PromptGuard Enterprise provides multi-tenancy, SSO, role-based access control, persistent audit logs, IP allowlisting, and custom billing — all built-in. No separate deployment needed.For custom Enterprise plans, contact us at enterprise@promptguard.co.
Enterprise Features Overview
What’s Included
| Feature | Description |
|---|---|
| Organizations | Team workspaces with role-based membership |
| RBAC | Owner, Admin, Member, Viewer roles with granular permissions |
| SSO (OIDC) | Single sign-on via Okta, Azure AD, Google Workspace, or any OIDC provider |
| Persistent Audit Logs | SOC 2-ready audit trail with integrity hash chain |
| GDPR Compliance | Data export and deletion endpoints |
| IP Allowlisting | Restrict API access to specific IP ranges |
| Webhook Signing | HMAC-SHA256 signatures for webhook verification |
| Custom Retention | Configure log retention per organization |
| Custom Rate Limits | Per-organization rate limit overrides |
| Idempotency Keys | Safe API retries via Idempotency-Key header |
Getting Started
1. Create Your Organization
2. Invite Team Members
3. Set Organization Context
All dashboard API calls accept theX-Organization-Id header to scope operations to your organization:
RBAC (Role-Based Access Control)
Role Hierarchy
| Role | Permissions |
|---|---|
| Owner | Full control: delete org, transfer ownership, manage billing |
| Admin | Manage members, billing, org settings, invite members |
| Member | Create/edit projects, manage API keys, configure policies |
| Viewer | Read-only: view projects, analytics, interactions |
Enforcing Roles
Roles are enforced server-side. No client-side bypasses possible:Self-Hosted Deployment
Run the entire PromptGuard engine — API, dashboard, database, cache — on your infrastructure. Prompts, verdicts, and events never leave your network; the Shadow AI agents on your fleet point at your engine instead of our cloud.Self-hosting is part of the Enterprise agreement: you receive source access
(Business Source License — you can audit exactly what the engine does with
your data), a signed license file, and the deployment package described here.
Contact sales@promptguard.co to get set up.
Deploy with Docker Compose
The deployment package ships a hardened Compose stack (API with read-only filesystem and dropped capabilities, Postgres, Redis, dashboard, optional nginx). From the package root:deploy/docker-compose.yml):
| Variable | What it controls |
|---|---|
DEPLOYMENT_MODE=airgap | Default. No outbound calls from the engine. |
ML_INFERENCE_MODE=local | Bundled ML detection model, fully offline (off = deterministic detectors only). |
SELF_HOST_LICENSE / LICENSE_FILE | Your signed license — inline base64, or a mounted file. |
PROMPTGUARD_LICENSE_GRACE_DAYS | Renewal buffer after license expiry. |
Deploy with Helm (Kubernetes)
database.url) for managed Postgres.
How licensing works (and why it is privacy-safe)
Your license is an Ed25519-signed file verified locally against PromptGuard’s public verification key (embedded in the deployment package). There is no license server in the request path and no content egress:- Signature verification is local and offline — the engine checks the signature and expiry itself, on startup.
- Air-gapped mode makes zero outbound calls. With
DEPLOYMENT_MODE=airgap(the deployment package default) the license heartbeat is disabled entirely — the license is enforced by signature and expiry alone. - Connected mode’s only outbound call is a daily, metadata-only heartbeat
(license id, node fingerprint, customer name — never prompts, verdicts, or
any request content). If the heartbeat can’t get out, the engine keeps
serving through a configurable grace window
(
PROMPTGUARD_LICENSE_GRACE_DAYS). - What you can verify yourself: the license and heartbeat code paths are in
the source you receive (
shared/licensing/,shared/billing/license.py) — auditable end-to-end, including exactly what the heartbeat payload contains.
Point your Shadow AI fleet at your engine
Load Balancer Configuration
Security Hardening
Network Security
Secret Management
RBAC Configuration
Compliance
Persistent Audit Logs (SOC 2)
All security-relevant events are persisted to theaudit_events table with tamper-resistant integrity hash chaining.
