> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Enterprise Setup

> Complete guide for deploying PromptGuard in enterprise environments with organizations, SSO, RBAC, compliance, and security controls

<Info>
  PromptGuard Enterprise provides multi-tenancy, SSO, role-based access control, persistent audit logs, IP allowlisting, and custom billing -- all built-in. No separate deployment needed.

  For custom Enterprise plans, contact us at [enterprise@promptguard.co](mailto:enterprise@promptguard.co).
</Info>

## Enterprise Features Overview

### What's Included

| Feature                   | Description                                                               |
| ------------------------- | ------------------------------------------------------------------------- |
| **Organizations**         | Team workspaces with role-based membership                                |
| **RBAC**                  | Owner, Admin, Member, Viewer roles with granular permissions              |
| **SSO (OIDC)**            | Single sign-on via Okta, Azure AD, Google Workspace, or any OIDC provider |
| **Persistent Audit Logs** | SOC 2-ready audit trail with integrity hash chain                         |
| **GDPR Compliance**       | Data export and deletion endpoints                                        |
| **IP Allowlisting**       | Restrict API access to specific IP ranges                                 |
| **Webhook Signing**       | HMAC-SHA256 signatures for webhook verification                           |
| **Custom Retention**      | Configure log retention per organization                                  |
| **Custom Rate Limits**    | Per-organization rate limit overrides                                     |
| **Idempotency Keys**      | Safe API retries via `Idempotency-Key` header                             |

## Getting Started

### 1. Create Your Organization

```bash theme={"system"}
curl -X POST https://api.promptguard.co/dashboard/organizations/ \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Acme Corp",
    "slug": "acme-corp"
  }'
```

### 2. Invite Team Members

```bash theme={"system"}
curl -X POST https://api.promptguard.co/dashboard/organizations/{org_id}/invitations \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "X-Organization-Id: {org_id}" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "colleague@acme.com",
    "role": "member"
  }'
```

### 3. Set Organization Context

All dashboard API calls accept the `X-Organization-Id` header to scope operations to your organization:

```bash theme={"system"}
curl https://api.promptguard.co/dashboard/projects/ \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "X-Organization-Id: YOUR_ORG_ID"
```

## RBAC (Role-Based Access Control)

### Role Hierarchy

| Role       | Permissions                                                  |
| ---------- | ------------------------------------------------------------ |
| **Owner**  | Full control: delete org, transfer ownership, manage billing |
| **Admin**  | Manage members, billing, org settings, invite members        |
| **Member** | Create/edit projects, manage API keys, configure policies    |
| **Viewer** | Read-only: view projects, analytics, interactions            |

### Enforcing Roles

Roles are enforced server-side. No client-side bypasses possible:

```python theme={"system"}
# Backend example - endpoint requires admin role
@router.delete("/{org_id}/members/{user_id}")
async def remove_member(
    org_id: UUID,
    user_id: UUID,
    current_user = Depends(get_current_user),
    org = Depends(require_org_role("admin")),
):
    ...
```

## Self-Hosted Deployment

Run the entire PromptGuard engine — API, dashboard, database, cache — on **your**
infrastructure. Prompts, verdicts, and events never leave your network; the
Shadow AI agents on your fleet point at your engine instead of our cloud.

<Note>
  Self-hosting is part of the Enterprise agreement: you receive source access
  (Business Source License — you can audit exactly what the engine does with
  your data), a signed license file, and the deployment package described here.
  Contact [sales@promptguard.co](mailto:sales@promptguard.co) to get set up.
</Note>

### Deploy with Docker Compose

The deployment package ships a hardened Compose stack (API with read-only
filesystem and dropped capabilities, Postgres, Redis, dashboard, optional
nginx). From the package root:

```bash theme={"system"}
cd deploy
JWT_SECRET=$(openssl rand -hex 32) \
API_KEY_ENCRYPTION_KEY=$(openssl rand -base64 32) \
API_KEY_SALT=$(openssl rand -hex 16) \
SELF_HOST_LICENSE=$(base64 < license.json) \
docker compose up -d

curl http://localhost:8080/health   # engine up
```

