Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt

Use this file to discover all available pages before exploring further.

PromptGuard Enterprise provides multi-tenancy, SSO, role-based access control, persistent audit logs, IP allowlisting, and custom billing — all built-in. No separate deployment needed.For custom Enterprise plans, contact us at enterprise@promptguard.co.

Enterprise Features Overview

What’s Included

FeatureDescription
OrganizationsTeam workspaces with role-based membership
RBACOwner, Admin, Member, Viewer roles with granular permissions
SSO (OIDC)Single sign-on via Okta, Azure AD, Google Workspace, or any OIDC provider
Persistent Audit LogsSOC 2-ready audit trail with integrity hash chain
GDPR ComplianceData export and deletion endpoints
IP AllowlistingRestrict API access to specific IP ranges
Webhook SigningHMAC-SHA256 signatures for webhook verification
Custom RetentionConfigure log retention per organization
Custom Rate LimitsPer-organization rate limit overrides
Idempotency KeysSafe API retries via Idempotency-Key header

Getting Started

1. Create Your Organization

curl -X POST https://api.promptguard.co/dashboard/organizations/ \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp",
    "slug": "acme-corp"
  }'

2. Invite Team Members

curl -X POST https://api.promptguard.co/dashboard/organizations/{org_id}/invitations \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "X-Organization-Id: {org_id}" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "colleague@acme.com",
    "role": "member"
  }'

3. Set Organization Context

All dashboard API calls accept the X-Organization-Id header to scope operations to your organization: 
curl https://api.promptguard.co/dashboard/projects/ \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "X-Organization-Id: YOUR_ORG_ID"

RBAC (Role-Based Access Control)

Role Hierarchy

RolePermissions
OwnerFull control: delete org, transfer ownership, manage billing
AdminManage members, billing, org settings, invite members
MemberCreate/edit projects, manage API keys, configure policies
ViewerRead-only: view projects, analytics, interactions

Enforcing Roles

Roles are enforced server-side. No client-side bypasses possible: 
# Backend example - endpoint requires admin role
@router.delete("/{org_id}/members/{user_id}")
async def remove_member(
    org_id: UUID,
    user_id: UUID,
    current_user = Depends(get_current_user),
    org = Depends(require_org_role("admin")),
):
    ...

Enterprise Architecture

High-Availability Deployment

# docker-compose.enterprise.yml
version: '3.8'
services:
  promptguard-lb:
    image: nginx:alpine
    ports:
      - "443:443"
      - "80:80"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf
      - ./ssl:/etc/ssl/certs
    depends_on:
      - promptguard-api-1
      - promptguard-api-2
      - promptguard-api-3

  promptguard-api-1:
    image: promptguard/api:enterprise
    environment:
      - REDIS_CLUSTER_NODES=redis-1:6379,redis-2:6379,redis-3:6379
      - DATABASE_URL=postgresql://user:pass@postgres-primary:5432/promptguard
      - ENABLE_AUDIT_LOGGING=true
      - COMPLIANCE_MODE=strict
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: '1.0'

  promptguard-api-2:
    image: promptguard/api:enterprise
    environment:
      - REDIS_CLUSTER_NODES=redis-1:6379,redis-2:6379,redis-3:6379
      - DATABASE_URL=postgresql://user:pass@postgres-primary:5432/promptguard
      - ENABLE_AUDIT_LOGGING=true
      - COMPLIANCE_MODE=strict

  promptguard-api-3:
    image: promptguard/api:enterprise
    environment:
      - REDIS_CLUSTER_NODES=redis-1:6379,redis-2:6379,redis-3:6379
      - DATABASE_URL=postgresql://user:pass@postgres-primary:5432/promptguard
      - ENABLE_AUDIT_LOGGING=true
      - COMPLIANCE_MODE=strict

  postgres-primary:
    image: postgres:15-alpine
    environment:
      POSTGRES_DB: promptguard
      POSTGRES_USER: promptguard_user
      POSTGRES_PASSWORD_FILE: /run/secrets/postgres_password
    volumes:
      - postgres_data:/var/lib/postgresql/data
      - ./postgres-primary.conf:/etc/postgresql/postgresql.conf
    secrets:
      - postgres_password

