| Identity | API key issuance + rotation + audit. Admin authn via cloud-native MFA. PIV/IA-2(12) tracked as POAM-011. | End-user authn via your IdP. API key custody + protection per your internal policy. |
| Data plane | Routes inference requests. Pre-flight + post-flight detection. Audit metadata persistence. ZERO persistence of prompt + response bodies. | Prompt construction. Response handling. Decision-making on returned content. |
| Encryption | TLS 1.2 over FIPS 140-2 modules end-to-end. CMK at rest (AWS, GCP CMEK, Azure BYOK HSM L3). | Optional client-side encryption before sending. Your CMK if you BYOK. |
| Network | VPC + private subnets + VPCEs + NAT. Single static egress EIP for customer allowlists. | Your caller network. Your egress controls. Mutual TLS if required. |
| Logging | Per-request audit row (metadata only). CloudTrail 7yr. App logs 90d. Access logs 365d. | Your application logs. Correlation against your IdP. Tenant-side SIEM. |
| Incident response | Notification SLA per pricing tier ({ctx.gateway_policy.get('pricing_tier','recon')}). Forensic metadata on request. | Your incident response plan. Customer-side containment of breached app surfaces. |
| Personnel | Optimal personnel security per Optimal SSP § AT/PS controls. | Your personnel security per your applicable framework. |
| Backup / recovery | DDB PITR (35d) for audit metadata. CloudTrail Glacier @ 1y, 7yr retention. | Your application state, your downstream systems. |