Self-Hosted · Open Deployment

Stop AI data leaks before they leave your perimeter.

BitDrip intercepts everything your team sends to ChatGPT, Claude, Gemini and other LLMs — blocking PII, credentials, PHI and proprietary data in real time. Runs entirely in your infrastructure. No cloud. No trust required.

SHA-256: a3f8c2d1e9b4720f3c8a5d6e1b2f9c4d  · 142 MB
Designed to support compliance with GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, CCPA
YOUR DATA STAYS YOURS.
Average deploy time: < 5 min
Compliance frameworks: 6
Detection categories: 15+
Uptime SLA: 99.9%
Why BitDrip

Built for enterprise security teams

Three capabilities that make BitDrip the right choice for organisations that take data privacy seriously.

🛡
Real-time Protection

Intercepts every prompt sent to ChatGPT, Claude, Gemini and other LLMs. Detects and blocks PII, PHI, payment card data, API keys, passwords, and proprietary content before it leaves your network.

🔒
Zero Cloud Dependency

Runs entirely in your infrastructure via a single Docker Compose file. No data ever touches an external server. Your team's AI usage stays inside your perimeter — always.

📋
Compliance & Audit

Built-in profiles for GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001 and CCPA. Every policy evaluation is cryptographically signed and immutably logged for auditors and regulators.

Security-first architecture

Built against industry standards. Every control is implemented in code and documented.

A01 Broken Access Control: JWT RBAC with 4 roles. Org-scoped data isolation on every query.
A02 Cryptographic Failures: AES-256 at rest, TLS 1.3 in transit, ed25519 license signing.
A03 Injection: TypeORM parameterized queries. Zod input validation. XSS sanitization.
A04 Insecure Design: Privacy-by-design. AI content never stored — SHA-256 hashes only.
A05 Security Misconfiguration: Helmet.js (HSTS, CSP, X-Frame-Options). CORS allowlisting. No default credentials.
A06 Vulnerable Components: 0 npm audit vulnerabilities. Dependabot enabled. npm ci in all builds.
A07 Auth Failures: JWT expiry enforced. bcrypt + per-user salt. Keycloak MFA available.
A08 Integrity Failures: SHA-256 installer checksums. ed25519-signed license JWTs. Pinned lock files.
A09 Logging Failures: Immutable audit log, 90-day retention, structured JSON, SIEM-ready.
A10 SSRF: No external URL fetching from user content. Outbound connections allowlisted.

Zero Trust Data Flow

AI content is never stored. SHA-256 hashing means violations are auditable without retaining sensitive data.

Cryptographic Verification

Every installer bundle is published with a SHA-256 checksum. License JWTs use ed25519 — the same algorithm that secures SSH keys.

Self-Hosted by Design

Your data never leaves your infrastructure. No phone-home analytics, no cloud dependency for policy decisions.


Controls are implemented in code and documented.

Getting Started

From zero to protected in minutes

Register once, deploy anywhere. No cloud accounts, no agents to manage.

1. Register: Create your account and choose a plan. Receive your signed license file by email.
2. Download: Download the installer bundle. Verify the SHA-256 checksum. Extract and review.
3. Deploy: Run ./install.sh then docker compose up -d. Live in under 5 minutes.
4. Protect: Configure policies in the dashboard. Point your team's AI tools at the gateway. Done.
1. Install & Launch
Prerequisites: Docker 24+ (or Podman 4+) and Docker Compose.
# Linux / macOS
curl -fsSL https://bitdrip.app/install | bash
# Windows (PowerShell as Administrator)
irm https://bitdrip.app/install.ps1 | iex
  1. Place your license.jwt in the same directory as the extracted bundle.
  2. Run the installer: ./install.sh — it generates a secure .env file.
  3. Start all services: docker compose up -d
  4. Verify: docker compose ps — all five containers should show healthy.
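The "Verify the SHA-256 checksum" step above, as an added example that is not part of BitDrip's bundle or scripts: a gate that runs a command (extract, install) only when the downloaded file matches the published digest. The helper names sha256_of, verify_bundle and run_if_verified, the file name and the digest placeholder are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example (not BitDrip's code): refuse to extract or run a downloaded
# bundle unless its SHA-256 matches the digest published for that release.

# Print the hex SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then   # macOS
    shasum -a 256 < "$1" | awk '{print $1}'
  else
    return 127
  fi
}

# verify_bundle FILE EXPECTED_HEX
# Returns 0 match, 1 mismatch, 2 malformed digest, 3 unreadable file, 4 no tool.
verify_bundle() {
  local file=$1 expected actual
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  # A SHA-256 digest is exactly 64 hex characters. A shortened value is
  # rejected outright and never compared as a prefix.
  case $expected in
    ''|*[!0-9a-f]*) return 2 ;;
  esac
  [ "${#expected}" -eq 64 ] || return 2
  [ -f "$file" ] && [ -r "$file" ] || return 3
  actual=$(sha256_of "$file") || return 4
  [ -n "$actual" ] || return 4
  [ "$actual" = "$expected" ] || return 1
}

# run_if_verified FILE EXPECTED_HEX COMMAND [ARGS...]
# Runs COMMAND only after FILE has passed verify_bundle.
run_if_verified() {
  local file=$1 expected=$2 rc=0
  shift 2
  verify_bundle "$file" "$expected" || rc=$?
  if [ "$rc" -ne 0 ]; then
    echo "refusing to continue: checksum check failed (code $rc)" >&2
    return "$rc"
  fi
  "$@"
}

# Usage (file name and digest are placeholders):
#   run_if_verified ./bundle.tar.gz "<64-hex digest>" tar -xzf ./bundle.tar.gz
```

A digest read from the same site that served the bundle detects corruption and accidental substitution, not a compromised download server, so compare it against a copy obtained over a separate channel where one is available.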
2. Log In to the Dashboard
Open http://<your-server>:3000 in a browser.
  1. Sign in with the admin credentials set during installation (see .env: ADMIN_EMAIL / ADMIN_PASSWORD).
  2. You land on the Dashboard overview: system health, recent policy events, compliance posture.
  3. Navigate via the left sidebar: Policies, Users, Compliance, Analytics, Audit Logs, Settings.
# Default local URL
http://localhost:3000
3. Configure Privacy Policies
Go to Policies in the sidebar.
  1. Select a compliance profile (GDPR, HIPAA, PCI DSS, SOC 2, ISO 27001, CCPA) to load baseline rules automatically.
  2. Review each rule — it shows the data category (PII, PHI, credentials) and action: Block, Warn, or Log.
  3. Toggle rules on/off or change their action without restarting services.
  4. Add custom rules for organisation-specific patterns: project names, internal IDs, proprietary formats.
  5. Set the risk Block threshold (default 0.8) and Warn threshold (default 0.5) in Settings → Risk.
4. Route AI Traffic Through the Gateway
The API Gateway runs on port 3002 and proxies requests to any AI service.
# Set in your AI client or environment
OPENAI_BASE_URL=http://<server>:3002/openai
ANTHROPIC_BASE_URL=http://<server>:3002/anthropic
  1. Browser extension: install from the bundle, point it at http://<server>:3002.
  2. SDK integration: set the base URL environment variable above in your application.
  3. Proxy mode: forward api.openai.com traffic to <server>:3002 via firewall or proxy.
  4. Test: prompts containing PII should return 403 Blocked.
5. Invite Your Team
Go to Users in the sidebar.
  1. Click Invite User — enter their email, choose a role: Admin, Analyst, or Viewer.
  2. They receive an email with a one-time setup link.
  3. For SSO, go to Settings → Identity and connect Keycloak to LDAP, Active Directory, or your SAML provider.
  4. Assign users to groups and apply group-level policy overrides.
6. Review Audit Logs & Reports
Go to Audit Logs in the sidebar.
  1. Every policy evaluation is cryptographically signed — tamper-evident by design.
  2. Filter by user, date range, action (blocked / warned / allowed), or data category.
  3. Go to Compliance to run a framework report mapping violations to specific GDPR articles, HIPAA safeguards, PCI requirements.
  4. Export reports as PDF or CSV for auditors from the Compliance page.
# Live log stream from the terminal
docker compose logs -f policy-engine
Tips & Troubleshooting
Service won't start? Check that license.jwt is in the install directory and the current date is within the license window. Run docker compose logs policy-engine for the exact error.
Everything is being blocked? Lower the block threshold in Settings → Risk, or switch policies to Warn mode first to observe traffic before enforcing blocks.
Policy evaluation is slow? Redis is the caching layer — confirm it's healthy with docker compose ps redis. Scale the policy engine with docker compose up --scale policy-engine=2.
Lost admin password? Reset via: docker compose exec policy-engine node dist/scripts/reset-password.js admin@example.com NewP@ssw0rd!
Upgrading BitDrip? Pull the new bundle, run ./install.sh again (preserves .env), then docker compose pull && docker compose up -d.
Need help? Email support@anchorcybersecurity.com or open a ticket at GitHub Issues.
Ready to stop the leaks?
Register free, download the installer and have BitDrip running in your environment today. Community tier covers up to 10 users with full policy enforcement and audit logging.
Linux x86_64 · Linux arm64 · macOS · Windows (WSL2) · Docker · Podman
Latest: v1.0.0 ·  Released: 2026-05-19 ·  SHA-256: a3f8c2d1e9b4720f3c8a5d6e1b2f9c4d7a8e3b1f6c2d9e4a7b8f1c3d6e9a2b5