Skip to main content

Format-/structure-preserving tokenization for JSON payloads (Spark/Glue friendly).

Project description

OpenPII Vault

Privacy-first tokenization and vaulting for modern data pipelines.
OpenPII Vault makes it easy to de-identify, tokenize, and vault PII at ingestion — not at the end of your data lifecycle — so analytics, AI, and compliance teams can safely collaborate on secure, privacy-preserving datasets.

CI License Python PyPI

Author: Shobha Sethuraman (shobha.sethuraman@gmail.com)


💡 Why OpenPII Vault?

OpenPII Vault helps data teams handle Personally Identifiable Information (PII) responsibly — without slowing down analytics or product velocity.

Instead of keeping sensitive data in its raw form until the end of its lifecycle, OpenPII Vault lets you de-identify at the source, ensuring:

  • 🔒 Privacy by design — PII is tokenized or vaulted immediately upon collection.
  • Analytics-ready — Deterministic tokenization preserves joins, counts, and correlations.
  • 🧠 LLM-safe data sharing — large datasets can be scanned and trained on without privacy risk.
  • 🧩 Vaulted reversibility — selectively re-identify authorized data for operations or compliance.
  • 🧰 Plug-and-play integration — works with AWS Glue, PySpark, and Iceberg tables.
  • 🪶 Lightweight — pure Python, easy to deploy in ETL or streaming contexts.

🚀 Quickstart

Install:

pip install openpii-vault

Tokenize a JSON record (for example, from a DynamoDB CDC event):

from openpii_vault.tokenize_cdc_df import tokenize_json_str

json_record = {
    "subject_id": "user123",
    "email": "alice@example.com",
    "phones": ["+1-555-111-2222"],
    "address": {"street": "123 Main St", "city": "Denver"},
}

pii_paths = {
    "email": "$.email",
    "phone": "$.phones[*]",
    "address": "$.address.street",
}

tokenized, vault_rows = tokenize_json_str(
    json_str=json_record,
    pii_paths=pii_paths,
    subject_id="user123",
    product_id="checkout",
)

print(tokenized)
print(vault_rows)

🧩 Example: AWS Glue / Iceberg Integration

Below is an example AWS Glue job that reads DynamoDB CDC JSONs from S3, tokenizes PII in-place, and writes to Iceberg for long-term analytics storage:

from pyspark.sql import SparkSession
from openpii_vault.spark_udf import tokenize_pii_udf

spark = SparkSession.builder.appName("tokenize-cdc").getOrCreate()

raw_df = spark.read.json("s3://my-landing-zone/dynamodb/checkout_events/")

pii_config = {
    "email": "$.contact.email",
    "phone": "$.contact.phones[*]",
    "name": "$.user.name",
}

tokenized_df = raw_df.withColumn("data", tokenize_pii_udf("data", pii_config))

(
    tokenized_df.writeTo("glue_catalog.raw_persistent.checkout_events")
    .option("partitioning", "date, subject_id")
    .tableProperty("format", "iceberg")
    .append()
)

🧱 Architecture (at a glance)

[ Ingestion (CDC from DynamoDB) ]
           ↓
 [ Tokenization + Vaulting (Glue Job) ]
           ↓
 [ Iceberg  (PII-free) Zone ]
           ↓
 [ Analytics & AI Use Cases ]
           ↓
 [ Optional Vault (for reversible lookups) ]

📜 License

Copyright (c) 2025 Shobha Sethuraman

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

🌍 Roadmap

  • ✅ In-place tokenization for JSON / nested PII paths
  • 🚧 KMS envelope encryption adapter
  • 🚧 Multi-product subject-level consent management
  • 🧪 Spark streaming and Kafka integration
  • 🧩 dbt / Cube.js metric store plugin

🤝 Contributing

Contributions are welcome!
See CONTRIBUTING.md for setup, testing, and PR guidelines.
If you discover a security issue, please see SECURITY.md.


🌐 Links

License

Licensed under the Apache License, Version 2.0 (Apache-2.0).

  • Copyright (c) 2025 Shobha Sethuraman
  • SPDX-License-Identifier: Apache-2.0

See the LICENSE file for the full text of the license.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

openpii_vault-0.1.0.tar.gz (27.1 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

openpii_vault-0.1.0-py3-none-any.whl (25.9 kB view details)

Uploaded Python 3

File details

Details for the file openpii_vault-0.1.0.tar.gz.

File metadata

  • Download URL: openpii_vault-0.1.0.tar.gz
  • Upload date:
  • Size: 27.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.12

File hashes

Hashes for openpii_vault-0.1.0.tar.gz
Algorithm Hash digest
SHA256 e91ce3bf25fc14df5ee8b02ee962dd6da77323aed82f60463d58fdcaafcf3051
MD5 60dcb4c8a0a061051fcb4abc4774379f
BLAKE2b-256 ee0db3357b8017e5eed560ced26e114a986e430886e88bde967dc36718543f36

See more details on using hashes here.

File details

Details for the file openpii_vault-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: openpii_vault-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 25.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.12

File hashes

Hashes for openpii_vault-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 a0eae3fef2aa1154297f949cd6b0d8ee9fb11ae0eaf9e1646d463c6ecf2833eb
MD5 f7ef52b12a18c2c2c3651587f1a37741
BLAKE2b-256 25f8dac88e6d118ca51a68a56ec2aab05d346525da1d27c9742b1a440c0c5b5e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page