All Systems Operational

Enterprise AI Security & Trust Center

Security is the core of our product, not an afterthought.

At AI Security Gateway (AISG), we understand that your data is your most valuable asset. Our architecture is built on the principle of Stateless Sovereignty: we provide the gateway to AI without ever compromising the privacy of the underlying data.

Last Security Review: July 2026|Next Scheduled: September 2026

Verify It Yourself

We’re a security product. Don’t take our word for it — check the evidence.

External scan grades: ImmuniWeb A · SecurityHeaders A — independently verifiable by anyone.

01

Architectural Security

Our infrastructure follows a "Defense-in-Depth" strategy — multiple independent security layers, each assuming the others may fail.

Stateless by Design — Zero Conversation Storage

Our architecture is stateless — each request is processed independently with no shared state between requests. Prompt data exists only in volatile memory for the duration of a single request and is discarded immediately after. There is no session persistence, disk storage, or cross-request data leakage. This is why we intentionally do not proxy stateful APIs like the OpenAI Assistants API (/v1/threads) — server-side conversation storage places your data outside your security boundary. For stateful agentic workflows, manage conversation state in your own infrastructure and pair with Hybrid VPC deployment so prompts never leave your network.

AWS VPC — Private Network Architecture

Our backend services run inside an AWS Virtual Private Cloud (VPC) with isolated private subnets — no service has a public IP or direct internet exposure. All external traffic is routed through an edge security layer with Web Application Firewall (WAF) rules, rate limiting, and bot protection before reaching any backend service within the VPC.

Zero-Persistence Processing

Prompts and AI responses are processed entirely in volatile memory (RAM) and are never written to disk or object storage. Once inference is complete, the data is purged from memory. There is no log, database, or file that contains your prompt content.

Edge Protection & DDoS Mitigation

All traffic is routed through a global edge network with automatic DDoS mitigation, IP-based rate limiting (per-IP throttling), managed rulesets for SQL injection, cross-site scripting (XSS), and known exploit signatures.

02

Data Handling & Privacy

We believe you shouldn't have to trust us with your data — our architecture makes it unnecessary.

Metadata-Only Logging

We log the "Who, When, and How Much" — never the "What." Our databases store token counts, latency metrics, and violation types (e.g., "PII detected"), but we never store the content of your prompts or completions. EU AI Act compliance records contain only SHA-256 fingerprints (one-way hashes) of inputs/outputs — not the content itself.

LOGGED{"user_id": "u_8f3a", "model": "oah/llama-3-70b", "tokens": 142, "violation": "EMAIL_ADDRESS", "latency_ms": 312}
NOT LOGGED{"prompt": "My email is john@acme.com and...", "response": "Here is your welcome email..."}

Encryption Everywhere

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Internal service-to-service communication is also encrypted. There are no plaintext data paths.

No-Training Guarantee

We do not use your data to train any models. We partner only with AI providers who offer contractual data privacy guarantees for API users — your prompts are never used for model improvement by any party in the chain.

Automated Log Scrubbing

All application logs pass through a real-time scrubbing layer that detects and redacts API keys, bearer tokens, and credential patterns before they reach any log storage or monitoring system.

03

Identity & Key Management

We protect your credentials with the same rigor as a financial institution protects account numbers.

BYOK Key Encryption

Your "Bring Your Own Key" (BYOK) provider credentials are encrypted using AES-256 authenticated encryption before storage. The encryption key is stored separately in a hardware-backed key management service — even a database breach cannot expose your keys.

Hardware-Backed Secret Management

All system-level secrets — encryption keys, internal tokens, provider credentials — are stored in a dedicated, hardware-backed secrets management service with automatic rotation support. Secrets are never stored in code, config files, or environment variable logs.

One-Way API Key Hashing

Your API keys are stored as irreversible cryptographic hashes with a server-side pepper. Even in the event of a complete database breach, raw API keys cannot be recovered or reused. Keys are shown once at creation and never again.

Session-Based Playground Security

Internal playground credentials never leave the server. The browser sends only your prompt — the API key is resolved server-side using your authenticated session and verified via a cryptographic handshake between our frontend and backend services.

04

The AI Firewall

Every prompt passes through our governance engine before reaching any LLM provider.

Multimodal OCR Scanning

We are one of the few platforms that provides OCR-based scanning for images, preventing PII leaks hidden in screenshots, config files, or document uploads.