  redis-1:
    image: redis:7-alpine
    command: redis-server --cluster-enabled yes --cluster-config-file nodes.conf
    volumes:
      - redis_1_data:/data

  redis-2:
    image: redis:7-alpine
    command: redis-server --cluster-enabled yes --cluster-config-file nodes.conf
    volumes:
      - redis_2_data:/data

  redis-3:
    image: redis:7-alpine
    command: redis-server --cluster-enabled yes --cluster-config-file nodes.conf
    volumes:
      - redis_3_data:/data

volumes:
  postgres_data:
  redis_1_data:
  redis_2_data:
  redis_3_data:

secrets:
  postgres_password:
    file: ./secrets/postgres_password.txt

Load Balancer Configuration

# nginx.conf
upstream promptguard_backend {
    least_conn;
    server promptguard-api-1:8080 max_fails=3 fail_timeout=30s;
    server promptguard-api-2:8080 max_fails=3 fail_timeout=30s;
    server promptguard-api-3:8080 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl http2;
    server_name api.yourcompany.com;

    ssl_certificate /etc/ssl/certs/promptguard.crt;
    ssl_certificate_key /etc/ssl/certs/promptguard.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://promptguard_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Rate limiting
        limit_req zone=api burst=100 nodelay;
    }

    location /health {
        access_log off;
        proxy_pass http://promptguard_backend/health;
    }
}

# Rate limiting
http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=1000r/m;
}

Security Hardening

Network Security

# kubernetes-network-policy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: promptguard-network-policy
  namespace: promptguard
spec:
  podSelector:
    matchLabels:
      app: promptguard
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - podSelector:
        matchLabels:
          app: redis
    ports:
    - protocol: TCP
      port: 6379
  - to: []
    ports:
    - protocol: TCP
      port: 443  # HTTPS to LLM providers

Secret Management

# Using HashiCorp Vault
vault kv put secret/promptguard/api \
  openai_api_key="sk-..." \
  anthropic_api_key="sk-ant-..." \
  database_password="..." \
  jwt_secret="..." \
  encryption_key="..."

# Kubernetes secret from Vault
kubectl create secret generic promptguard-secrets \
  --from-literal=openai-api-key="$(vault kv get -field=openai_api_key secret/promptguard/api)" \
  --from-literal=anthropic-api-key="$(vault kv get -field=anthropic_api_key secret/promptguard/api)" \
  --from-literal=database-password="$(vault kv get -field=database_password secret/promptguard/api)"

RBAC Configuration

# promptguard-rbac.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: promptguard
  name: promptguard-operator
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: promptguard-operator-binding
  namespace: promptguard
subjects:
- kind: ServiceAccount
  name: promptguard-service-account
  namespace: promptguard
roleRef:
  kind: Role
  name: promptguard-operator
  apiGroup: rbac.authorization.k8s.io

Compliance

Persistent Audit Logs (SOC 2)

All security-relevant events are persisted to the audit_events table with tamper-resistant integrity hash chaining. Querying interaction logs: 
# Get all flagged events in the last 7 days
curl "https://api.promptguard.co/dashboard/interactions?flagged_only=true&days=7&page_size=100" \
  -H "Cookie: session=YOUR_SESSION_COOKIE"
Available filters:
ParameterDescription
project_idFilter by specific project ID
flagged_onlySet to true to see only blocked/redacted events
searchFree-text search for event reasoning
daysFilter by last N days
limit1-1000
Each event includes an integrity_hash (SHA-256) for tamper detection.

GDPR Compliance

Data Export (Right to Access): 
curl -X POST https://api.promptguard.co/dashboard/compliance/data-export \
  -H "Authorization: Bearer YOUR_JWT"
Returns all user data: profile, organizations, projects, subscriptions, and security events. Data Deletion (Right to Erasure): 
curl -X POST https://api.promptguard.co/dashboard/compliance/data-deletion \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{"confirmation": "DELETE MY DATA"}'
Cascading deletion of all user data. An audit record is created before deletion for compliance tracking.

