Your sensitive data is already at risk.
57% of employees share sensitive data with AI
40% of files uploaded to AI contain PII or PCI
68% use AI via personal accounts your CASB cannot see
Why the current stack cannot help
Existing security tools were not built to catch this data at the edge:
CASB / Network
Sees: Encrypted traffic to chat.openai.com
Misses: What is inside the prompt
DLP
Sees: Files moving between apps
Misses: Prompt content typed in a browser
Endpoint Agent
Sees: Processes and system calls
Misses: What the human types into a chat window
What you get
Protection that runs where the data is.
01
Anonymization across PII, PCI, PHI, and IP
Every regulated data class, every category of business-critical information. When an employee types sensitive data into an AI tool, MagicMirror detects it and anonymizes it before it leaves the browser.
02
Works across every web-based AI tool
ChatGPT, Claude, Gemini, Copilot, Grok, Perplexity, NotebookLM, and the 500+ other AI tools we track. No vendor integrations required. No API waiting rooms. If an employee can type into it in a browser, MagicMirror can protect it.
03
Data never leaves the endpoint for inspection
Classification happens on the device, in the browser, after TLS decryption. No cloud round-trip. No third-party server inspecting your prompts. For HIPAA and EU AI Act environments, this is not a design choice. It is the control.
04
Triggered by policy, invisible to the user
When MagicMirror identifies sensitive data, based on your policy, our data protection acts in real time. The user either sees a transparent 'we anonymized this for you' receipt, or never knows an intervention happened at all. Protection without friction.
How it works
Classification on the endpoint.
Tokenization before the send.
STEP 01
Small Language Models classify every prompt, on the endpoint
Purpose-built Small Language Models run on the user's device. They classify each AI interaction in real time: what kind of data, how sensitive, what category.
STEP 02
Sensitive data is tokenized before the prompt leaves the browser
Detected data is replaced with format-preserving placeholders. A social security number becomes a structurally valid SSN; an email becomes a placeholder email. The prompt still works.
STEP 03
The AI receives usable context. The employee continues their work.
The AI tool gets a clean prompt; the employee sees a receipt of what was protected. No latency. No interruption. No data loss.
Architecture note
Powered by Small Language Models trained specifically for PII, PCI, PHI, and IP classification. No general-purpose LLMs in the critical path. Predictable latency. Predictable cost. Predictable accuracy.
Works across every AI tool your employees use.
Most data protection tools require AI vendors to cooperate. Ours does not. MagicMirror protects data in the browser, so any web-based AI tool your employees can use is covered automatically.

Your Security Stack
Identity
Okta, Microsoft Entra ID, Google Workspace
Endpoint Management
Jamf, Microsoft Intune, Kandji distribution

Browsers
Chrome, Microsoft Edge, Safari, Firefox
AI Systems
500+ AI tools, Chat & assistants, Embedded AI, Local agents & MCP
MagicMirror AI Security Platform
AI Data Protection
A strong AI program is safe and effective: visibility to see what's happening, controls to keep it secure, and measurement to prove it's working.

See it
AI Risk Monitoring
See every AI tool, account, and prompt used across your organization – both personal and enterprise logins. Real-time dashboards and proactive risk assessment by department, role, and risk level.

Control it
AI Policy Enforcement
Set rules for how AI gets used and accessed. Allow, guide, protect, or block and redirect, all on-device, in milliseconds.

Protect it
AI Data Protection (Marv)
Last-mile protection for PII, PCI, PHI, and IP. Marv detects and anonymizes sensitive data on-device, before it leaves. Specialized models for industry verticals like financial services, healthcare and legal.

Measure it
AI Insights
Measure AI productivity, proficiency, and adoption. The Insights Agent scores anonymized prompt sessions and surfaces patterns that drive ROI.
Customer proof
Data protection that regulated industries trust.
HIPAA-covered health systems, SOX-audited financial institutions, and global enterprises deploy MagicMirror to handle the data their other controls cannot see.
Customers & Partners
Frequently Asked
The compliance and architecture questions CISOs ask.
Does any prompt data leave our endpoints?
No. Classification runs on-device via Small Language Models. Anonymization happens in the browser before the prompt is sent to the AI tool. Only metadata and risk signals are sent to the MagicMirror server. The content of prompts never leaves the endpoint for inspection. This is the architectural commitment.
Can the AI still do useful work with anonymized data?
Yes. We use format-preserving anonymization: names become realistic placeholder names, numbers become valid-structured placeholder numbers, medical codes become structurally valid placeholder codes. The AI's output is just as useful; the only thing that changes is that your sensitive data is not in the prompt.
What about HIPAA, GDPR, CCPA, SOX, and EU AI Act?
Because prompt content never leaves your environment, there is no cross-border data transfer and no third-party data processor to include in a BAA. For HIPAA, GDPR, CCPA, SOX, and EU AI Act environments, this architecture is not incidental. It is the only viable approach. Full detail is on our Trust Center.
What's the accuracy of classification?
Our purpose-built Small Language Models significantly outperform general-purpose LLMs on narrow tasks like PII, PCI, PHI, and IP detection. Classification tuning is part of the design-partner onboarding process. False-positive rates and coverage can be validated during a short pilot before full deployment.
Can we add custom data classes?
Yes. Beyond the core PII, PCI, PHI, and IP categories, you can define custom classifications for your organization. Examples: internal project code names, deal-room terminology, specific regulated data types unique to your industry. Your custom classifications run on the same on-device engine as the defaults.
What if we already have DLP?
Your DLP sees file transfers and network traffic. It does not see what an employee is typing into a chat window in a browser or the content of the files. MagicMirror sits at exactly that layer, after TLS decryption and before the prompt leaves the page. Most customers run DLP and MagicMirror together; they cover different surface areas.
Does this need Policy Enforcement to work?
Not required, but it is how most customers deploy. Policy Enforcement decides what should trigger anonymization (by data class, by role, by tool). Data Protection executes the anonymization itself. You can run Data Protection with a default policy, but pairing it with Policy Enforcement gives you granular control over when and how it intervenes.
Stop worrying about data leaks before they happen.
Get started
See Marv anonymize sensitive data in real time, on your machine, before it reaches any AI tool. No commitment.
Questions? sales@magicmirror.team