Technology That Respects the Complexity and Potential of Data
Managing data means balancing protection with performance across teams, systems, and partners—without compromising either.
Karlsgate ensures your data stays protected while remaining ready for use across your workflows.
Our solution starts with our free, self-sovereign de-identification. From there, it scales into privacy-preserving workflows that protect data without limiting its use.
At the foundation is our self-sovereign de-identification process, which we call a Cryptonym, created using two simple command lines in our KIE Node. It transforms sensitive identifiers into protected values—a standard that keeps you in control.
To make that protected data usable, we built the Karlsgate Identity Exchange (KIE), a no-code user portal with powerful tools for secure data collaboration and integration:
- KIE Collaboration enables privacy-preserving matching and data joins across partners.
- KIE Integration powers downstream workflows, connecting analytics tools, systems, and services without reintroducing risk.
Here’s how it works and why it changes everything...
Cryptonym Creation – Start with Deidentification
Self-Sovereign De-Identification That Puts You in Control
Most de-identification comes with tradeoffs such as rigid processes, disconnected data, or limited collaboration.
Karlsgate’s Cryptonym changes that. It allows you to generate de-identified values locally, using your own keys, in your own environment. These local cryptonyms are never shared and never leave your control.
Your sensitive data stays protected while your Cryptonyms remain usable for secure, privacy-preserving linkage.
This isn’t just another pseudonymization technique. It’s a self-sovereign, privacy-enhancing transformation that turns sensitive data into Protected Data by:
- supporting individual and composite identifiers
- preventing cross-dataset linkage attacks by storing values only in a localized keyspace (unlike standard hashing, each location scrambles stored identifiers differently)
- enabling collaboration without reintroducing identifiable data or requiring your partner to de-identify on their side.
Want to try it yourself?
Create your own Cryptonyms using the KIE Node
Get hands-on with self-sovereign de-identification—free, open, and secure.
What kinds of identifiers are supported?
Karlsgate’s Cryptonym process works with any type of identifier: email addresses, households, phone numbers, loyalty IDs, device IDs, composite keys. There are 66 built-in identifier tags and custom tags to handle anything you want.
What’s the difference between a Cryptonym and a hash?
A hash is a deterministic scrambled code. Given the same input, a hash will always return the same output. That makes it vulnerable to reverse engineering and linkage attacks. A Cryptonym, by contrast, is generated using a secure, local key and is never reused or shared. It keeps your keys completely unique and prevents re-identification by any third party.
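To make the distinction concrete, here is an added example (not Karlsgate's code and not its Cryptonym algorithm) that uses HMAC-SHA3-256 under a per-site secret key as a stand-in for a locally keyed transformation. The function names, the tag prefix and the sample addresses are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def normalize_email(value: str) -> str:
    """Minimal normalization so formatting differences do not change the output."""
    return value.strip().lower()


def plain_hash(identifier: str) -> str:
    """Unkeyed SHA-256: anyone, anywhere, derives the same value from the same input."""
    return hashlib.sha256(normalize_email(identifier).encode()).hexdigest()


def keyed_pseudonym(local_key: bytes, tag: str, identifier: str) -> str:
    """Keyed stand-in: the output depends on a secret that never leaves the site.

    The tag (for example "email") is bound into the message so that the same
    string used as two different identifier types yields different values.
    """
    message = tag.encode() + b"\x00" + normalize_email(identifier).encode()
    return hmac.new(local_key, message, hashlib.sha3_256).hexdigest()


def overlap(left, right) -> int:
    """Number of stored values two datasets have in common."""
    return len(set(left) & set(right))


# Constructed sample data: two organisations holding partly the same people.
SITE_A = ["alice@example.com", "bob@example.com", "carol@example.com"]
SITE_B = ["Bob@Example.com ", "carol@example.com", "dave@example.com"]


def compare_sites():
    key_a = secrets.token_bytes(32)  # generated and kept at site A
    key_b = secrets.token_bytes(32)  # generated and kept at site B
    hashed = overlap([plain_hash(x) for x in SITE_A],
                     [plain_hash(x) for x in SITE_B])
    keyed = overlap([keyed_pseudonym(key_a, "email", x) for x in SITE_A],
                    [keyed_pseudonym(key_b, "email", x) for x in SITE_B])
    # Within one site the keyed value is still stable, so local joins keep working.
    stable = (keyed_pseudonym(key_a, "email", "bob@example.com")
              == keyed_pseudonym(key_a, "email", " BOB@example.com"))
    return hashed, keyed, stable
```

With plain hashes the two stored datasets can be joined by anyone who obtains both (two shared values here); with per-site keys the stored values have nothing in common, so linkage has to go through a deliberate matching protocol.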
How does Karlsgate’s approach to Cryptonym creation deliver maximum match quality?
Karlsgate’s approach delivers high-fidelity, research-grade matching by automatically generating composite match keys—smart combinations of multiple attributes designed for precision.
Unlike common token-based systems that rely on limited or broad match keys that are often optimized for marketing use cases, Karlsgate’s method prioritizes accuracy and consistency across systems and organizations. The result: more precise matches, fewer false positives, and higher trust in the results.
Each Cryptonym is locally generated and use-case specific, supporting deterministic linkage without persistent identifiers or re-identification risk.
Why do other de-ID methods limit collaboration?
Most de-identification solutions rely on shared keys, central servers, or static pseudonyms, forcing all data partners to transform data the same way. If even one partner deviates, linkage fails. Karlsgate solves this by enabling secure, local transformation that’s still fully matchable through Karlsgate’s KIE Collaboration protocols.
Can I re-identify if needed?
Yes. Karlsgate enables controlled re-identification through secure matching. This occurs by matching Cryptonym-based files back to the original identifiable data using Karlsgate’s KIE Collaboration tool. This process never reverses the transformation or exposes sensitive data.
KIE Collaboration – Connecting without Exposing
Collaborate on Data Without Ever Sharing Identifying Information
With KIE Collaboration, you can securely match and compare data across partners without sharing personal identifiers, hashes, or pseudonyms. Cryptonyms remain within your environment and are never transmitted.
Matching is automated and secure. Data assets are catalogued, not uploaded, either by AI-powered auto-detection or by explicit tagging. KIE handles:
- File format detection
- Field recognition and semantics
- Normalization and standardization
- Composite match key creation
KIE identifies shared keys, flags gaps, and guides both parties through cascade matches without exposing source data.
Want to see it in action?
Run a partner match without sharing any identifying data
Try our Self-Guided KIE Collaboration POC.
Can I collaborate with a partner who isn’t already using Karlsgate?
Yes. Only one party needs a paid KIE subscription. The partner can create a free Karlsgate account and deploy a node or provide access via SFTP or a permissioned cloud bucket.
Can I link data with partners who use different formats or identifiers?
Yes. Karlsgate Collaboration is built to handle real-world variability. Our platform automatically detects formats, recognizes field semantics, and standardizes data. It identifies available match keys, flags mismatches, and recommends a matching cascade. As long as you and your partner have at least one overlapping identifier, KIE will detect common match keys and guide you through building a secure matching cascade. You never need to synchronize your formats—the protocol translates to and from your native formats.
Will my partner ever see my sensitive data?
No. Identifiers and Cryptonyms are never shared or exposed. Matching occurs within a triple-blind, streaming protocol without revealing any source data. Even Karlsgate never gains access to your data at any point in the workflow. Zero-trust methodology means never needing to depend on anyone else to protect your data.
What happens to the match results?
KIE Collaboration gives you control over what each partner receives for every transaction. Options include:
- No data shared (overlap metrics only)
- Flagging matched records
- Sharing non-identifiable attributes
- Creating anonymized matched files for analysis
KIE Integration – Deliver with Precision, Protect Every Step
Send or Receive Data Without Ever Exposing Data Subjects’ Identities
KIE Integration lets you or your partners push or pull selected data across environments without exchanging clear text, persistent pseudonyms, or secret keys.
Each trade begins with a listing in the KIE portal that represents a catalogued file in your environment. From there, you simply choose the identifiers and attributes to include in the trade. The KIE node replaces identifiers with transitional Cryptonyms (single-use values) and encrypts the remaining attributes.
The data packets are sent to the recipient's node, where identifiers are rewrapped using their own local key. The encrypted attributes are decrypted using a negotiated shared secret. No raw identifiers, persistent keys, or re-identifiable tokens ever cross systems.
This ensures:
- No raw or reusable pseudonyms are transmitted
- No local keys are exposed or shared during transit
- No common identifiers are stored across environments
KIE Integration provides zero-exposure delivery without sacrificing control.
Want to try a secure trade?
Push or pull a data file with full control and no exposure.
Can I use Integration even if I’m not using KIE Collaboration?
Yes. KIE Integration delivers protected data between environments, independent of matching steps.
Are identifiers ever exposed during a push or pull?
No. Identifiers are replaced with transitional Cryptonyms and rewrapped with local encryption. No clear text or persistent pseudonyms ever leave your environment.
What encryption is used?
Karlsgate supports industry-standard, FIPS-compliant encryption methods, including post-quantum options. User-selectable options include ECDH, X25519, ML-KEM, SHA-3, KMAC256, AES-256-GCM, and ChaCha20Poly1305. The plug-in architecture ensures that the protection keeps up with evolving threats.
What prevents re-identification if there’s a breach?
No identifiable data is present in transit. All identifiers are salted and wrapped using single-use transit encryption. No secret keys are ever shared, so all transmitted data stays secure.
Our Approach
At the core of our solutions lies a groundbreaking concept: Partitioned Knowledge Orchestration, a form of Secure Multi-Party Computation (SMPC). This approach intentionally fragments complete information that could potentially lead to identification or re-identification of shared information. Achieved through meticulous orchestration of a cryptographic transaction involving at least three independent actors, the result is a zero-trust mechanism to share insights between parties with no data engineering effort beyond a one-time setup.
Karlsgate Identity Exchange (KIE™) combines privacy-enhancing technology (PET) and our secure data transmission automation technology to make a robust data connectivity solution that meets the challenges of the modern privacy environment. The cryptography used is not a black box or obscure algorithm. In fact, the cryptographic algorithms are configurable per trade simply by selecting among the listed FIPS 140-2 compliant hashing and encryption algorithms, including post-quantum cryptography options such as ML-KEM.
This approach results in a no-code, automatable solution where sharing insights never requires loss of control of data.
For more detailed insights into our Partitioned Knowledge Orchestration technology and how it exceeds alternatives on the basis of retained control and scalability, check out our whitepaper.

Frequently Asked Questions
How long does it take to process a trade?
It depends on the size of the files and the number of match passes and attributes appended. In general, 1 million records can be processed in 11 seconds (simple match pass) whilst 100 million records with 10 match passes and 600+ attributes appended would be processed in less than 18 hours.
Does Karlsgate do fuzzy matching?
We define fuzzy matching as loose matching rules based on probabilities. Our matching is fully deterministic—you will always have clarity over a match versus a non-match. To ensure that all potential matches are found, our software performs “soft matching,” or matching on equivalent alternatives, for example, “1 MAIN ST. APT. 2” = “1 Main Street #2”. Soft matching does not need direct access to PII to work and automatically rectifies differences in standardization, whitespace, punctuation, abbreviations, and phonetically similar words.
How does Karlsgate optimize matching to ensure high-quality match rates?
While the ultimate matching is deterministic due to the nature of the cryptoidentities being matched, Karlsgate’s node software performs robust data normalization and standardization processes to align identifying data elements prior to creating the cryptoidentities, which boosts match rates without over-matching.
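The normalize-then-key order described in the two answers above can be sketched as follows. This is an added example, not Karlsgate's node software: the abbreviation table, the function names and the fixed demo key are assumptions, HMAC-SHA3-256 stands in for the keyed transformation, and phonetic equivalence is left out.

```python
import hashlib
import hmac
import re
import unicodedata

# Illustrative abbreviation table (an assumption; a real standardizer is far larger).
CANONICAL_TOKENS = {
    "street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
    "boulevard": "blvd", "apartment": "apt", "suite": "ste",
}


def canonical_address(raw: str) -> str:
    """Reduce an address to one canonical spelling before any keying happens."""
    text = unicodedata.normalize("NFKC", raw).lower()
    text = text.replace("#", " apt ")        # "#2" and "apt 2" are the same unit
    text = re.sub(r"[^a-z0-9]+", " ", text)  # drop punctuation (ASCII-only simplification)
    # split() collapses whitespace runs; the table folds long forms to abbreviations
    return " ".join(CANONICAL_TOKENS.get(tok, tok) for tok in text.split())


def match_key(local_key: bytes, raw_address: str) -> str:
    """Keyed value computed over the canonical form, never over the raw string."""
    canon = canonical_address(raw_address).encode()
    return hmac.new(local_key, b"address\x00" + canon, hashlib.sha3_256).hexdigest()


def is_match(local_key: bytes, left: str, right: str) -> bool:
    """Deterministic comparison: equal keyed values or no match, nothing in between."""
    return hmac.compare_digest(match_key(local_key, left),
                               match_key(local_key, right))


DEMO_KEY = bytes(range(32))  # constructed fixed key so the demo is repeatable

if __name__ == "__main__":
    print(is_match(DEMO_KEY, "1 MAIN ST. APT. 2", "1 Main Street #2"))
    print(is_match(DEMO_KEY, "1 Main Street #2", "1 Main Street #3"))
```

Because equivalence is resolved before keying, the comparison itself stays an exact equality test, so a different unit number is a clean non-match rather than a near-match score.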
How many match passes can I use?
For a single trade, you can have up to 10 different match passes, cascading down.
Is the protection resistant to both classical and quantum computing attacks?
Yes. FIPS-compliant cryptographic algorithms are available for each exchange, ranging from traditional elliptic-curve Diffie–Hellman key exchange (e.g., X25519) to post-quantum module-lattice key encapsulation (e.g., ML-KEM-1024).