Monitoring and Observability

Enterprise Monitoring Stack

# prometheus-config.yml
global:
  scrape_interval: 15s
  evaluation_interval: 15s

rule_files:
  - "promptguard-alerts.yml"

scrape_configs:
  - job_name: 'promptguard-api'
    static_configs:
      - targets: ['promptguard-api-1:8080', 'promptguard-api-2:8080', 'promptguard-api-3:8080']
    metrics_path: /metrics
    scrape_interval: 5s

  - job_name: 'postgres'
    static_configs:
      - targets: ['postgres-primary:9187']

  - job_name: 'redis'
    static_configs:
      - targets: ['redis-1:9121', 'redis-2:9121', 'redis-3:9121']

alerting:
  alertmanagers:
    - static_configs:
        - targets:
          - alertmanager:9093

Custom Alerting Rules

# promptguard-alerts.yml
groups:
- name: promptguard-critical
  rules:
  - alert: HighErrorRate
    expr: rate(promptguard_requests_total{status=~"5.."}[5m]) > 0.05
    for: 2m
    labels:
      severity: critical
    annotations:
      summary: "High error rate detected"
      description: "Error rate is {{ $value }} for {{ $labels.instance }}"

  - alert: SecurityThreatDetected
    expr: increase(promptguard_threats_flagged_total[1m]) > 10
    for: 0m
    labels:
      severity: critical
    annotations:
      summary: "Multiple security threats detected"
      description: "{{ $value }} threats flagged in the last minute"

  - alert: ComplianceViolation
    expr: promptguard_compliance_violations_total > 0
    for: 0m
    labels:
      severity: critical
    annotations:
      summary: "Compliance violation detected"
      description: "{{ $value }} compliance violations detected"

- name: promptguard-performance
  rules:
  - alert: HighLatency
    expr: histogram_quantile(0.95, rate(promptguard_request_duration_seconds_bucket[5m])) > 0.1
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "High latency detected"
      description: "95th percentile latency is {{ $value }}s"

  - alert: DatabaseConnectionsHigh
    expr: postgres_connections_active / postgres_connections_max > 0.8
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Database connections high"
      description: "{{ $value }}% of database connections are active"

Grafana Dashboards

{
  "dashboard": {
    "title": "PromptGuard Enterprise Dashboard",
    "panels": [
      {
        "title": "Request Rate",
        "type": "graph",
        "targets": [
          {
            "expr": "rate(promptguard_requests_total[5m])",
            "legendFormat": "{{instance}}"
          }
        ]
      },
      {
        "title": "Security Events",
        "type": "stat",
        "targets": [
          {
            "expr": "sum(increase(promptguard_threats_flagged_total[1h]))",
            "legendFormat": "Threats Flagged"
          }
        ]
      },
      {
        "title": "Compliance Status",
        "type": "table",
        "targets": [
          {
            "expr": "promptguard_compliance_status",
            "format": "table"
          }
        ]
      },
      {
        "title": "Error Rate by Service",
        "type": "heatmap",
        "targets": [
          {
            "expr": "rate(promptguard_requests_total{status=~\"5..\"}[5m]) by (service)",
            "legendFormat": "{{service}}"
          }
        ]
      }
    ]
  }
}

Disaster Recovery

Backup Strategy

#!/bin/bash
# enterprise-backup.sh

# Database backup with encryption
pg_dump --host=postgres-primary --port=5432 --username=promptguard_user \
  --no-password --verbose --clean --no-owner --no-privileges \
  --format=custom promptguard | \
  gpg --cipher-algo AES256 --compress-algo 1 --symmetric \
    --output "/backups/promptguard-$(date +%Y%m%d-%H%M%S).sql.gpg"

# Redis backup
redis-cli --rdb /backups/redis-$(date +%Y%m%d-%H%M%S).rdb

# Configuration backup
tar -czf "/backups/config-$(date +%Y%m%d-%H%M%S).tar.gz" \
  /etc/promptguard/ /etc/nginx/ /etc/ssl/

# Upload to S3 with versioning
aws s3 cp /backups/ s3://promptguard-backups/$(date +%Y/%m/%d)/ \
  --recursive --storage-class GLACIER_IR

# Cleanup local backups older than 7 days
find /backups -name "*.gpg" -mtime +7 -delete
find /backups -name "*.rdb" -mtime +7 -delete
find /backups -name "*.tar.gz" -mtime +7 -delete

