001, IRAP, or HIPAA assessed. It does not yet offer the audit logging, admin controls, or data residency guarantees that procurement teams in finance, healthcare, defence, and government need.

We're building toward all of that. The architecture supports it. The certifications take time and money. The bigger picture is what comes after: Decoy as the layer that lets agent stacks, AI platforms, and internal copilots work on data they currently can't touch. Frontier reasoning, available to organisations that today have to say no.

If you work somewhere where those things are required, or if you're building the kind of platform that needs a privacy layer to ship into regulated environments, we'd genuinely like to hear from you.

Tell us about your team ›

If Something's Off

Write to us.

If you've read this page and you've spotted a hole in our reasoning, an architecture concern, a privacy claim that doesn't quite hold, or just a question we should be answering and aren't, tell us. We'd rather have the conversation than have you wonder.

[email protected]