Compliance & Security

AI governance that satisfies your auditor

Full air-gap deployment. PII redaction before any LLM call. Complete audit trail in ClickHouse. Your data never leaves your infrastructure. Not our promise — your infrastructure's guarantee.

The compliance barrier

Most AI gateways fail regulatory requirements before evaluation starts.

Cloud gateways disqualified

HIPAA, GDPR, classified requirements eliminate every SaaS AI gateway. Cloudflare, Portkey, AWS AgentCore — all out.

PII in LLM calls

Patient SSNs, credit card numbers, and emails flowing to external LLM providers. One leak is a regulatory event.

Incomplete audit trail

Compliance asks for every AI interaction in Q1. You have partial logs in 3 different systems.

How gatez solves it

Compliance-first architecture from day one.

1. Full air-gap deployment

Every service runs from container images. Zero internet dependency. Ollama for local LLMs. No external API calls. Your data never leaves your network.

2. PII redaction

SSN, email, credit card, phone, IP detected and redacted BEFORE any LLM call. Log only pii_detected=true. Never the actual content.

3. ClickHouse audit trail

Every request, token, tool call logged. 365-day retention for audit logs. CSV export. Per-tenant isolation. No cross-tenant data leakage.

4. Cross-layer traces

One trace from HTTP request to LLM call to agent tool call. OTel + Jaeger. Full visibility into every interaction. No gaps.

5. Multi-tenant isolation

tenant_id on every call, log, cache key. Redis keyspace isolation. ClickHouse row-level filtering. No cross-tenant visibility.

6. Compliance-ready

HIPAA-ready patterns. GDPR data residency. ISO 42001 compatible architecture. Self-host on your infrastructure, your rules.

Real-world example

How DDS deploys gatez on a classified network.

Department of Digital Services — Air-gapped deployment

DDS deploys gatez on a classified network. Zero internet access whatsoever.

  • All LLM routing to local Ollama instances (Mistral 7B, Llama 3) — no external API keys needed
  • Container images pre-loaded on classified network (no docker pull)
  • 3 tenants: Citizen Services (5k req/s), Analytics (2k req/s), Intel (500 req/s, highest restrictions)

Intel tenant has additional restrictions:

  • All requests double-logged (ClickHouse + separate syslog for classified audit)
  • No semantic caching (each request goes to LLM fresh — no cached responses for classified queries)
  • 1-hour session maximum for agent sessions
  • Every tool call requires HITL approval (no auto-approve)

Why this is possible

Kong Konnect: Best features are SaaS-only — eliminated
AWS AgentCore: Cloud-only — eliminated
Portkey: SaaS-primary — eliminated
Cloudflare AI Gateway: SaaS-only — eliminated
gatez: Everything runs from container images with zero internet dependency. ClickHouse, Redis, Keycloak, Prometheus, Grafana — all self-hosted. LLMs via local Ollama. Full audit trail. Full multi-tenancy.

Deploy AI that passes audit

Full air-gap support. PII redaction. Complete audit trail. HIPAA, GDPR, ISO 42001 ready.

Free forever. Apache 2.0 license. No credit card required.