Enterprise Features - Contact SalesThis documentation covers enterprise-grade deployment options. Enterprise features including custom deployments, dedicated infrastructure, and advanced compliance controls are available by contacting our sales team at [email protected] or [email protected].Current self-service plans: Free, Starter, and Growth. For enterprise solutions, please reach out for a customized quote.
This guide covers enterprise-grade deployment of PromptGuard with advanced security, compliance, and scalability requirements for large organizations.
Enterprise Architecture
High-Availability Deployment
Copy
# docker-compose.enterprise.yml
version: '3.8'
services:
promptguard-lb:
image: nginx:alpine
ports:
- "443:443"
- "80:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
- ./ssl:/etc/ssl/certs
depends_on:
- promptguard-api-1
- promptguard-api-2
- promptguard-api-3
promptguard-api-1:
image: promptguard/api:enterprise
environment:
- REDIS_CLUSTER_NODES=redis-1:6379,redis-2:6379,redis-3:6379
- DATABASE_URL=postgresql://user:pass@postgres-primary:5432/promptguard
- ENABLE_AUDIT_LOGGING=true
- COMPLIANCE_MODE=strict
deploy:
resources:
limits:
memory: 2G
cpus: '1.0'
promptguard-api-2:
image: promptguard/api:enterprise
environment:
- REDIS_CLUSTER_NODES=redis-1:6379,redis-2:6379,redis-3:6379
- DATABASE_URL=postgresql://user:pass@postgres-primary:5432/promptguard
- ENABLE_AUDIT_LOGGING=true
- COMPLIANCE_MODE=strict
promptguard-api-3:
image: promptguard/api:enterprise
environment:
- REDIS_CLUSTER_NODES=redis-1:6379,redis-2:6379,redis-3:6379
- DATABASE_URL=postgresql://user:pass@postgres-primary:5432/promptguard
- ENABLE_AUDIT_LOGGING=true
- COMPLIANCE_MODE=strict
postgres-primary:
image: postgres:15-alpine
environment:
POSTGRES_DB: promptguard
POSTGRES_USER: promptguard_user
POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
volumes:
- postgres_data:/var/lib/postgresql/data
- ./postgres-primary.conf:/etc/postgresql/postgresql.conf
secrets:
- postgres_password
redis-1:
image: redis:7-alpine
command: redis-server --cluster-enabled yes --cluster-config-file nodes.conf
volumes:
- redis_1_data:/data
redis-2:
image: redis:7-alpine
command: redis-server --cluster-enabled yes --cluster-config-file nodes.conf
volumes:
- redis_2_data:/data
redis-3:
image: redis:7-alpine
command: redis-server --cluster-enabled yes --cluster-config-file nodes.conf
volumes:
- redis_3_data:/data
volumes:
postgres_data:
redis_1_data:
redis_2_data:
redis_3_data:
secrets:
postgres_password:
file: ./secrets/postgres_password.txt
Load Balancer Configuration
Copy
# nginx.conf
upstream promptguard_backend {
least_conn;
server promptguard-api-1:8080 max_fails=3 fail_timeout=30s;
server promptguard-api-2:8080 max_fails=3 fail_timeout=30s;
server promptguard-api-3:8080 max_fails=3 fail_timeout=30s;
}
server {
listen 443 ssl http2;
server_name api.yourcompany.com;
ssl_certificate /etc/ssl/certs/promptguard.crt;
ssl_certificate_key /etc/ssl/certs/promptguard.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;
# Security headers
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options DENY;
add_header X-XSS-Protection "1; mode=block";
location / {
proxy_pass http://promptguard_backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Timeouts
proxy_connect_timeout 5s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# Rate limiting
limit_req zone=api burst=100 nodelay;
}
location /health {
access_log off;
proxy_pass http://promptguard_backend/health;
}
}
# Rate limiting
http {
limit_req_zone $binary_remote_addr zone=api:10m rate=1000r/m;
}
Security Hardening
Network Security
Copy
# kubernetes-network-policy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: promptguard-network-policy
namespace: promptguard
spec:
podSelector:
matchLabels:
app: promptguard
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: nginx-ingress
ports:
- protocol: TCP
port: 8080
egress:
- to:
- podSelector:
matchLabels:
app: postgres
ports:
- protocol: TCP
port: 5432
- to:
- podSelector:
matchLabels:
app: redis
ports:
- protocol: TCP
port: 6379
- to: []
ports:
- protocol: TCP
port: 443 # HTTPS to LLM providers
Secret Management
Copy
# Using HashiCorp Vault
vault kv put secret/promptguard/api \
openai_api_key="sk-..." \
anthropic_api_key="sk-ant-..." \
database_password="..." \
jwt_secret="..." \
encryption_key="..."
