> ## Documentation Index
> Fetch the complete documentation index at: https://docs.promptguard.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Deployment Modes

> Decide where your prompts get scanned — in our cloud, on your own servers, or fully offline. Same dashboard either way.

The one question your security team will ask is *"where does our data go?"*
Shadow AI gives you three answers, and you keep the **same dashboard** in all of
them. Clients point at whichever you choose with a single setting (`base_url`).

| Mode                  | Where scanning happens | Where you review it               | Your prompts leave your network?               |
| --------------------- | ---------------------- | --------------------------------- | ---------------------------------------------- |
| **Cloud** *(default)* | PromptGuard cloud      | promptguard.co                    | Yes — to our cloud engine                      |
| **Hybrid**            | **your** servers       | promptguard.co                    | **No** — only verdicts/metadata (configurable) |
| **Air-gapped**        | **your** servers       | a **local** copy of the dashboard | **Never** — no outbound at all                 |

<Note>
  Cloud is the fastest way to start. Most security-conscious buyers run **hybrid**:
  scanning stays on their infrastructure, but they still get one clean cloud
  dashboard. Pick air-gapped only if you truly can't allow outbound traffic.
</Note>

## Hybrid — scan on your servers, review in the cloud

Run the engine on your own infrastructure and let only the **results** flow to
the cloud dashboard. On the engine, set:

```bash theme={"system"}
DEPLOYMENT_MODE=data_plane
CONTROL_PLANE_URL=https://api.promptguard.co
INSTANCE_TOKEN=<your per-instance token>
FORWARD_MODE=content      # or "metadata" — send only counts/decision/threat, never prompt text
```

Each scanned event is recorded locally first, then reliably forwarded to the
cloud (ordered, retried automatically if the link drops — nothing is lost during
an outage). Policies you author in the cloud are pulled down automatically. Each
engine authenticates with its own token and can only write events for **your**
organization.

<Tip>
  Set **`FORWARD_MODE=metadata`** to keep per-request visibility and billing in the
  cloud dashboard while guaranteeing **no prompt content ever leaves your
  network** — only the verdict, threat type, and counts do.
</Tip>

## Air-gapped — fully offline

The engine and a **local** copy of the dashboard run entirely inside your
network with no outbound connection. Everything you need to review activity —
verdicts, threat types, and masked metadata — lives in the local dashboard and
its SQLite event log, so you never need to reach the cloud to operate.

When you do need to move data between an isolated site and another environment,
you do it deliberately. The local event log is the system of record: it can be
queried directly, and the import endpoint that ingests signed event bundles
verifies both signature and tenant before accepting anything.

<Note>
  Tooling that packages the local event log into tamper-proof signed bundles for
  transfer across an air gap is available on request and on the near-term roadmap.
  If you need it for an isolated deployment, contact
  [support@promptguard.co](mailto:support@promptguard.co) — we don't ship a
  generic export script today, so don't script against one.
</Note>

<Warning>
  In air-gapped mode your dashboard is the **local** instance — not promptguard.co.
  Combining data across sites is done with signed bundles, not a live link, and a
  tampered bundle is rejected.
</Warning>

## Which one is right for you

<CardGroup cols={3}>
  <Card title="Cloud" icon="cloud">
    Fastest to deploy, full real-time dashboard. Great for getting started.
  </Card>

  <Card title="Hybrid" icon="arrows-left-right">
    Scanning on your infra, one cloud dashboard. The common choice for
    security-sensitive teams.
  </Card>

  <Card title="Air-gapped" icon="lock">
    No outbound at all — local dashboard, signed bundles. For regulated or
    isolated environments.
  </Card>
</CardGroup>