30+ Entity Recognition

Our engine scans for PII, secrets, and credentials across 30+ categories — including names, SSNs, credit cards, email addresses, IP addresses, API keys, and cloud credentials.

Custom IP Guard

Enterprises can define custom detection patterns (regex rules) to protect internal project names, code names, intellectual property, and proprietary terminology from being sent to any LLM provider.

Prompt Injection Defense

We proactively detect and block known prompt injection patterns — including jailbreak attempts, instruction override payloads, and role-escape sequences — before they reach the model.

MCP Gateway — Tool-Plane Security (Beta)

For agentic workloads, the same firewall extends to the Model Context Protocol. The MCP Gateway scans tool descriptions for poisoning at catalog time, redacts or blocks PII in tool arguments (outbound) and results (inbound), and enforces per-org tool allow/deny lists — in our cloud or entirely inside your VPC, where downstream credentials never leave your network.

Fail-Closed Architecture

If the AI Firewall is unavailable or returns an error, the request is immediately terminated. We never forward un-scanned data to any LLM provider. Security takes priority over availability. The MCP Gateway applies the same principle — a downstream server whose credential is missing is never called.

05

Responsible Disclosure

We take security seriously and welcome the help of the security community.

Continuous Security Scanning

We perform automated vulnerability scanning of all container images and dependencies on every build, with critical findings blocking deployment.

Security Contact

If you believe you have found a security vulnerability in our platform, please contact us at security@aisecuritygateway.ai. We aim to acknowledge reports within 24 hours and prioritize fixes based on severity.

Critical

24–48 hours

High

5 business days

Medium / Low

Next release

Vulnerability Scope

In Scope

  • API endpoints (api.aisecuritygateway.ai)
  • Authentication & token handling
  • DLP / PII redaction bypass
  • BYOK key exposure or decryption flaws
  • Authorization & privilege escalation
  • Data leakage in logs or responses

Out of Scope

  • Rate limiting or DoS / DDoS attacks
  • Social engineering or phishing
  • Missing security headers on marketing pages
  • Third-party service vulnerabilities
  • Reports from automated scanners without proof of impact

06

Hybrid VPC Deployment

For organizations where prompts must never leave the corporate network.

Hybrid VPC mode deploys a compiled Go proxy inside your infrastructure. All prompt content is processed locally — DLP scanning, PII redaction, and budget enforcement happen on-prem. Only metadata (token counts, latency, entity types) reaches the cloud dashboard for analytics.

Prompt Data Sovereignty

Prompts are processed and forwarded within your network. The cloud control plane never sees request or response content.

Compiled Go Binary

The proxy ships as a statically-linked Go binary in a scratch Docker image — no shell, no OS packages, no attack surface.

Local DLP Engine

All proprietary PII detection runs inside the proxy. Sub-50ms latency. No external calls for sensitive data scanning.

Metadata-Only Telemetry

The sync agent pushes only structural metadata (cost, latency, entity counts) to the cloud. Content fields are rejected server-side.

Learn about Enterprise / Hybrid VPC

07

Enterprise Authentication (SAML SSO)

Federated identity with zero third-party SaaS dependency — SAML Jackson runs in your infrastructure.

Self-Hosted BoxyHQ SAML Jackson

SAML Jackson runs as a self-hosted container in your infrastructure — no third-party SaaS dependency for authentication. Your IdP metadata and SAML assertions never leave your network.

Per-Org IdP Configuration

Each organization configures its own Identity Provider — Okta, Azure AD, Google Workspace, or any SAML 2.0 compliant IdP. Multi-tenant architecture supports unlimited IdP connections.

Auto-Provisioning with Default Roles

New users authenticated via SSO are automatically provisioned into the organization with a configurable default role (owner, admin, member, or viewer).

Optional SSO Enforcement

Organization owners can enforce SSO-only authentication — disabling password and OAuth login for all org members. Ensures every login is verified through the corporate Identity Provider.

Session Management via NextAuth

Sessions are managed via NextAuth with JWT tokens. Session duration, token rotation, and idle timeouts are configurable per organization.

No IdP Data in Our Cloud

SAML Jackson runs alongside your proxy. No IdP metadata, SAML assertions, or authentication tokens are stored in or transmitted to our cloud infrastructure.

08

SIEM Integration

Real-time security event streaming to your enterprise SIEM — outbound HTTPS only, no inbound ports required.

