# Compliant LLM Gateway

## ⚡*<mark style="color:red;">Perimeterless</mark>*. Trust.

{% content-ref url="zero-trust-architecture" %}
[zero-trust-architecture](https://docs.lisaiceland.com/platform+/subprocessors/zero-trust-architecture)
{% endcontent-ref %}

<div data-full-width="true"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2FxjvyviRIpVGIow0b5aQ9%2Faivoiceplus_compliance.png?alt=media&#x26;token=29792f68-b839-4760-a259-36ee41e35707" alt=""><figcaption></figcaption></figure></div>

✅ *<mark style="color:purple;">Lower</mark>* Overhead\
✅ *<mark style="color:purple;">Lower</mark>* TCO\
✅ *<mark style="color:purple;">FULLY</mark>* Secure\
✅ *<mark style="color:purple;">Working</mark>* Software\
🚫 *<mark style="color:red;">NO</mark>* useless features

> ### 💢 TAKE *<mark style="color:red;">**CONTROL**</mark>* ✨ YOUR <mark style="color:purple;">AGENTS</mark> 🔥 YOUR <mark style="color:purple;">TERMS</mark> 🛡️ <mark style="color:purple;">AI</mark> FOR <mark style="color:purple;">HUMANS</mark>

{% content-ref url="../../smarter-ai-learn-more/take-back-control" %}
[take-back-control](https://docs.lisaiceland.com/smarter-ai-learn-more/take-back-control)
{% endcontent-ref %}

<div data-full-width="true"><figure><img src="https://1182587842-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHyzvhgDL3TrE6D5Hun93%2Fuploads%2FnxDaKgS2IyhTrrnruf6l%2Feasypanel_docker_evetns.png?alt=media&#x26;token=66d29d77-2f6a-49e9-9d52-e0200393caf8" alt=""><figcaption></figcaption></figure></div>

{% embed url="https://contabo-status.com/" %}

## ⚡*<mark style="color:purple;">Responsible</mark>* AI. We *<mark style="color:purple;">Care</mark>*.

{% content-ref url="../active-development/human-in-the-loop" %}
[human-in-the-loop](https://docs.lisaiceland.com/platform+/active-development/human-in-the-loop)
{% endcontent-ref %}

{% content-ref url="../../smarter-ai-learn-more/ai-safety+/bias-protections" %}
[bias-protections](https://docs.lisaiceland.com/smarter-ai-learn-more/ai-safety+/bias-protections)
{% endcontent-ref %}

{% content-ref url="../../smarter-ai-learn-more/ai-safety+/guardrails+/ai-safety-guardrails" %}
[ai-safety-guardrails](https://docs.lisaiceland.com/smarter-ai-learn-more/ai-safety+/guardrails+/ai-safety-guardrails)
{% endcontent-ref %}

{% content-ref url="../active-development/advanced-agent-verifier" %}
[advanced-agent-verifier](https://docs.lisaiceland.com/platform+/active-development/advanced-agent-verifier)
{% endcontent-ref %}

## ⚡*<mark style="color:green;">Green</mark>* AI. *<mark style="color:purple;">Infrastructure</mark>*.

{% embed url="https://contabo.com/en-us/sustainability/" %}

* ***Datacenters***
  * We use only a "***GREEN***" hosting provider.
  * ***100% Private Network*** setups on ALL VPS & VDS.
* ***100% Certified green energy***
  * All procured electricity focuses on energy efficiency (low PUE), and we are actively working on decarbonization with goals for climate neutrality, using ***ONLY*** renewable sources like solar, wind, and hydro.
* ***Real Initiatives***
  * Our hosting company has received awards for its efforts and is part of initiatives like the Climate Pact of the City of Munich.
* ***Worldwide*** ***Infrastructure***
  * USA, EU, Europe, EMEA, Asia, N., S. & Central America
* ***Powerful GREEN AI API Gateway***
  * LLM Gateway
  * Observability
  * Guardrails
  * Governance
  * Prompt Management
  * ...and more & all in one platform
* ***Our entire PaaS*** ***Command Plane***
  * Is on secured & redundant scaled servers for our apps & AI API Gateway.
  * An app-deploying PaaS powerhouse.

{% content-ref url="../../privacy+/dpa" %}
[dpa](https://docs.lisaiceland.com/privacy+/dpa)
{% endcontent-ref %}

## ⚡100%. *<mark style="color:purple;">HIPAA</mark>*. Compliant.

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/hipaa" %}
[hipaa](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/hipaa)
{% endcontent-ref %}

## ⚡100%. *<mark style="color:purple;">Privacy</mark>*. PLUS.

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/pci-dss" %}
[pci-dss](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/pci-dss)
{% endcontent-ref %}

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii" %}
[soc-2-type-ii](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii)
{% endcontent-ref %}

{% content-ref url="../../privacy+" %}
[privacy+](https://docs.lisaiceland.com/privacy+)
{% endcontent-ref %}

## ⚡*<mark style="color:green;">Compliant</mark>*. Subprocessors.

{% content-ref url="compliant-subprocessors" %}
[compliant-subprocessors](https://docs.lisaiceland.com/platform+/subprocessors/compliant-subprocessors)
{% endcontent-ref %}

## 🚫 <mark style="color:purple;">LLM</mark> Safety. Data *<mark style="color:red;">Outbound</mark>*.

### ⚡ ...*<mark style="color:red;">from</mark>* YOUR 🛡️ *<mark style="color:purple;">Secured</mark>* AI *<mark style="color:purple;">Workspace</mark>*

> ### 🚫 We *<mark style="color:red;">DO NOT</mark>* allow LLM providers to use your data for model training aka "***telemetry out***(bound)".

> ### 🚫 We *<mark style="color:red;">never send</mark>* your workspace data *<mark style="color:red;">outbound</mark>* to any 3rd-party for LLM AI model training or tuning.

### ⚡ 🚫 *<mark style="color:red;">NO</mark>* Prompt 🛡️ <mark style="color:red;">Leakage</mark>

> ### 🛡️ Built-in 100% *<mark style="color:purple;">PII</mark>* & *<mark style="color:purple;">PHI</mark> <mark style="color:red;">redactions</mark>*, user *<mark style="color:red;">prompt injection</mark>* checks, *<mark style="color:red;">NO prompt leakage</mark>* (aka data "telemetry" outbound) & full AI *<mark style="color:red;">bias-protections</mark>* & much more. Solid implementation.

## 🔥 *<mark style="color:red;">Security</mark>*. Pointer.

> ### 🛡️ 100% *<mark style="color:purple;">**YOUR**</mark>* RESPONSIBILITY: You *<mark style="color:red;">MUST</mark>* secure your own machines: PC, Laptop, Pad, phone, any other device connected to the Internet

## 🔥 *<mark style="color:purple;">Enterprise</mark>*-Grade. *<mark style="color:purple;">LLMs</mark>*.

> ### 🛡️ We use *<mark style="color:red;">enterprise-grade LLMs</mark>* hosted on our *<mark style="color:red;">FULLY COMPLIANT</mark>* LLM gateway with end-to-end encryption & AI-safety built on solid privacy-1st features.

## 🔥 *<mark style="color:red;">ZERO</mark>* LLM Telemetry. *<mark style="color:red;">Outbound</mark>*.

> ### 🛡️ We maintain a *<mark style="color:red;">ZERO</mark>* *<mark style="color:red;">TELEMETRY OUTBOUND</mark>* policy & implementation from our AI agents platform. *<mark style="color:red;">NOTHING</mark>* goes out of your secured AI workspace. *<mark style="color:red;">NO</mark>* data sent to any 3rd-party: e.g. Microsoft, OpenAI, Claude, Google, AWS, Apple, IBM, Palantir, government agencies, etc. We make sure of this in our core design, builds & all deployments.

{% content-ref url="../../privacy+/llm-ai-safety" %}
[llm-ai-safety](https://docs.lisaiceland.com/privacy+/llm-ai-safety)
{% endcontent-ref %}

## ➡️ <mark style="color:purple;">LLM</mark> Security. *<mark style="color:green;">Inbound</mark>*.

### ⚡ ...*<mark style="color:green;">to</mark>* YOUR *<mark style="color:purple;">Secured</mark>* AI *<mark style="color:purple;">Workspace</mark>*

> ### ➡️ *<mark style="color:green;">ALL</mark>* LLM safeguards, like bias-protection and other security, come from the LLM itself *<mark style="color:green;">wrapped by our compliant LLM gateway</mark>*.

> ### ➡️ *<mark style="color:green;">DATA INBOUND</mark>* to your secured workspace is *<mark style="color:red;">NOT</mark>* an issue, as we want outside internet search & other info, like your files connected by MCP, APIs or uploads by you, to come into your AI workspace *<mark style="color:green;">SAFELY</mark>* for the agents to process your AI workflow task items.

{% content-ref url="" %}
[subprocessors](https://docs.lisaiceland.com/platform+/subprocessors)
{% endcontent-ref %}

> ### 🔥 *<mark style="color:red;">NO</mark>* to War 🔥 *<mark style="color:red;">NO</mark>* to Genocide 🔥 *<mark style="color:red;">NO</mark>* 3rd-Parties Supporting Genocide

{% content-ref url="../no-to-war-genocide" %}
[no-to-war-genocide](https://docs.lisaiceland.com/platform+/no-to-war-genocide)
{% endcontent-ref %}

## ❓ Why <mark style="color:purple;">Cloud</mark> & *<mark style="color:red;">NOT</mark>* <mark style="color:purple;">Local AI</mark> Workspaces 🤔

{% embed url="https://futurism.com/artificial-intelligence/google-ai-deletes-entire-drive" %}

## ⚡ Secure. *<mark style="color:purple;">Scalable</mark>*. Stack.

{% embed url="https://docs.docker.com/reference/cli/docker/swarm/" %}

{% embed url="https://traefik.io/" %}

## ⚡ *<mark style="color:purple;">How.</mark>* We. *<mark style="color:purple;">Comply</mark>*.

### 🟢 Why *<mark style="color:red;">Compliance</mark>* Matters

* LLM gateways sit at a critical junction in your infrastructure, processing potentially sensitive data:
  * Personally identifiable information (PII)
  * Protected health information (PHI)
  * Proprietary business data
  * Customer conversations and queries
* With 83-85% of enterprise buyers now requiring SOC 2 compliance as a vendor prerequisite, and regulatory penalties reaching millions of dollars, compliance isn't just about avoiding fines—it's about enabling business growth and maintaining customer trust.
* Modern LLM gateways must balance the need for powerful AI capabilities with stringent security requirements. This means implementing robust access controls, encryption, monitoring, and incident response capabilities while maintaining the flexibility to route between 160+ models.
* We're currently working to get our SOC 2 audit & compliance completed soon.

### 🟢 Data *<mark style="color:red;">Security</mark>*. Big 5.

#### HIPAA, SOC2 Type II, GDPR, ADA, PCI DSS

* As nearly ALL organizations today increasingly rely on Large Language Models (LLMs) to power their applications, the need for robust security and compliance frameworks has never been more critical
* Whether you're handling sensitive customer data, processing healthcare information, or serving users in the US, Canada, European Union, EMEA or anywhere else, all LLM gateways must meet stringent regulatory requirements
* Ours does it as a default feature
* We've seen firsthand how compliance challenges can slow down AI adoption.
* That's why we've built security and compliance features directly into our platform to route LLM traffic securely while maintaining regulatory compliance
* The points below break down the essential security and compliance requirements for LLM gateways, focusing on 5 critical frameworks: ***SOC 2, HIPAA, GDPR, ADA & PCI DSS***

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci" %}
[hipaa-or-soc2-or-pci](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci)
{% endcontent-ref %}

#### 1. SOC 2: The Enterprise Standard

SOC 2 (System and Organization Controls 2) has become the de facto standard for SaaS and cloud service providers. It evaluates how organizations manage customer data based on five Trust Services Criteria:

* **Security** (mandatory): Protection against unauthorized access
* **Availability**: System uptime and reliability
* **Processing Integrity**: Accurate and complete processing
* **Confidentiality**: Protection of confidential information
* **Privacy**: Personal information handling

For LLM gateways, SOC 2 Type 2 certification (which assesses operational effectiveness over 6-12 months) demonstrates to enterprise customers that you have mature security controls in place. This is particularly important when using enterprise features like SSO integration and user spend limits.

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii" %}
[soc-2-type-ii](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/soc-2-type-ii)
{% endcontent-ref %}

#### 2. HIPAA: Healthcare's Gold Standard

The Health Insurance Portability and Accountability Act (HIPAA) applies to any organization handling protected health information (PHI). This includes:

* Healthcare providers using LLMs for patient interactions
* Health tech companies processing medical data
* Any LLM gateway that might receive PHI in prompts or responses

Non-compliance can result in fines up to $1.5 million per violation, making HIPAA compliance essential for healthcare applications.

* We are HIPAA compliant with Neon as our BaaS
* You can sign a BAA with us. (sample BAA in [Privacy+](https://docs.lisaiceland.com/privacy+))

HIPAA requires three types of safeguards:

* **Administrative**: Policies, training, and risk assessments
* **Physical**: Facility and device security
* **Technical**: Access controls, encryption, and audit logs

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/hipaa" %}
[hipaa](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/hipaa)
{% endcontent-ref %}

#### 3. GDPR: Global Privacy Protection

* The General Data Protection Regulation (GDPR) applies to any organization processing data of EU residents, regardless of where the company is located. Key requirements:
  * Lawful basis for data processing
  * Strong data subject rights (access, erasure, portability)
  * Data minimization and purpose limitation
  * Breach notification within 72 hours
  * Privacy by design and default
* With penalties up to €20 million or 4% of global turnover, GDPR compliance is crucial for any LLM gateway with international users
* We are GDPR compliant & integrate it in ALL our solutions

{% content-ref url="../../privacy+/my-data-request-aka-dsar" %}
[my-data-request-aka-dsar](https://docs.lisaiceland.com/privacy+/my-data-request-aka-dsar)
{% endcontent-ref %}

#### 4. ADA: Americans with Disabilities Act

* We are ADA compliant across ALL our sites & apps

{% content-ref url="../../privacy+/ada" %}
[ada](https://docs.lisaiceland.com/privacy+/ada)
{% endcontent-ref %}

#### 5. PCI DSS: Payment Card Industry Data Security Standard

* We are PCI DSS compliant with Stripe

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/pci-dss" %}
[pci-dss](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/pci-dss)
{% endcontent-ref %}

### 🟢 Security *<mark style="color:red;">Compliance</mark>*

#### Core Security Controls

(for ALL frameworks)

{% content-ref url="../../privacy+/private-network" %}
[private-network](https://docs.lisaiceland.com/privacy+/private-network)
{% endcontent-ref %}

**Access Management**

* Run 100% Private Network
* Implement role-based access controls (RBAC) for all systems
* Enforce multi-factor authentication (MFA) for admin access
* Use API key rotation and management policies
* Maintain principle of least privilege

**Encryption**

* Encrypt all data at rest using AES-256 or stronger
* Use TLS 1.2+ for all data in transit
* Implement end-to-end encryption for sensitive data flows
* Manage encryption keys securely with rotation policies

**Monitoring and Logging**

* Deploy comprehensive audit logging for all access and changes
* Implement real-time security monitoring (SIEM)
* Set up anomaly detection for unusual patterns
* Maintain logs for required retention periods (varies by framework)

**Incident Response**

* Document incident response procedures
* Establish clear escalation paths
* Test response plans quarterly
* Maintain breach notification procedures for each framework

#### SOC 2 Specific Requirements

**Security (Mandatory)**

* Vulnerability assessments and penetration testing (annually minimum)
* Security awareness training for all employees
* Vendor risk management program
* Change management procedures

**Availability**

* Disaster recovery and business continuity plans
* Uptime monitoring and SLAs
* Redundancy and failover capabilities
* Capacity planning and monitoring
* We provide built-in failover and load balancing, ensuring high availability even when individual model providers experience outages

**Processing Integrity**

* Input validation for all prompts
* Output validation for model responses
* Error handling and logging procedures
* Data quality controls

**Confidentiality**

* Data classification and labeling
* Confidentiality agreements with employees and vendors
* Access reviews (quarterly minimum)
* Secure data disposal procedures

**Privacy**

* Privacy policy and notices
* Consent management systems
* Data retention and deletion policies
* Privacy impact assessments

#### HIPAA-Specific Requirements

**Administrative Safeguards**

* Designate a HIPAA Security Officer
* Conduct annual risk assessments
* Develop workforce training programs
* Execute Business Associate Agreements (BAAs) with all vendors
* Implement sanction policies for violations

{% content-ref url="../../privacy+/hipaa-or-soc2-or-pci/hipaa/hipaa-officers" %}
[hipaa-officers](https://docs.lisaiceland.com/privacy+/hipaa-or-soc2-or-pci/hipaa/hipaa-officers)
{% endcontent-ref %}

**Physical Safeguards**

* Facility access controls and visitor logs
* Workstation security policies
* Device and media controls
* Equipment disposal procedures

**Technical Safeguards**

* Unique user identification for each person
* Automatic logoff after inactivity
* Encryption of all ePHI
* Audit controls tracking all PHI access
* Integrity controls preventing unauthorized changes
* Transmission security for all PHI in transit
* When handling healthcare data, our guardrails can automatically detect and redact PHI, ensuring compliance while maintaining functionality

#### GDPR Specific Requirements

**Lawful Basis and Transparency**

* Document lawful basis for each processing activity
* Provide clear, accessible privacy notices
* Maintain records of processing activities
* Implement privacy by design principles

**Data Subject Rights**

* Access request procedures (respond within 30 days)
* Rectification capabilities
* Erasure mechanisms ("right to be forgotten")
* Data portability in machine-readable format
* Objection and restriction procedures

**Data Protection**

* Data minimization practices
* Purpose limitation controls
* Storage limitation policies
* Accuracy maintenance procedures

**Accountability**

* Data Protection Impact Assessments (DPIAs)
* Data Processing Agreements with all processors
* Breach notification procedures (72-hour deadline)
* DPO appointment (if required)

### 🟢 *<mark style="color:red;">Implementation</mark>* Strategy

#### *<mark style="color:purple;">Phase 1</mark>*: Assessment and Scoping

* [x] **Identify Applicable Frameworks**

- Successfully implementing these compliance frameworks requires a strategic approach
- Determine which regulations apply based on your data types and geography
- Consider customer requirements and contractual obligations
- Plan for future expansion and requirements

* [x] **Define Scope**

- Map all systems processing sensitive data
- Identify data flows through your LLM gateway
- Document all third-party integrations and vendors

* [x] **Gap Analysis**

- Compare current controls against requirements
- Prioritize high-risk gaps
- Estimate resources needed for remediation

#### *<mark style="color:purple;">Phase 2</mark>*: Control Implementation

* [x] **Technical Controls**

- Deploy encryption for data at rest and in transit
- Implement access controls and MFA
- Set up monitoring and logging infrastructure
- Auto-configured security features including guardrails

* [x] **Administrative Controls**

- Develop required policies and procedures
- Create training programs
- Establish incident response procedures
- Execute necessary agreements (BAAs, DPAs)

* [x] **Physical Controls**

- Secure facility access
- Implement device controls
- Establish media handling procedures

#### *<mark style="color:purple;">Phase 3</mark>*: Automation and Optimization

* [x] **Automate up to 75%** of compliance tasks
* [x] **Automated evidence** collection
* [x] **Continuous control** monitoring
* [x] **Policy template** libraries
* [x] Integrated risk assessments
* [x] **Automated audit** preparation
* [x] **Built-in** compliance tools

#### *<mark style="color:purple;">Phase 4</mark>*: Audit and Certification (Ongoing)

* [x] **Internal Audits**

- Conduct quarterly self-assessments
- Test incident response procedures
- Review and update policies
- Monitor control effectiveness

* [x] **External Audits**

- Select qualified auditors
- Prepare evidence packages
- Remediate findings promptly
- Maintain continuous compliance

### 🟢 *<mark style="color:red;">Leveraging</mark>* Tech

#### Automated Compliance Monitoring

* Modern LLM gateways need sophisticated tools to maintain compliance while delivering high performance
* Real-time control monitoring
* Automated evidence collection
* Compliance dashboards and reporting
* Integration with existing security tools
* Our platform provides comprehensive logging and monitoring across all API calls, making audit trails automatic and compliance reporting straightforward

#### Smart Data Handling

* Automatic PII/PHI detection and redaction
* Dynamic data classification
* Consent management integration
* Automated retention and deletion
* Our guardrails feature can automatically detect and handle sensitive data

#### Intelligent Routing for Compliance

* Route sensitive data to compliant models only
* Implement geographic restrictions
* Enforce data residency requirements
* Apply model-specific security policies
* With our smart routing, routing is handled automatically based on compliance requirements, ensuring healthcare data only goes to HIPAA-compliant models or EU data stays within GDPR-compliant infrastructure
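
One way a gateway can enforce the routing rules listed above, as an added example that is not this platform's code: the data labels, model names, regions and attestation tags are all constructed for illustration. It fails closed when a request is unlabelled, carries an unknown label, or no model satisfies the policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Model:
    name: str
    region: str              # where inference and storage take place
    attestations: frozenset  # compliance agreements in force for this model


# Constructed catalog: hypothetical models, not real providers.
CATALOG = (
    Model("general-us", "us", frozenset()),
    Model("clinical-us", "us", frozenset({"HIPAA_BAA"})),
    Model("general-eu", "eu", frozenset({"GDPR_DPA"})),
    Model("clinical-eu", "eu", frozenset({"HIPAA_BAA", "GDPR_DPA"})),
)

# Hypothetical policy: what each data label demands of a model.
POLICY = {
    "public": {"attestation": None, "regions": None},
    "phi": {"attestation": "HIPAA_BAA", "regions": None},
    "eu_personal": {"attestation": "GDPR_DPA", "regions": {"eu"}},
}


class NoCompliantRoute(Exception):
    """Raised instead of falling back to a model that violates policy."""


def eligible_models(labels, catalog=CATALOG):
    """Return the models allowed to receive data carrying all given labels."""
    labels = set(labels)
    unknown = labels - set(POLICY)
    if not labels or unknown:
        # Unclassified data is treated as unroutable, never as public.
        raise NoCompliantRoute(f"unclassified request: {sorted(unknown)}")
    required = {POLICY[l]["attestation"] for l in labels} - {None}
    region_sets = [POLICY[l]["regions"] for l in labels if POLICY[l]["regions"]]
    allowed = set.intersection(*region_sets) if region_sets else None
    return [
        m for m in catalog
        if required <= m.attestations
        and (allowed is None or m.region in allowed)
    ]


def route(labels, preferred=None, catalog=CATALOG):
    """Pick a compliant model and return a record suitable for an audit log."""
    candidates = eligible_models(labels, catalog)
    if not candidates:
        raise NoCompliantRoute(f"no model satisfies {sorted(labels)}")
    # Honour the caller's preferred model only if it is compliant.
    chosen = next((m for m in candidates if m.name == preferred), candidates[0])
    return {
        "model": chosen.name,
        "region": chosen.region,
        "labels": sorted(labels),
        "overridden": preferred is not None and chosen.name != preferred,
    }


if __name__ == "__main__":
    print(route({"phi"}, preferred="general-us"))
    print(route({"phi", "eu_personal"}))
```

The `overridden` flag records when the caller's requested model was replaced for compliance reasons, which is the kind of decision an audit trail should capture.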

### 🟢 *<mark style="color:red;">Non</mark>*-Compliance *<mark style="color:red;">Cost</mark>*

#### **Financial Impact**

* Understanding the risks helps justify compliance investments
* HIPAA fines: Up to $1.5 million per violation
* GDPR penalties: Up to €20 million or 4% of global turnover
* Increased insurance premiums: Up to 58% higher for non-compliant organizations
* Lost business: 83% of enterprise RFPs require SOC 2

#### **Operational Impact**

* Breach remediation costs averaging $4.45 million
* Business disruption during investigations
* Increased audit and legal costs
* Resource diversion from growth initiatives

#### **Reputational Impact**

* Customer churn increases by 7% post-breach
* Negative media coverage
* Loss of competitive advantage
* Difficulty attracting top talent

### 🟢 Compliance *<mark style="color:red;">Practices</mark>*

#### **Regular Reviews**

* Compliance isn't a one-time achievement—it requires ongoing attention
* Quarterly control assessments
* Annual risk assessments
* Policy updates as regulations change
* Vendor compliance reviews

#### **Employee Training**

* Initial security awareness training
* Annual refreshers
* Role-specific training
* Incident response drills

#### **Technology Updates**

* Security patch management
* Regular vulnerability scanning
* Encryption algorithm updates
* Access control reviews

#### **Documentation**

* Maintain current policies
* Document all changes
* Keep audit trails complete
* Update risk registers

#### **Vendor Management**

* Regular vendor assessments
* Updated agreements
* Compliance attestations
* Incident notification procedures

### 🟢 Compliant *<mark style="color:red;">LLM</mark>* Routing

#### **Assess Your Requirements**

* Implementing comprehensive compliance across SOC 2, HIPAA, and GDPR can seem overwhelming, but the right approach and tools make it manageable
* Identify which frameworks apply to your use case
* Understand your data types and flows
* Define your compliance timeline

#### **Choose the Right Platform**

* Select an LLM gateway with built-in compliance features
* Ensure the platform supports your required frameworks
* Verify the vendor's own compliance certifications

#### **Implement Controls Systematically**

* Start with high-risk areas
* Use automation where possible
* Document everything
* Test regularly

#### **Monitor and Improve**

* Set up continuous monitoring
* Regular internal assessments
* Stay updated on regulatory changes
* Learn from incidents and near-misses
* We simplify this journey by providing a unified LLM gateway with enterprise-grade security features, comprehensive audit logging, and built-in guardrails
* Our platform helps you maintain compliance while accessing 160+ models

## ⚡ *<mark style="color:green;">Security</mark>*. *<mark style="color:purple;">Compliance</mark>*.

> ### Security and compliance for LLM gateways isn't just about checking boxes—*<mark style="color:green;">it's about building trust with your users</mark>* and enabling sustainable growth.&#x20;

* The convergence of SOC 2, HIPAA, and GDPR requirements around core security controls means that a unified approach to compliance is both possible and efficient.
* With the right tools and processes, we maintain continuous compliance while focusing on delivering value through AI.