# Kubernetes secret from Vault
kubectl create secret generic promptguard-secrets \
--from-literal=openai-api-key="$(vault kv get -field=openai_api_key secret/promptguard/api)" \
--from-literal=anthropic-api-key="$(vault kv get -field=anthropic_api_key secret/promptguard/api)" \
--from-literal=database-password="$(vault kv get -field=database_password secret/promptguard/api)"
RBAC Configuration
Copy
# promptguard-rbac.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: promptguard
name: promptguard-operator
rules:
- apiGroups: [""]
resources: ["pods", "services", "configmaps", "secrets"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets"]
verbs: ["get", "list", "watch", "create", "update", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: promptguard-operator-binding
namespace: promptguard
subjects:
- kind: ServiceAccount
name: promptguard-service-account
namespace: promptguard
roleRef:
kind: Role
name: promptguard-operator
apiGroup: rbac.authorization.k8s.io
Compliance Configuration
SOC 2 Compliance
Copy
# Enterprise configuration for SOC 2 compliance
ENTERPRISE_CONFIG = {
"audit_logging": {
"enabled": True,
"log_level": "detailed",
"retention_days": 2555, # 7 years
"encryption": "AES-256",
"immutable_storage": True
},
"access_controls": {
"mfa_required": True,
"session_timeout": 1800, # 30 minutes
"password_policy": {
"min_length": 12,
"require_symbols": True,
"require_numbers": True,
"require_uppercase": True,
"prevent_reuse": 24
}
},
"data_protection": {
"encryption_at_rest": True,
"encryption_in_transit": True,
"key_rotation_days": 90,
"pii_detection": "strict",
"data_residency": "us-east-1"
},
"monitoring": {
"real_time_alerts": True,
"anomaly_detection": True,
"compliance_reporting": True,
"incident_response": "automated"
}
}
GDPR Configuration
Copy
# GDPR-compliant data handling
GDPR_CONFIG = {
"data_minimization": {
"collect_only_necessary": True,
"automatic_expiration": True,
"purpose_limitation": True
},
"user_rights": {
"right_to_access": True,
"right_to_rectification": True,
"right_to_erasure": True,
"right_to_portability": True,
"right_to_object": True
},
"lawful_basis": {
"consent_management": True,
"legitimate_interest": True,
"contract_performance": True,
"legal_obligation": True
},
"data_protection": {
"privacy_by_design": True,
"privacy_by_default": True,
"impact_assessments": True,
"breach_notification": "72_hours"
}
}
HIPAA Configuration
Copy
# HIPAA-compliant healthcare setup
HIPAA_CONFIG = {
"administrative_safeguards": {
"security_officer": True,
"workforce_training": True,
"access_management": "role_based",
"audit_controls": "comprehensive"
},
"physical_safeguards": {
"facility_access": "controlled",
"workstation_use": "restricted",
"device_controls": "encrypted"
},
"technical_safeguards": {
"access_control": "unique_user_identification",
"audit_controls": "automatic_logoff",
"integrity": "electronic_signature",
"transmission_security": "end_to_end_encryption"
},
"phi_protection": {
"minimum_necessary": True,
"de_identification": "safe_harbor",
"breach_notification": "immediate",
"business_associate": "compliant"
}
}
Monitoring and Observability
Enterprise Monitoring Stack
Copy
# prometheus-config.yml
global:
scrape_interval: 15s
evaluation_interval: 15s
rule_files:
- "promptguard-alerts.yml"
scrape_configs:
- job_name: 'promptguard-api'
static_configs:
- targets: ['promptguard-api-1:8080', 'promptguard-api-2:8080', 'promptguard-api-3:8080']
metrics_path: /metrics
scrape_interval: 5s
- job_name: 'postgres'
static_configs:
- targets: ['postgres-primary:9187']
- job_name: 'redis'
static_configs:
- targets: ['redis-1:9121', 'redis-2:9121', 'redis-3:9121']
alerting:
alertmanagers:
- static_configs:
- targets:
- alertmanager:9093
Custom Alerting Rules
Copy
# promptguard-alerts.yml
groups:
- name: promptguard-critical
rules:
- alert: HighErrorRate
expr: rate(promptguard_requests_total{status=~"5.."}[5m]) > 0.05
for: 2m
labels:
severity: critical
annotations:
summary: "High error rate detected"
description: "Error rate is {{ $value }} for {{ $labels.instance }}"
- alert: SecurityThreatDetected
expr: increase(promptguard_threats_blocked_total[1m]) > 10
for: 0m
labels:
severity: critical
annotations:
summary: "Multiple security threats detected"
description: "{{ $value }} threats blocked in the last minute"
- alert: ComplianceViolation
expr: promptguard_compliance_violations_total > 0
for: 0m
labels:
severity: critical
annotations:
summary: "Compliance violation detected"
description: "{{ $value }} compliance violations detected"
- name: promptguard-performance
rules:
- alert: HighLatency
expr: histogram_quantile(0.95, rate(promptguard_request_duration_seconds_bucket[5m])) > 0.1
for: 5m
labels:
severity: warning
annotations:
summary: "High latency detected"
description: "95th percentile latency is {{ $value }}s"
- alert: DatabaseConnectionsHigh
expr: postgres_connections_active / postgres_connections_max > 0.8
for: 5m
labels:
severity: warning
annotations:
summary: "Database connections high"
description: "{{ $value }}% of database connections are active"
Grafana Dashboards
Copy
{
"dashboard": {
"title": "PromptGuard Enterprise Dashboard",
"panels": [
{
"title": "Request Rate",
"type": "graph",
"targets": [
{
"expr": "rate(promptguard_requests_total[5m])",
"legendFormat": "{{instance}}"
}
]
},
{
"title": "Security Events",
"type": "stat",
"targets": [
{
"expr": "sum(increase(promptguard_threats_blocked_total[1h]))",
"legendFormat": "Threats Blocked"
}
]
},
{
"title": "Compliance Status",
"type": "table",
"targets": [
{
"expr": "promptguard_compliance_status",
"format": "table"
}
]
},
{
"title": "Error Rate by Service",
"type": "heatmap",
"targets": [
{
"expr": "rate(promptguard_requests_total{status=~\"5..\"}[5m]) by (service)",
"legendFormat": "{{service}}"
}
]
}
]
}
}
Disaster Recovery
Backup Strategy
Copy
#!/bin/bash
# enterprise-backup.sh
# Database backup with encryption
pg_dump --host=postgres-primary --port=5432 --username=promptguard_user \
--no-password --verbose --clean --no-owner --no-privileges \
--format=custom promptguard | \
gpg --cipher-algo AES256 --compress-algo 1 --symmetric \
--output "/backups/promptguard-$(date +%Y%m%d-%H%M%S).sql.gpg"
# Redis backup
redis-cli --rdb /backups/redis-$(date +%Y%m%d-%H%M%S).rdb
# Configuration backup
tar -czf "/backups/config-$(date +%Y%m%d-%H%M%S).tar.gz" \
/etc/promptguard/ /etc/nginx/ /etc/ssl/
# Upload to S3 with versioning
aws s3 cp /backups/ s3://promptguard-backups/$(date +%Y/%m/%d)/ \
--recursive --storage-class GLACIER_IR
# Cleanup local backups older than 7 days
find /backups -name "*.gpg" -mtime +7 -delete
find /backups -name "*.rdb" -mtime +7 -delete
find /backups -name "*.tar.gz" -mtime +7 -delete
Disaster Recovery Runbook
Copy
# disaster-recovery.yml
recovery_procedures:
complete_outage:
rto: "1 hour" # Recovery Time Objective
rpo: "15 minutes" # Recovery Point Objective
steps:
1. "Activate backup datacenter"
2. "Restore database from latest backup"
3. "Update DNS to point to backup infrastructure"
4. "Verify all services are operational"
5. "Notify stakeholders of recovery completion"
database_failure:
rto: "30 minutes"
rpo: "5 minutes"
steps:
1. "Promote read replica to primary"
2. "Update application configuration"
3. "Restart application services"
4. "Verify data integrity"
security_incident:
rto: "immediate"
rpo: "0 minutes"
steps:
1. "Isolate affected systems"
2. "Rotate all API keys and secrets"