Real-Time Security Event Streaming

Security events are streamed in real time to your enterprise SIEM platform as they occur — PII violations, prompt injection attempts, and budget alerts arrive within seconds.

Splunk HEC, Datadog Logs, Microsoft Sentinel

Native format adapters for three major SIEM platforms. Events are formatted per-platform (Splunk HEC JSON, Datadog Logs API, Microsoft Sentinel CEF) — no custom parsing required.

Auth Tokens in Secrets Manager

SIEM authentication tokens (HEC tokens, API keys) are stored in AWS Secrets Manager — never in DynamoDB or application configuration. Tokens are resolved at runtime and never logged.

5 Security Event Types

Five event categories are forwarded: PII blocked, prompt injection blocked, PII redacted, budget exhausted, and recursive loop detected. Each event includes full context — project, model, entity types, and timestamps.

Per-Platform Severity Mapping

Event severity is mapped per platform conventions — critical, high, and medium levels — ensuring proper alert prioritization in your existing SOC workflows and dashboards.

Outbound HTTPS Only

SIEM integration requires no inbound ports or firewall changes. Events are pushed outbound over HTTPS to your SIEM endpoint. The proxy initiates all connections.

09

Technology Architecture

What we built, what we use, and why. Full transparency for enterprise due diligence.

We deliberately build on auditable, open-source foundations where appropriate — and build proprietary systems where differentiated engineering creates real value. Every security platform uses open-source components (Cloudflare uses BoringSSL, Palo Alto uses Snort signatures, CrowdStrike uses YARA rules). What matters is what you build on top of them.

OSOpen-Source Foundation

We use Microsoft Presidio as the base NLP/regex entity recognition engine for standard PII types (names, emails, phone numbers). This is intentional: Presidio is auditable, well-tested, and trusted by enterprises. It provides the same role that OpenSSL provides to web servers — a proven cryptographic primitive, not the product itself.

  • Microsoft Presidio — base NLP entity recognition
  • SpaCy — NLP language model for contextual analysis
  • LiteLLM — provider API format translation layer
  • FastAPI / Uvicorn — HTTP framework and ASGI server

IPProprietary Systems (Our IP)

Everything above the base entity recognition — the governance, orchestration, and enforcement layers — is proprietary. This is where the differentiated engineering lives.

  • Policy Evaluation Engine — per-project versioned DLP policies with sensitivity tiers, custom entity selection, and enforcement logic
  • Custom Detection Signatures — 15+ extended recognizers beyond Presidio defaults (API keys for OpenAI/Anthropic/Google/Groq/AWS, prompt injection patterns, IP-Guard rules)
  • Vision OCR DLP — in-memory image text extraction and PII scanning for screenshots and documents before vision models process them
  • Smart Router & Model Registry — real-time cost-optimized routing across 300+ models from 8+ providers with automatic failover and circuit breaking
  • Budget Enforcement — atomic wallet deductions with pre-flight cost estimation, hard 402 stops, and per-project token quotas
  • Prompt Injection Defense — 5-category heuristic detection (jailbreaks, DAN variants, SYSTEM OVERRIDE impersonation, instruction overrides, encoding exploits)
  • Recursive Loop Protection — fingerprint-based detection that auto-kills agent retry loops after configurable thresholds, preventing credit drain from runaway automations
  • Webhook Security Alerts — HMAC-SHA256 signed real-time notifications to Slack, PagerDuty, or any HTTPS endpoint when PII is blocked, injections are caught, budgets are hit, or loops are detected
  • EU AI Act Compliance Logging — hash-chained, tamper-evident audit records with SHA-256 input/output fingerprints (no prompt content stored — privacy by design). Append-only, minimum 10-year retention, JSONL export. Ready for Article 12 enforcement (August 2026)
  • Governance Orchestration — fail-closed architecture, multi-project team management, metadata audit logging, and analytics dashboards

The analogy: Presidio is to AI Security Gateway what PostgreSQL is to Stripe, or what Linux is to AWS. Nobody says “Stripe is just a Postgres wrapper” because the value is in the payment logic, fraud detection, and compliance infrastructure built on top. Similarly, our value is in the policy engine, vision DLP, smart routing, budget enforcement, and governance orchestration — not in the underlying NLP library that every DLP product uses.

View Source on GitHub

10

Compliance Roadmap

Our path to enterprise-grade certifications.