Disaster Recovery Runbook

# disaster-recovery.yml
recovery_procedures:
  complete_outage:
    rto: "1 hour"  # Recovery Time Objective
    rpo: "15 minutes"  # Recovery Point Objective
    steps:
      1. "Activate backup datacenter"
      2. "Restore database from latest backup"
      3. "Update DNS to point to backup infrastructure"
      4. "Verify all services are operational"
      5. "Notify stakeholders of recovery completion"

  database_failure:
    rto: "30 minutes"
    rpo: "5 minutes"
    steps:
      1. "Promote read replica to primary"
      2. "Update application configuration"
      3. "Restart application services"
      4. "Verify data integrity"

  security_incident:
    rto: "immediate"
    rpo: "0 minutes"
    steps:
      1. "Isolate affected systems"
      2. "Rotate all API keys and secrets"
      3. "Review audit logs for compromise"
      4. "Notify security team and customers"
      5. "Implement additional security measures"

Performance Optimization

Enterprise Performance Tuning

# enterprise-config.py
PERFORMANCE_CONFIG = {
    "connection_pooling": {
        "database_pool_size": 50,
        "database_max_overflow": 100,
        "redis_pool_size": 20,
        "connection_timeout": 30
    },
    "caching": {
        "policy_cache_ttl": 3600,  # 1 hour
        "user_cache_ttl": 1800,    # 30 minutes
        "rate_limit_cache_ttl": 60, # 1 minute
        "cache_compression": True
    },
    "async_processing": {
        "worker_processes": 4,
        "max_concurrent_requests": 1000,
        "request_timeout": 30,
        "batch_processing": True
    },
    "optimization": {
        "enable_http2": True,
        "gzip_compression": True,
        "static_asset_caching": True,
        "database_query_optimization": True
    }
}

Auto-scaling Configuration

# kubernetes-hpa.yml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: promptguard-hpa
  namespace: promptguard
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: promptguard-api
  minReplicas: 3
  maxReplicas: 20
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
  - type: Pods
    pods:
      metric:
        name: requests_per_second
      target:
        type: AverageValue
        averageValue: "100"
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
      - type: Percent
        value: 10
        periodSeconds: 60
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
      - type: Percent
        value: 50
        periodSeconds: 60

Integration Examples

Enterprise SSO Integration (OIDC)

PromptGuard supports OIDC-based SSO configured per organization. Compatible with Okta, Azure AD, Google Workspace, Auth0, and any OIDC-compliant provider. SSO Flow:
  1. User visits https://api.promptguard.co/dashboard/auth/sso/{org-slug}/authorize
  2. PromptGuard redirects to IdP with PKCE challenge
  3. User authenticates at IdP
  4. IdP redirects back with authorization code
  5. PromptGuard exchanges code for tokens, retrieves user info
  6. User is auto-provisioned (if enabled) and logged in
Configuration (stored in organizations.settings.sso_config): 
{
  "sso_config": {
    "provider": "oidc",
    "issuer": "https://yourcompany.okta.com",
    "client_id": "0oa1234567890abcdef",
    "client_secret": "encrypted_secret_here",
    "allowed_domains": ["yourcompany.com"],
    "auto_provision": true
  }
}
Supported IdP Providers:
ProviderIssuer URL Format
Oktahttps://{domain}.okta.com
Azure ADhttps://login.microsoftonline.com/{tenant}/v2.0
Google Workspacehttps://accounts.google.com
Auth0https://{domain}.auth0.com
Any OIDCAny URL serving .well-known/openid-configuration

Enterprise API Gateway Integration

# kong-configuration.yml
_format_version: "3.0"

services:
- name: promptguard-api
  url: http://promptguard-backend:8080
  plugins:
  - name: rate-limiting-advanced
    config:
      limit:
      - 1000
      window_size:
      - 60
      identifier: consumer
      sync_rate: 10
      strategy: cluster

  - name: oauth2
    config:
      enable_client_credentials: true
      scopes:
      - read
      - write
      - admin
      token_expiration: 3600

  - name: prometheus
    config:
      per_consumer: true
      status_code_metrics: true
      latency_metrics: true
      bandwidth_metrics: true

routes:
- name: promptguard-v1
  service: promptguard-api
  paths:
  - /v1
  plugins:
  - name: request-size-limiting
    config:
      allowed_payload_size: 1024