3. "Review audit logs for compromise"
4. "Notify security team and customers"
5. "Implement additional security measures"
Performance Optimization
Enterprise Performance Tuning
Copy
# enterprise-config.py
PERFORMANCE_CONFIG = {
"connection_pooling": {
"database_pool_size": 50,
"database_max_overflow": 100,
"redis_pool_size": 20,
"connection_timeout": 30
},
"caching": {
"policy_cache_ttl": 3600, # 1 hour
"user_cache_ttl": 1800, # 30 minutes
"rate_limit_cache_ttl": 60, # 1 minute
"cache_compression": True
},
"async_processing": {
"worker_processes": 4,
"max_concurrent_requests": 1000,
"request_timeout": 30,
"batch_processing": True
},
"optimization": {
"enable_http2": True,
"gzip_compression": True,
"static_asset_caching": True,
"database_query_optimization": True
}
}
Auto-scaling Configuration
Copy
# kubernetes-hpa.yml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
name: promptguard-hpa
namespace: promptguard
spec:
scaleTargetRef:
apiVersion: apps/v1
kind: Deployment
name: promptguard-api
minReplicas: 3
maxReplicas: 20
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 70
- type: Resource
resource:
name: memory
target:
type: Utilization
averageUtilization: 80
- type: Pods
pods:
metric:
name: requests_per_second
target:
type: AverageValue
averageValue: "100"
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Percent
value: 10
periodSeconds: 60
scaleUp:
stabilizationWindowSeconds: 60
policies:
- type: Percent
value: 50
periodSeconds: 60
Integration Examples
Enterprise SSO Integration
Copy
# enterprise-auth.py
from saml2 import BINDING_HTTP_POST, BINDING_HTTP_REDIRECT
from saml2.config import Config as Saml2Config
SAML_CONFIG = {
'entityid': 'https://api.yourcompany.com/saml/metadata',
'service': {
'sp': {
'endpoints': {
'assertion_consumer_service': [
('https://api.yourcompany.com/saml/acs', BINDING_HTTP_POST),
],
'single_logout_service': [
('https://api.yourcompany.com/saml/sls', BINDING_HTTP_REDIRECT),
],
},
'name_id_format': 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent',
'required_attributes': ['email', 'firstName', 'lastName', 'department'],
'optional_attributes': ['phone', 'title', 'manager'],
},
},
'metadata': {
'remote': [
{
'url': 'https://yourcompany.okta.com/app/metadata',
'cert': '/path/to/okta-cert.pem',
},
],
},
'key_file': '/path/to/private-key.pem',
'cert_file': '/path/to/certificate.pem',
}
# Role-based access control mapping
ROLE_MAPPING = {
'promptguard-admin': ['admin', 'security_admin'],
'promptguard-analyst': ['analyst', 'security_analyst'],
'promptguard-user': ['user'],
'promptguard-viewer': ['viewer', 'read_only'],
}
Enterprise API Gateway Integration
Copy
# kong-configuration.yml
_format_version: "3.0"
services:
- name: promptguard-api
url: http://promptguard-backend:8080
plugins:
- name: rate-limiting-advanced
config:
limit:
- 1000
window_size:
- 60
identifier: consumer
sync_rate: 10
strategy: cluster
- name: oauth2
config:
enable_client_credentials: true
scopes:
- read
- write
- admin
token_expiration: 3600
- name: prometheus
config:
per_consumer: true
status_code_metrics: true
latency_metrics: true
bandwidth_metrics: true
routes:
- name: promptguard-v1
service: promptguard-api
paths:
- /v1
plugins:
- name: request-size-limiting
config:
allowed_payload_size: 1024
- name: response-transformer
config:
add:
headers:
- "X-API-Version: v1"
- "X-Enterprise-Mode: enabled"
consumers:
- username: enterprise-client
custom_id: ent-001
oauth2_credentials:
- name: enterprise-app
client_id: enterprise-12345
client_secret: secret-67890
Cost Optimization
Resource Planning
Copy
# cost-optimization.py
COST_OPTIMIZATION_CONFIG = {
"resource_allocation": {
"development": {
"cpu_limit": "0.5",
"memory_limit": "1Gi",