Key environment choices (all documented inline in `deploy/docker-compose.yml`):

| Variable                             | What it controls                                                                  |
| ------------------------------------ | --------------------------------------------------------------------------------- |
| `DEPLOYMENT_MODE=airgap`             | Default. No outbound calls from the engine.                                       |
| `ML_INFERENCE_MODE=local`            | Bundled ML detection model, fully offline (`off` = deterministic detectors only). |
| `SELF_HOST_LICENSE` / `LICENSE_FILE` | Your signed license — inline base64, or a mounted file.                           |
| `PROMPTGUARD_LICENSE_GRACE_DAYS`     | Renewal buffer after license expiry.                                              |

### Deploy with Helm (Kubernetes)

```bash theme={"system"}
helm install promptguard deploy/helm/promptguard \
  --set license.inline="$(base64 < license.json)" \
  --set api.secrets.jwtSecret="$(openssl rand -hex 32)"
```

The chart includes HPA autoscaling, pod disruption budgets, ingress, and an
external-database option (`database.url`) for managed Postgres.

### How licensing works (and why it is privacy-safe)

Your license is an **Ed25519-signed file** verified **locally** against
PromptGuard's public verification key (embedded in the deployment package).
There is no license server in the request path and no content egress:

* **Signature verification is local and offline** — the engine checks the
  signature and expiry itself, on startup.
* **Air-gapped mode makes zero outbound calls.** With `DEPLOYMENT_MODE=airgap`
  (the deployment package default) the license heartbeat is disabled entirely —
  the license is enforced by signature and expiry alone.
* **Connected mode's only outbound call is a daily, metadata-only heartbeat**
  (license id, node fingerprint, customer name — never prompts, verdicts, or
  any request content). If the heartbeat can't get out, the engine keeps
  serving through a configurable grace window
  (`PROMPTGUARD_LICENSE_GRACE_DAYS`).
* **What you can verify yourself:** the license and heartbeat code paths are in
  the source you receive (`shared/licensing/`, `shared/billing/license.py`) —
  auditable end-to-end, including exactly what the heartbeat payload contains.

### Point your Shadow AI fleet at your engine

```bash theme={"system"}
pgshadow login --base-url https://guard.internal.yourcompany.com/api/v1
```

The agent is identical in cloud and self-host modes — only the engine URL
changes. Detection, redaction, and event storage all happen inside your
perimeter.

### Load Balancer Configuration

```nginx theme={"system"}
# nginx.conf
upstream promptguard_backend {
    least_conn;
    server promptguard-api-1:8080 max_fails=3 fail_timeout=30s;
    server promptguard-api-2:8080 max_fails=3 fail_timeout=30s;
    server promptguard-api-3:8080 max_fails=3 fail_timeout=30s;
}

server {
    listen 443 ssl http2;
    server_name api.yourcompany.com;

    ssl_certificate /etc/ssl/certs/promptguard.crt;
    ssl_certificate_key /etc/ssl/certs/promptguard.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512;

    # Security headers
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        proxy_pass http://promptguard_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts
        proxy_connect_timeout 5s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Rate limiting
        limit_req zone=api burst=100 nodelay;
    }

    location /health {
        access_log off;
        proxy_pass http://promptguard_backend/health;
    }
}

# Rate limiting
http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=1000r/m;
}
```

## Security Hardening

### Network Security

```yaml theme={"system"}
# kubernetes-network-policy.yml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: promptguard-network-policy
  namespace: promptguard
spec:
  podSelector:
    matchLabels:
      app: promptguard
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: nginx-ingress
    ports:
    - protocol: TCP
      port: 8080
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: postgres
    ports:
    - protocol: TCP
      port: 5432
  - to:
    - podSelector:
        matchLabels:
          app: redis
    ports:
    - protocol: TCP
      port: 6379
  - to: []
    ports:
    - protocol: TCP
      port: 443  # HTTPS to LLM providers
```

### Secret Management

```bash theme={"system"}
# Using HashiCorp Vault
vault kv put secret/promptguard/api \
  openai_api_key="sk-..." \
  anthropic_api_key="sk-ant-..." \
  database_password="..." \
  jwt_secret="..." \
  encryption_key="..."

# Kubernetes secret from Vault
kubectl create secret generic promptguard-secrets \
  --from-literal=openai-api-key="$(vault kv get -field=openai_api_key secret/promptguard/api)" \
  --from-literal=anthropic-api-key="$(vault kv get -field=anthropic_api_key secret/promptguard/api)" \
  --from-literal=database-password="$(vault kv get -field=database_password secret/promptguard/api)"
```