  - name: response-transformer
    config:
      add:
        headers:
        - "X-API-Version: v1"
        - "X-Enterprise-Mode: enabled"

consumers:
- username: enterprise-client
  custom_id: ent-001
  oauth2_credentials:
  - name: enterprise-app
    client_id: enterprise-12345
    client_secret: secret-67890

Cost Optimization

Resource Planning

# cost-optimization.py
COST_OPTIMIZATION_CONFIG = {
    "resource_allocation": {
        "development": {
            "cpu_limit": "0.5",
            "memory_limit": "1Gi",
            "replicas": 1
        },
        "staging": {
            "cpu_limit": "1.0",
            "memory_limit": "2Gi",
            "replicas": 2
        },
        "production": {
            "cpu_limit": "2.0",
            "memory_limit": "4Gi",
            "replicas": 3,
            "auto_scaling": True
        }
    },
    "cost_controls": {
        "spot_instances": True,
        "scheduled_scaling": {
            "business_hours": "8-18",
            "weekend_scaling": "0.5x"
        },
        "reserved_capacity": "80%",
        "cost_alerts": {
            "monthly_budget": 10000,
            "alert_threshold": 0.8
        }
    }
}

Usage Analytics Dashboard

# enterprise-analytics.py
class EnterpriseAnalytics:
    def generate_cost_report(self, period="monthly"):
        """Generate detailed cost breakdown report."""
        return {
            "infrastructure_costs": {
                "compute": self.get_compute_costs(period),
                "storage": self.get_storage_costs(period),
                "networking": self.get_network_costs(period)
            },
            "llm_provider_costs": {
                "openai": self.get_openai_costs(period),
                "anthropic": self.get_anthropic_costs(period)
            },
            "security_events": {
                "threats_flagged": self.get_threats_flagged(period),
                "cost_savings": self.calculate_security_savings(period)
            },
            "recommendations": self.get_optimization_recommendations()
        }

    def get_optimization_recommendations(self):
        """Provide cost optimization recommendations."""
        return [
            "Consider increasing cache TTL for policy rules",
            "Scale down development environments during off-hours",
            "Use batch processing for non-critical requests",
            "Implement request deduplication to reduce LLM costs"
        ]

Best Practices Summary

  • Zero Trust Architecture: Verify every request and user
  • Defense in Depth: Multiple security layers and controls
  • Least Privilege: Minimal necessary access permissions
  • Regular Audits: Automated compliance and security scanning
  • Incident Response: Documented procedures and automation
  • Horizontal Scaling: Auto-scaling based on metrics
  • Connection Pooling: Efficient database and cache connections
  • Caching Strategy: Multi-layer caching for optimal performance
  • Resource Limits: CPU and memory constraints for stability
  • Load Testing: Regular performance validation under load
  • Infrastructure as Code: Version-controlled deployments
  • Blue-Green Deployments: Zero-downtime releases
  • Comprehensive Monitoring: Real-time metrics and alerting
  • Automated Backups: Regular, tested backup procedures
  • Documentation: Maintained runbooks and procedures
  • Data Classification: Understand and protect sensitive data
  • Audit Trails: Comprehensive logging and immutable records
  • Regular Assessments: Scheduled compliance reviews
  • Privacy by Design: Built-in privacy protections
  • Vendor Management: Ensure third-party compliance

Support and Migration

Enterprise Support Channels

  • 24/7 Support: Critical issue response within 1 hour
  • Dedicated CSM: Assigned Customer Success Manager
  • Architecture Review: Quarterly infrastructure assessments
  • Training Programs: Enterprise security and operations training
  • Migration Assistance: White-glove migration from existing solutions

Professional Services

  • Custom Integration: Tailored integration with existing systems
  • Security Assessment: Comprehensive security posture evaluation
  • Performance Tuning: Optimization for enterprise workloads
  • Compliance Consulting: Industry-specific compliance guidance
  • Disaster Recovery Planning: Business continuity strategy development

Enterprise Portal

Access enterprise dashboard and management tools

Professional Services

Get white-glove setup and migration assistance

Security Center

Configure advanced security policies and monitoring

Compliance Hub

Manage regulatory compliance and audit requirements
Need enterprise support? Contact our team at enterprise@promptguard.co for personalized deployment assistance.