"replicas": 1
},
"staging": {
"cpu_limit": "1.0",
"memory_limit": "2Gi",
"replicas": 2
},
"production": {
"cpu_limit": "2.0",
"memory_limit": "4Gi",
"replicas": 3,
"auto_scaling": True
}
},
"cost_controls": {
"spot_instances": True,
"scheduled_scaling": {
"business_hours": "8-18",
"weekend_scaling": "0.5x"
},
"reserved_capacity": "80%",
"cost_alerts": {
"monthly_budget": 10000,
"alert_threshold": 0.8
}
}
}
Usage Analytics Dashboard
Copy
# enterprise-analytics.py
class EnterpriseAnalytics:
def generate_cost_report(self, period="monthly"):
"""Generate detailed cost breakdown report."""
return {
"infrastructure_costs": {
"compute": self.get_compute_costs(period),
"storage": self.get_storage_costs(period),
"networking": self.get_network_costs(period)
},
"llm_provider_costs": {
"openai": self.get_openai_costs(period),
"anthropic": self.get_anthropic_costs(period)
},
"security_events": {
"threats_blocked": self.get_threats_blocked(period),
"cost_savings": self.calculate_security_savings(period)
},
"recommendations": self.get_optimization_recommendations()
}
def get_optimization_recommendations(self):
"""Provide cost optimization recommendations."""
return [
"Consider increasing cache TTL for policy rules",
"Scale down development environments during off-hours",
"Use batch processing for non-critical requests",
"Implement request deduplication to reduce LLM costs"
]
Best Practices Summary
Security Best Practices
Security Best Practices
- Zero Trust Architecture: Verify every request and user
- Defense in Depth: Multiple security layers and controls
- Least Privilege: Minimal necessary access permissions
- Regular Audits: Automated compliance and security scanning
- Incident Response: Documented procedures and automation
Performance Best Practices
Performance Best Practices
- Horizontal Scaling: Auto-scaling based on metrics
- Connection Pooling: Efficient database and cache connections
- Caching Strategy: Multi-layer caching for optimal performance
- Resource Limits: CPU and memory constraints for stability
- Load Testing: Regular performance validation under load
Operational Best Practices
Operational Best Practices
- Infrastructure as Code: Version-controlled deployments
- Blue-Green Deployments: Zero-downtime releases
- Comprehensive Monitoring: Real-time metrics and alerting
- Automated Backups: Regular, tested backup procedures
- Documentation: Maintained runbooks and procedures
Compliance Best Practices
Compliance Best Practices
- Data Classification: Understand and protect sensitive data
- Audit Trails: Comprehensive logging and immutable records
- Regular Assessments: Scheduled compliance reviews
- Privacy by Design: Built-in privacy protections
- Vendor Management: Ensure third-party compliance
Support and Migration
Enterprise Support Channels
- 24/7 Support: Critical issue response within 1 hour
- Dedicated CSM: Assigned Customer Success Manager
- Architecture Review: Quarterly infrastructure assessments
- Training Programs: Enterprise security and operations training
- Migration Assistance: White-glove migration from existing solutions
Professional Services
- Custom Integration: Tailored integration with existing systems
- Security Assessment: Comprehensive security posture evaluation
- Performance Tuning: Optimization for enterprise workloads
- Compliance Consulting: Industry-specific compliance guidance
- Disaster Recovery Planning: Business continuity strategy development
Enterprise Portal
Access enterprise dashboard and management tools
Professional Services
Get white-glove setup and migration assistance
Security Center
Configure advanced security policies and monitoring
Compliance Hub
Manage regulatory compliance and audit requirements