### RBAC Configuration

```yaml theme={"system"}
# promptguard-rbac.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: promptguard
  name: promptguard-operator
rules:
- apiGroups: [""]
  resources: ["pods", "services", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]
- apiGroups: ["apps"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list", "watch", "create", "update", "patch"]

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: promptguard-operator-binding
  namespace: promptguard
subjects:
- kind: ServiceAccount
  name: promptguard-service-account
  namespace: promptguard
roleRef:
  kind: Role
  name: promptguard-operator
  apiGroup: rbac.authorization.k8s.io
```

## Compliance

### Persistent Audit Logs (SOC 2)

All security-relevant events are persisted to the `audit_events` table with tamper-resistant integrity hash chaining.

**Querying interaction logs:**

```bash theme={"system"}
# Get all flagged events in the last 7 days
curl "https://api.promptguard.co/dashboard/interactions?flagged_only=true&days=7&page_size=100" \
  -H "Cookie: session=YOUR_SESSION_COOKIE"
```

**Available filters:**

| Parameter      | Description                                     |
| -------------- | ----------------------------------------------- |
| `project_id`   | Filter by specific project ID                   |
| `flagged_only` | Set to true to see only blocked/redacted events |
| `search`       | Free-text search for event reasoning            |
| `days`         | Filter by last N days                           |
| `limit`        | 1-1000                                          |

Each event includes an `integrity_hash` (SHA-256) for tamper detection.

### GDPR Compliance

**Data Export** (Right to Access):

```bash theme={"system"}
curl -X POST https://api.promptguard.co/dashboard/compliance/data-export \
  -H "Authorization: Bearer YOUR_JWT"
```

Returns all user data: profile, organizations, projects, subscriptions, and security events.

**Data Deletion** (Right to Erasure):

```bash theme={"system"}
curl -X POST https://api.promptguard.co/dashboard/compliance/data-deletion \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{"confirmation": "DELETE MY DATA"}'
```

Cascading deletion of all user data. An audit record is created before deletion for compliance tracking.

## Monitoring and Observability

### Enterprise Monitoring Stack

```yaml theme={"system"}
# prometheus-config.yml
global:
  scrape_interval: 15s
  evaluation_interval: 15s

rule_files:
  - "promptguard-alerts.yml"

scrape_configs:
  - job_name: 'promptguard-api'
    static_configs:
      - targets: ['promptguard-api-1:8080', 'promptguard-api-2:8080', 'promptguard-api-3:8080']
    metrics_path: /metrics
    scrape_interval: 5s

  - job_name: 'postgres'
    static_configs:
      - targets: ['postgres-primary:9187']

  - job_name: 'redis'
    static_configs:
      - targets: ['redis-1:9121', 'redis-2:9121', 'redis-3:9121']

alerting:
  alertmanagers:
    - static_configs:
        - targets:
          - alertmanager:9093
```

### Custom Alerting Rules

```yaml theme={"system"}
# promptguard-alerts.yml
groups:
- name: promptguard-critical
  rules:
  - alert: HighErrorRate
    expr: rate(promptguard_requests_total{status=~"5.."}[5m]) > 0.05
    for: 2m
    labels:
      severity: critical
    annotations:
      summary: "High error rate detected"
      description: "Error rate is {{ $value }} for {{ $labels.instance }}"

  - alert: SecurityThreatDetected
    expr: increase(promptguard_threats_flagged_total[1m]) > 10
    for: 0m
    labels:
      severity: critical
    annotations:
      summary: "Multiple security threats detected"
      description: "{{ $value }} threats flagged in the last minute"

  - alert: ComplianceViolation
    expr: promptguard_compliance_violations_total > 0
    for: 0m
    labels:
      severity: critical
    annotations:
      summary: "Compliance violation detected"
      description: "{{ $value }} compliance violations detected"

- name: promptguard-performance
  rules:
  - alert: HighLatency
    expr: histogram_quantile(0.95, rate(promptguard_request_duration_seconds_bucket[5m])) > 0.1
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "High latency detected"
      description: "95th percentile latency is {{ $value }}s"

  - alert: DatabaseConnectionsHigh
    expr: postgres_connections_active / postgres_connections_max > 0.8
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "Database connections high"
      description: "{{ $value }}% of database connections are active"
```

