Trust & Security

Security at ManyLayers

Last updated: July 12, 2026

Encryption in Transit

All traffic between clients and ManyLayers endpoints is encrypted using TLS 1.2 or higher. For SaaS deployments, TLS certificates are managed automatically with short rotation cycles. For self-hosted and hybrid deployments, we provide configuration documentation for bring-your-own certificate setups, mutual TLS (mTLS) enforcement, and internal service mesh integration (Istio, Linkerd). Unencrypted HTTP endpoints are disabled by default and cannot be enabled without an explicit operator override.

Encryption at Rest

Managed SaaS data at rest is encrypted using AES-256. This includes stored vector embeddings, audit log archives, secrets vault contents, and database snapshots. For self-hosted deployments, encryption at rest is managed by your storage provider (cloud disk encryption, LUKS, or hardware security modules) — ManyLayers integrates with your existing key management infrastructure and does not require access to your encryption keys.

Access Control — RBAC and SSO

ManyLayers enforces role-based access control (RBAC) at every layer: organization, team, project, and API-key scope. Roles are defined with least-privilege defaults and can be customized per deployment. Permission changes are captured in the audit log immediately.

Enterprise and Team tiers support SAML 2.0 and OIDC single sign-on (SSO) with major identity providers including Okta, Azure Active Directory, Google Workspace, and Ping Identity. SCIM directory provisioning enables automated user lifecycle management. Multi-factor authentication (MFA) is enforced for all administrator accounts.

Audit Logging

Every request passing through the ManyLayers Gateway generates an immutable audit log entry capturing the timestamp, team identity, model route taken, token counts, guardrail decisions, and any policy enforcement actions. Logs are cryptographically tamper-evident and cannot be deleted or modified by platform users. Enterprise customers can stream audit logs in real time to their SIEM (Splunk, Datadog, Elastic) or export to an S3-compatible object store. Log retention is configurable from 30 days to indefinite.

Data Residency via Self-Hosting

For organizations with strict data-residency requirements — regulated industries, government, or air-gapped environments — ManyLayers' self-hosted deployment mode guarantees zero data egress. The platform runs entirely on your infrastructure, including Kubernetes clusters in your own data centers or private cloud. After initial license file activation, the system operates with no outbound internet connectivity required. All audit logs, vector stores, and model weights remain within your security perimeter.

Compliance Certifications

ManyLayers' managed SaaS platform is SOC 2 Type II certified. Our architecture and controls are designed to support customer HIPAA compliance obligations (Business Associate Agreements available on Enterprise plans). We publish a shared responsibility model and security documentation at docs.manylayers.io/security to assist with your own compliance programs.

Vulnerability Management

We conduct continuous dependency scanning, static analysis, and periodic third-party penetration tests. Critical security patches for the self-hosted platform are released as priority advisories and communicated to license holders via email and our security advisory channel.

Responsible Disclosure

We take security reports seriously and aim to respond to all disclosures within 72 hours. To report a vulnerability, email us at security@manylayers.io. Please include a description of the issue, steps to reproduce, and your assessment of impact. We ask that you give us reasonable time to investigate and remediate before public disclosure. We do not pursue legal action against researchers who disclose in good faith under this policy.

Security contact

security@manylayers.io

Questions about our security posture?