Skip to main content
The one question your security team will ask is “where does our data go?” Shadow AI gives you three answers, and you keep the same dashboard in all of them. Clients point at whichever you choose with a single setting (base_url).
ModeWhere scanning happensWhere you review itYour prompts leave your network?
Cloud (default)PromptGuard cloudpromptguard.coYes — to our cloud engine
Hybridyour serverspromptguard.coNo — only verdicts/metadata (configurable)
Air-gappedyour serversa local copy of the dashboardNever — no outbound at all
Cloud is the fastest way to start. Most security-conscious buyers run hybrid: scanning stays on their infrastructure, but they still get one clean cloud dashboard. Pick air-gapped only if you truly can’t allow outbound traffic.

Hybrid — scan on your servers, review in the cloud

Run the engine on your own infrastructure and let only the results flow to the cloud dashboard. On the engine, set:
DEPLOYMENT_MODE=data_plane
CONTROL_PLANE_URL=https://api.promptguard.co
INSTANCE_TOKEN=<your per-instance token>
FORWARD_MODE=content      # or "metadata" — send only counts/decision/threat, never prompt text
Each scanned event is recorded locally first, then reliably forwarded to the cloud (ordered, retried automatically if the link drops — nothing is lost during an outage). Policies you author in the cloud are pulled down automatically. Each engine authenticates with its own token and can only write events for your organization.
Set FORWARD_MODE=metadata to keep per-request visibility and billing in the cloud dashboard while guaranteeing no prompt content ever leaves your network — only the verdict, threat type, and counts do.

Air-gapped — fully offline

The engine and a local copy of the dashboard run entirely inside your network with no outbound connection. Everything you need to review activity — verdicts, threat types, and masked metadata — lives in the local dashboard and its SQLite event log, so you never need to reach the cloud to operate. When you do need to move data between an isolated site and another environment, you do it deliberately. The local event log is the system of record: it can be queried directly, and the import endpoint that ingests signed event bundles verifies both signature and tenant before accepting anything.
Tooling that packages the local event log into tamper-proof signed bundles for transfer across an air gap is available on request and on the near-term roadmap. If you need it for an isolated deployment, contact support@promptguard.co — we don’t ship a generic export script today, so don’t script against one.
In air-gapped mode your dashboard is the local instance — not promptguard.co. Combining data across sites is done with signed bundles, not a live link, and a tampered bundle is rejected.

Which one is right for you

Cloud

Fastest to deploy, full real-time dashboard. Great for getting started.

Hybrid

Scanning on your infra, one cloud dashboard. The common choice for security-sensitive teams.

Air-gapped

No outbound at all — local dashboard, signed bundles. For regulated or isolated environments.