### Grafana Dashboards

```json theme={"system"}
{
  "dashboard": {
    "title": "PromptGuard Enterprise Dashboard",
    "panels": [
      {
        "title": "Request Rate",
        "type": "graph",
        "targets": [
          {
            "expr": "rate(promptguard_requests_total[5m])",
            "legendFormat": "{{instance}}"
          }
        ]
      },
      {
        "title": "Security Events",
        "type": "stat",
        "targets": [
          {
            "expr": "sum(increase(promptguard_threats_flagged_total[1h]))",
            "legendFormat": "Threats Flagged"
          }
        ]
      },
      {
        "title": "Compliance Status",
        "type": "table",
        "targets": [
          {
            "expr": "promptguard_compliance_status",
            "format": "table"
          }
        ]
      },
      {
        "title": "Error Rate by Service",
        "type": "heatmap",
        "targets": [
          {
            "expr": "rate(promptguard_requests_total{status=~\"5..\"}[5m]) by (service)",
            "legendFormat": "{{service}}"
          }
        ]
      }
    ]
  }
}
```

## Disaster Recovery

### Backup Strategy

```bash theme={"system"}
#!/bin/bash
# enterprise-backup.sh

# Database backup with encryption
pg_dump --host=postgres-primary --port=5432 --username=promptguard_user \
  --no-password --verbose --clean --no-owner --no-privileges \
  --format=custom promptguard | \
  gpg --cipher-algo AES256 --compress-algo 1 --symmetric \
    --output "/backups/promptguard-$(date +%Y%m%d-%H%M%S).sql.gpg"

# Redis backup
redis-cli --rdb /backups/redis-$(date +%Y%m%d-%H%M%S).rdb

# Configuration backup
tar -czf "/backups/config-$(date +%Y%m%d-%H%M%S).tar.gz" \
  /etc/promptguard/ /etc/nginx/ /etc/ssl/

# Upload to S3 with versioning
aws s3 cp /backups/ s3://promptguard-backups/$(date +%Y/%m/%d)/ \
  --recursive --storage-class GLACIER_IR

# Cleanup local backups older than 7 days
find /backups -name "*.gpg" -mtime +7 -delete
find /backups -name "*.rdb" -mtime +7 -delete
find /backups -name "*.tar.gz" -mtime +7 -delete
```

### Disaster Recovery Runbook

```yaml theme={"system"}
# disaster-recovery.yml
recovery_procedures:
  complete_outage:
    rto: "1 hour"  # Recovery Time Objective
    rpo: "15 minutes"  # Recovery Point Objective
    steps:
      1. "Activate backup datacenter"
      2. "Restore database from latest backup"
      3. "Update DNS to point to backup infrastructure"
      4. "Verify all services are operational"
      5. "Notify stakeholders of recovery completion"

  database_failure:
    rto: "30 minutes"
    rpo: "5 minutes"
    steps:
      1. "Promote read replica to primary"
      2. "Update application configuration"
      3. "Restart application services"
      4. "Verify data integrity"

  security_incident:
    rto: "immediate"
    rpo: "0 minutes"
    steps:
      1. "Isolate affected systems"
      2. "Rotate all API keys and secrets"
      3. "Review audit logs for compromise"
      4. "Notify security team and customers"
      5. "Implement additional security measures"
```

## Performance Optimization

### Enterprise Performance Tuning

```python theme={"system"}
# enterprise-config.py
PERFORMANCE_CONFIG = {
    "connection_pooling": {
        "database_pool_size": 50,
        "database_max_overflow": 100,
        "redis_pool_size": 20,
        "connection_timeout": 30
    },
    "caching": {
        "policy_cache_ttl": 3600,  # 1 hour
        "user_cache_ttl": 1800,    # 30 minutes
        "rate_limit_cache_ttl": 60, # 1 minute
        "cache_compression": True
    },
    "async_processing": {
        "worker_processes": 4,
        "max_concurrent_requests": 1000,
        "request_timeout": 30,
        "batch_processing": True
    },
    "optimization": {
        "enable_http2": True,
        "gzip_compression": True,
        "static_asset_caching": True,
        "database_query_optimization": True
    }
}
```

