Privacy mode: your data never leaves your browser
If you paste your own OpenAI or Anthropic API key, EDI-X12 calls the AI directly from your browser. Our server is bypassed entirely.
The two modes
Default mode (server-routed)
EDI text is sent from your browser to edix12.cleardata.app/api/assistant.php. The server forwards it to OpenAI or Anthropic using our API keys, then returns the response. Server-side logging records the request timestamp, transaction type, and prompt character count — but not the EDI payload itself.
Privacy mode (BYO key)
You paste your own OpenAI or Anthropic API key into the in-app key drawer. The key is stored in your browser's localStorage only. When you click Validate or Explain, the JavaScript calls https://api.openai.com or https://api.anthropic.com directly. Our server is not involved.
Why this matters
- Compliance. Some retailers (especially in regulated industries) have data-residency or third-party-processor restrictions. Privacy mode keeps the EDI payload between you and the AI provider.
- Volume. If you're running hundreds of explanations a day, our free quota will gate you. BYO key removes the quota.
- Audit trail. AI provider logs are visible in your own OpenAI / Anthropic dashboard. You can see exactly what was sent.
What we log in privacy mode
- That a request happened (timestamp, anonymous ID, "byo": true). Used for usage statistics, never linked to content.
- Nothing about the EDI payload, the prompt, or the AI response.
- Your API key is never sent to our server. It is stored in your browser localStorage and read only by the in-page JavaScript when calling the provider.
What the AI provider sees
OpenAI and Anthropic both log API calls under your account. By default they may use logs for abuse monitoring. Both offer enterprise / zero-retention modes if you require them. EDI-X12 doesn't influence those settings — they're between you and the provider.
How to enable privacy mode
- Get an API key from OpenAI or Anthropic.
- Open EDI-X12, click the account button, then "Use my own API key."
- Paste the key. Pick the provider.
- The privacy chip in the UI turns green. Every AI call now bypasses our server.
What we still don't recommend pasting
Even in privacy mode, your data still leaves your machine to reach OpenAI / Anthropic. Don't paste:
- Protected health information (PHI). Healthcare EDI is blocked at the application layer regardless of mode.
- Live API secrets, payment data, or SSNs.
- Anything covered by an NDA that prohibits AI provider transmission.
Threat model
- Attacker on your network — TLS protects the request to OpenAI/Anthropic. EDI-X12 doesn't see it either way.
- Attacker on EDI-X12 infrastructure — In privacy mode, there's no payload on our infra to compromise.
- Browser compromise — A compromised browser can read localStorage. Don't store keys on shared machines.
Get a key from your AI provider, paste it once, and your EDI files stop traversing our servers.
Open the validator