Platform / Security

Enterprise-grade security at every layer of the stack.

RBAC, SSO/SCIM, PII firewall, immutable audit logs, and air-gapped deployment — all built into the same binary as the gateway. No additional security services to deploy or maintain.

RBAC & SSO/SCIM

Role-based access control with admin, team lead, and user tiers. SAML 2.0 and OIDC SSO for centralised identity. SCIM provisioning automates user onboarding and deprovisioning from your identity provider.

  • Fine-grained permissions: manage providers, view audit, set budgets
  • SAML 2.0 and OIDC — compatible with Okta, Azure AD, Google Workspace
  • SCIM provisioning for automated lifecycle management

RBAC & SSO/SCIM — capability summary

01 Fine-grained permissions: manage providers, view audit, set budgets
02 SAML 2.0 and OIDC — compatible with Okta, Azure AD, Google Workspace
03 SCIM provisioning for automated lifecycle management

PII Firewall & Guardrails

Every request passes through a PII detection layer before reaching any provider. Names, email addresses, phone numbers, SSNs, and credit card numbers are redacted automatically. Guardrail rules can block, warn, or silently audit based on content category.

  • PII detection runs locally — sensitive fields never leave your network unredacted
  • Configurable redaction per team: some teams may require full block, others audit-only
  • Guardrail rule library includes off-the-shelf and custom classifier support

PII Firewall & Guardrails — capability summary

01 PII detection runs locally — sensitive fields never leave your network unredacted
02 Configurable redaction per team: some teams may require full block, others audit-only
03 Guardrail rule library includes off-the-shelf and custom classifier support

Audit Log

Every request and response is recorded with provider, model, latency, token counts, cost, applied policy decisions, and team identity. Audit records are append-only and cannot be modified after write. Export to Postgres, S3, or stdout in structured JSON.

  • Immutable append-only records — no post-write modification possible
  • Structured JSON export compatible with SIEM tools and compliance dashboards
  • Configurable retention period from 30 days to indefinite

Audit Log — capability summary

01 Immutable append-only records — no post-write modification possible
02 Structured JSON export compatible with SIEM tools and compliance dashboards
03 Configurable retention period from 30 days to indefinite

Air-Gap & Data Residency

ManyLayers supports fully air-gapped deployments where no outbound connections leave your network perimeter after initial installation. License file activation works offline. For regulated industries, all compute, storage, and logging stays within your designated region or data centre.

  • No telemetry, no usage reporting, no callbacks to external services
  • License activation via offline file — no internet required after install
  • Data residency configurable per deployment region or data centre

Air-Gap & Data Residency — capability summary

01 No telemetry, no usage reporting, no callbacks to external services
02 License activation via offline file — no internet required after install
03 Data residency configurable per deployment region or data centre
Control matrix

Security controls across all deployment modes.

Security Control SaaS Cloud Self-Hosted Air-Gapped Notes
RBAC Admin/lead/user tiers
SSO (SAML/OIDC) Okta, Azure AD, Google WS
SCIM provisioning Automated lifecycle
PII firewall Local detection, no egress
Guardrails Block / warn / audit
Audit log Immutable, exportable
Air-gap mode Offline license activation
Data residency Region-locked Your DC Your DC No external egress

Discuss your security and compliance requirements.