### Auto-scaling Configuration

```yaml theme={"system"}
# kubernetes-hpa.yml
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: promptguard-hpa
  namespace: promptguard
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: promptguard-api
  minReplicas: 3
  maxReplicas: 20
  metrics:
  - type: Resource
    resource:
      name: cpu
      target:
        type: Utilization
        averageUtilization: 70
  - type: Resource
    resource:
      name: memory
      target:
        type: Utilization
        averageUtilization: 80
  - type: Pods
    pods:
      metric:
        name: requests_per_second
      target:
        type: AverageValue
        averageValue: "100"
  behavior:
    scaleDown:
      stabilizationWindowSeconds: 300
      policies:
      - type: Percent
        value: 10
        periodSeconds: 60
    scaleUp:
      stabilizationWindowSeconds: 60
      policies:
      - type: Percent
        value: 50
        periodSeconds: 60
```

## Integration Examples

### Enterprise SSO Integration (SAML & OIDC)

PromptGuard supports **SAML 2.0** and **OIDC** single sign-on, configured per organization. Compatible with Okta, Microsoft Entra ID, Google Workspace, Auth0, OneLogin, and any compliant provider.

<Note>
  The recommended path is **self-serve**: an org admin connects their IdP through a hosted setup portal — see [Single Sign-On (SSO)](/platform/sso) and [Directory Sync (SCIM)](/platform/scim). The direct-OIDC configuration below is the manual alternative for self-hosted deployments.
</Note>

**Direct OIDC flow (self-hosted):**

1. User visits `https://api.promptguard.co/dashboard/auth/sso/{org-slug}/authorize`
2. PromptGuard redirects to IdP with PKCE challenge
3. User authenticates at IdP
4. IdP redirects back with authorization code
5. PromptGuard exchanges code for tokens, retrieves user info
6. User is auto-provisioned (if enabled) and logged in

**Configuration** (stored in `organizations.settings.sso_config`):

```json theme={"system"}
{
  "sso_config": {
    "provider": "oidc",
    "issuer": "https://yourcompany.okta.com",
    "client_id": "0oa1234567890abcdef",
    "client_secret": "encrypted_secret_here",
    "allowed_domains": ["yourcompany.com"],
    "auto_provision": true
  }
}
```

**Supported IdP Providers:**

| Provider             | Issuer URL Format                                  |
| -------------------- | -------------------------------------------------- |
| **Okta**             | `https://{domain}.okta.com`                        |
| **Azure AD**         | `https://login.microsoftonline.com/{tenant}/v2.0`  |
| **Google Workspace** | `https://accounts.google.com`                      |
| **Auth0**            | `https://{domain}.auth0.com`                       |
| **Any OIDC**         | Any URL serving `.well-known/openid-configuration` |

### Enterprise API Gateway Integration

```yaml theme={"system"}
# kong-configuration.yml
_format_version: "3.0"

services:
- name: promptguard-api
  url: http://promptguard-backend:8080
  plugins:
  - name: rate-limiting-advanced
    config:
      limit:
      - 1000
      window_size:
      - 60
      identifier: consumer
      sync_rate: 10
      strategy: cluster

  - name: oauth2
    config:
      enable_client_credentials: true
      scopes:
      - read
      - write
      - admin
      token_expiration: 3600

  - name: prometheus
    config:
      per_consumer: true
      status_code_metrics: true
      latency_metrics: true
      bandwidth_metrics: true

routes:
- name: promptguard-v1
  service: promptguard-api
  paths:
  - /v1
  plugins:
  - name: request-size-limiting
    config:
      allowed_payload_size: 1024

  - name: response-transformer
    config:
      add:
        headers:
        - "X-API-Version: v1"
        - "X-Enterprise-Mode: enabled"

consumers:
- username: enterprise-client
  custom_id: ent-001
  oauth2_credentials:
  - name: enterprise-app
    client_id: enterprise-12345
    client_secret: secret-67890
```

## Cost Optimization

### Resource Planning

```python theme={"system"}
# cost-optimization.py
COST_OPTIMIZATION_CONFIG = {
    "resource_allocation": {
        "development": {
            "cpu_limit": "0.5",
            "memory_limit": "1Gi",
            "replicas": 1
        },
        "staging": {
            "cpu_limit": "1.0",
            "memory_limit": "2Gi",
            "replicas": 2
        },
        "production": {
            "cpu_limit": "2.0",
            "memory_limit": "4Gi",
            "replicas": 3,
            "auto_scaling": True
        }
    },
    "cost_controls": {
        "spot_instances": True,
        "scheduled_scaling": {
            "business_hours": "8-18",
            "weekend_scaling": "0.5x"
        },
        "reserved_capacity": "80%",
        "cost_alerts": {
            "monthly_budget": 10000,
            "alert_threshold": 0.8
        }
    }
}
```

