Question
Design a PII-tokenization and data-masking service that lets a large org store and process sensitive data (SSNs, card numbers, emails) without raw PII spreading across hundreds of downstream systems. Applications exchange real values for tokens at the boundary; only authorized services can detokenize. It must handle 100k tokenize/detokenize ops/sec at p99 under 25ms, preserve format (a tokenized card must still pass a Luhn-shaped check for legacy systems), and shrink PCI/PII compliance scope. Cover the token vault, the detokenization access model, and the security/operability trade-off.
Clarify scale and constraints first. Propose a clean component breakdown, then go deep on the hard parts — data model, bottlenecks, consistency, failure modes — and name the trade-offs you are making.
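The format-preservation requirement above (tokens that still pass a Luhn check, with BIN and last4 kept so legacy routing and display keep working) and the detokenization access model, as an added Python sketch that is not part of the original question. The in-memory vault, the HMAC index key, the caller allow-list and the last4 masking rule are assumptions standing in for the real store and policy engine.

```python
import hashlib
import hmac
import secrets

def _weight(d: int, doubled: bool) -> int:
    return (2 * d - 9 if d > 4 else 2 * d) if doubled else d  # Luhn weight of one digit

def luhn_valid(digits: str) -> bool:
    """Mod-10 check; every second digit counted from the right is doubled."""
    return sum(_weight(int(c), i % 2 == 1) for i, c in enumerate(reversed(digits))) % 10 == 0

def luhn_token(pan: str, keep_prefix: int = 6, keep_suffix: int = 4) -> str:
    """Keep BIN and last4, fill the middle from a CSPRNG, then set the first surrogate digit
    so the string passes Luhn (both Luhn weightings are bijections on 0..9, so one always fits)."""
    n = len(pan)
    body = [str(secrets.randbelow(10)) for _ in range(n - keep_prefix - keep_suffix)]
    cand = list(pan[:keep_prefix]) + body + list(pan[-keep_suffix:])
    cand[keep_prefix] = "0"  # zero the fixing position, then solve for it
    partial = sum(_weight(int(c), i % 2 == 1) for i, c in enumerate(reversed(cand)))
    doubled = (n - 1 - keep_prefix) % 2 == 1
    cand[keep_prefix] = next(str(d) for d in range(10) if (partial + _weight(d, doubled)) % 10 == 0)
    return "".join(cand)

class Vault:
    """In-memory stand-in for the vault. The keyed-HMAC index makes tokenization deterministic
    (same PAN -> same token); an unkeyed hash would be brute-forceable over the small PAN space."""

    def __init__(self, hmac_key: bytes, detokenizers: set[str]):
        self._key, self._allowed = hmac_key, detokenizers  # allow-list is the assumed access model
        self._by_hmac: dict[str, str] = {}   # HMAC(PAN) -> token
        self._by_token: dict[str, str] = {}  # token -> PAN (the only place the PAN lives)

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        idx = hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()
        if idx not in self._by_hmac:
            token = luhn_token(pan)
            while token == pan or token in self._by_token:  # never hand back the real PAN; no collisions
                token = luhn_token(pan)
            self._by_hmac[idx], self._by_token[token] = token, pan
        return self._by_hmac[idx]

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._allowed:
            raise PermissionError(f"{caller} is not authorized to detokenize")
        return self._by_token[token]

    def masked(self, token: str) -> str:
        return "*" * (len(token) - 4) + token[-4:]  # for consumers that only need last4
```

Because the token carries the real BIN and last4, those ten digits are still PAN-derived data; the scope reduction comes from the middle six being random and the mapping living only in the vault.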