CertificationStatus
SOC 2 Type IPlanned H2 2026
SOC 2 Type IIPlanned 2027
EU AI Act Article 12 LoggingShipped
Designed for GDPR ComplianceArchitecturally Aligned
CCPA ComplianceArchitecturally Aligned
HIPAAPlanned H2 2026
Penetration TestingPlanned H2 2026

“Architecturally Aligned” means our design follows the standard’s requirements but formal audits have not yet been completed. “Planned” items are on our roadmap but auditor engagement has not begun.

Independent Privacy Assessment: A+

ImmuniWeb’s automated Website Privacy Test awarded aisecuritygateway.ai an A+ rating — their highest grade. The test evaluates tracking cookies, third-party content, XHR requests, tracking pixels, web form privacy, and data scraping protections.

Verify the result on ImmuniWeb
Follow for Security Updates

11

Telemetry & Observability

Privacy-first analytics — no session replay, no keystroke logging, ever.

Google Analytics — Public Marketing Pages Only

We utilize Google Analytics exclusively on our public marketing domain (aisecuritygateway.ai) to analyze referral sources and site performance. Google Analytics is not used within our authenticated dashboard or API proxy.

PostHog — Anonymized Product Telemetry

Within the application (app.aisecuritygateway.ai), we utilize product telemetry via PostHog limited to high-level operational events (e.g., “Project Created”, “Wallet Top-up”). We do not transmit AI prompts, responses, or sensitive customer data to any analytics provider.

Crisp — Live Support Chat

Crisp provides real-time support chat on dashboard pages only. It is not loaded on the landing page or public marketing pages. Crisp does not have access to your prompt content, API keys, or billing data.

Cookie Consent

Analytics scripts (both Google Analytics and PostHog) are loaded only after explicit user consent via our cookie banner. Essential cookies (authentication, billing) are always active as required for the service to function.

Our commitment: We have configured our analytics systems to disable session recording, keystroke capture, and detailed user interaction tracking. We do not transmit AI prompts, responses, or sensitive customer data to any analytics provider. This is a core architectural principle, not a configuration option.

Security FAQ

Common questions from security teams and enterprise architects.

Do you store my prompts or AI responses?

No. Prompts and completions are processed entirely in volatile memory (RAM) and discarded immediately after the request is fulfilled. We persist only metadata — token counts, latency, and violation types — never content.

What happens if your DLP engine fails?

Our architecture is "Fail-Closed." If the AI Firewall is unavailable or returns an error, the request is terminated with a 500 error. We never forward un-scanned data to the LLM provider.

Can your team see my prompts?

No. Prompts exist only in ephemeral container memory during processing. There is no log, database, or storage that contains prompt content. Even our engineering team has no mechanism to access your data in transit.

How are my BYOK API keys protected?

Your provider API keys are encrypted with AES-256 authenticated encryption before storage. The encryption key is stored in a separate hardware-backed secrets manager. Even if our database were fully compromised, your keys remain unreadable.

Do AI providers train on my data?

The providers we support do not use API data for model training. We partner only with providers who offer contractual data privacy guarantees. We encourage you to review each provider's data processing agreement.

How do you protect against DDoS and abuse?

All traffic passes through an edge security layer with per-IP rate limiting, managed WAF rulesets (SQL injection, XSS, known exploits), and automatic DDoS mitigation. Additionally, per-API-key rate limiting (default 10 RPS per key) is enforced at the application layer as an anti-abuse measure. This is a per-key throttle, not a system-wide capacity constraint — the platform scales horizontally via auto-scaling containers. Enterprise plans support higher per-key limits.

What happens if someone steals an API key from my logs?

API keys are stored as irreversible cryptographic hashes with a server-side pepper, so leaked hashes are useless. If a raw key is compromised, you can instantly revoke it from the dashboard — revocation takes effect on the very next request.

How do you handle internal credentials (like the Playground)?

Internal credentials are resolved entirely server-side and are never sent to or visible in the browser. The Playground UI uses your authenticated session to issue requests — no API key is ever exposed to the client.

Do you use session replay or keystroke logging?

No. We have configured our analytics systems to disable session recording, keystroke capture, and detailed user interaction tracking. We use Google Analytics exclusively on our public marketing site (aisecuritygateway.ai) for referral and performance analysis. Within the application (app.aisecuritygateway.ai), we use PostHog limited to high-level operational events. We do not transmit AI prompts, responses, or sensitive customer data to any analytics provider.