### Usage Analytics Dashboard

```python theme={"system"}
# enterprise-analytics.py
class EnterpriseAnalytics:
    def generate_cost_report(self, period="monthly"):
        """Generate detailed cost breakdown report."""
        return {
            "infrastructure_costs": {
                "compute": self.get_compute_costs(period),
                "storage": self.get_storage_costs(period),
                "networking": self.get_network_costs(period)
            },
            "llm_provider_costs": {
                "openai": self.get_openai_costs(period),
                "anthropic": self.get_anthropic_costs(period)
            },
            "security_events": {
                "threats_flagged": self.get_threats_flagged(period),
                "cost_savings": self.calculate_security_savings(period)
            },
            "recommendations": self.get_optimization_recommendations()
        }

    def get_optimization_recommendations(self):
        """Provide cost optimization recommendations."""
        return [
            "Consider increasing cache TTL for policy rules",
            "Scale down development environments during off-hours",
            "Use batch processing for non-critical requests",
            "Implement request deduplication to reduce LLM costs"
        ]
```

## Best Practices Summary

<AccordionGroup>
  <Accordion title="Security Best Practices">
    * **Zero Trust Architecture**: Verify every request and user
    * **Defense in Depth**: Multiple security layers and controls
    * **Least Privilege**: Minimal necessary access permissions
    * **Regular Audits**: Automated compliance and security scanning
    * **Incident Response**: Documented procedures and automation
  </Accordion>

  <Accordion title="Performance Best Practices">
    * **Horizontal Scaling**: Auto-scaling based on metrics
    * **Connection Pooling**: Efficient database and cache connections
    * **Caching Strategy**: Multi-layer caching for optimal performance
    * **Resource Limits**: CPU and memory constraints for stability
    * **Load Testing**: Regular performance validation under load
  </Accordion>

  <Accordion title="Operational Best Practices">
    * **Infrastructure as Code**: Version-controlled deployments
    * **Blue-Green Deployments**: Zero-downtime releases
    * **Comprehensive Monitoring**: Real-time metrics and alerting
    * **Automated Backups**: Regular, tested backup procedures
    * **Documentation**: Maintained runbooks and procedures
  </Accordion>

  <Accordion title="Compliance Best Practices">
    * **Data Classification**: Understand and protect sensitive data
    * **Audit Trails**: Comprehensive logging and immutable records
    * **Regular Assessments**: Scheduled compliance reviews
    * **Privacy by Design**: Built-in privacy protections
    * **Vendor Management**: Ensure third-party compliance
  </Accordion>
</AccordionGroup>

## Support and Migration

### Enterprise Support Channels

* **24/7 Support**: Critical issue response within 1 hour
* **Dedicated CSM**: Assigned Customer Success Manager
* **Architecture Review**: Quarterly infrastructure assessments
* **Training Programs**: Enterprise security and operations training
* **Migration Assistance**: White-glove migration from existing solutions

### Professional Services

* **Custom Integration**: Tailored integration with existing systems
* **Security Assessment**: Comprehensive security posture evaluation
* **Performance Tuning**: Optimization for enterprise workloads
* **Compliance Consulting**: Industry-specific compliance guidance
* **Disaster Recovery Planning**: Business continuity strategy development

<CardGroup cols={2}>
  <Card title="Enterprise Portal" icon="building" href="https://enterprise.promptguard.co">
    Access enterprise dashboard and management tools
  </Card>

  <Card title="Professional Services" icon="handshake" href="mailto:enterprise@promptguard.co">
    Get white-glove setup and migration assistance
  </Card>

  <Card title="Security Center" icon="shield" href="/security/overview">
    Configure advanced security policies and monitoring
  </Card>

  <Card title="Compliance Hub" icon="certificate" href="/platform/audit-logs">
    Manage regulatory compliance and audit requirements
  </Card>
</CardGroup>

Need enterprise support? Contact our team at [enterprise@promptguard.co](mailto:enterprise@promptguard.co) for personalized deployment assistance.