Querying interaction logs:
| Parameter | Description |
|---|---|
project_id | Filter by specific project ID |
flagged_only | Set to true to see only blocked/redacted events |
search | Free-text search for event reasoning |
days | Filter by last N days |
limit | 1-1000 |
integrity_hash (SHA-256) for tamper detection.
GDPR Compliance
Data Export (Right to Access):Monitoring and Observability
Enterprise Monitoring Stack
Custom Alerting Rules
Grafana Dashboards
Disaster Recovery
Backup Strategy
Disaster Recovery Runbook
Performance Optimization
Enterprise Performance Tuning
Auto-scaling Configuration
Integration Examples
Enterprise SSO Integration (SAML & OIDC)
PromptGuard supports SAML 2.0 and OIDC single sign-on, configured per organization. Compatible with Okta, Microsoft Entra ID, Google Workspace, Auth0, OneLogin, and any compliant provider.The recommended path is self-serve: an org admin connects their IdP through a hosted setup portal — see Single Sign-On (SSO) and Directory Sync (SCIM). The direct-OIDC configuration below is the manual alternative for self-hosted deployments.
- User visits
https://api.promptguard.co/dashboard/auth/sso/{org-slug}/authorize - PromptGuard redirects to IdP with PKCE challenge
- User authenticates at IdP
- IdP redirects back with authorization code
- PromptGuard exchanges code for tokens, retrieves user info
- User is auto-provisioned (if enabled) and logged in
organizations.settings.sso_config):
| Provider | Issuer URL Format |
|---|---|
| Okta | https://{domain}.okta.com |
| Azure AD | https://login.microsoftonline.com/{tenant}/v2.0 |
| Google Workspace | https://accounts.google.com |
| Auth0 | https://{domain}.auth0.com |
| Any OIDC | Any URL serving .well-known/openid-configuration |
Enterprise API Gateway Integration
Cost Optimization
Resource Planning
Usage Analytics Dashboard
Best Practices Summary
Security Best Practices
Security Best Practices
- Zero Trust Architecture: Verify every request and user
- Defense in Depth: Multiple security layers and controls
- Least Privilege: Minimal necessary access permissions
- Regular Audits: Automated compliance and security scanning
- Incident Response: Documented procedures and automation
Performance Best Practices
Performance Best Practices
- Horizontal Scaling: Auto-scaling based on metrics
- Connection Pooling: Efficient database and cache connections
- Caching Strategy: Multi-layer caching for optimal performance
- Resource Limits: CPU and memory constraints for stability
- Load Testing: Regular performance validation under load
Operational Best Practices
Operational Best Practices
- Infrastructure as Code: Version-controlled deployments
- Blue-Green Deployments: Zero-downtime releases
- Comprehensive Monitoring: Real-time metrics and alerting
- Automated Backups: Regular, tested backup procedures
- Documentation: Maintained runbooks and procedures
Compliance Best Practices
Compliance Best Practices
- Data Classification: Understand and protect sensitive data
- Audit Trails: Comprehensive logging and immutable records
- Regular Assessments: Scheduled compliance reviews
- Privacy by Design: Built-in privacy protections
- Vendor Management: Ensure third-party compliance
Support and Migration
Enterprise Support Channels
- 24/7 Support: Critical issue response within 1 hour
- Dedicated CSM: Assigned Customer Success Manager
- Architecture Review: Quarterly infrastructure assessments
- Training Programs: Enterprise security and operations training
- Migration Assistance: White-glove migration from existing solutions
Professional Services
- Custom Integration: Tailored integration with existing systems
- Security Assessment: Comprehensive security posture evaluation
- Performance Tuning: Optimization for enterprise workloads
- Compliance Consulting: Industry-specific compliance guidance
- Disaster Recovery Planning: Business continuity strategy development
Enterprise Portal
Access enterprise dashboard and management tools
Professional Services
Get white-glove setup and migration assistance
Security Center
Configure advanced security policies and monitoring
Compliance Hub
Manage regulatory compliance and audit requirements