Security.
The open-source (OSS) edition keeps master-key auth, managed keys, audit logs, and private deployment controls available. The Enterprise edition adds identity, RBAC, tenants, compliance, and SSO.
Architecture
Private Deployment
Run the gateway inside your own infrastructure and storage boundary.
Auth Required
Use a master key, managed API keys, or identity sessions to protect gateway and admin access.
Compliance Roadmap
Immutable audit chains, formal reports, and certification material should be treated as roadmap work.
Authentication
Master Key
Root-level API key for initial setup and administrative access.
OIDC / SSO
Enterprise-only single sign-on via OpenID Connect providers including Okta, Azure AD, and Google Workspace.
Scoped API Keys
Granular permissions per key — restrict to specific models, endpoints, or rate limits.
RBAC
Enterprise-only role-based access control with customizable roles and permission sets.
Data Protection
PII Controls
Use configured guardrail rules for redaction-oriented handling of sensitive content.
Guardrail Pipeline
Apply configured input and output policies through gateway workflows and guardrail rules.
Audit Trails
Record request history with identity and payload metadata when audit logging is enabled.
Immutable Logs Roadmap
Tamper-evident hash chains and WORM-style retention are planned enterprise hardening items.
Compliance
SOC 2 Roadmap
Control mapping and formal compliance evidence should be handled as roadmap/procurement work.
HIPAA Roadmap
BAAs and HIPAA-specific evidence are not represented as shipped product guarantees here.
GDPR Support
Self-hosting helps control data location; deletion/export workflows still depend on deployment policy.
Data Boundary
Deploy in your chosen region or network and keep provider credentials under your operational controls.