Portkey Security & Compliance
SOC 2 certified infrastructure, virtual key management, PII protection, full audit trails, and enterprise access controls enforced at the gateway layer

Overview:

Portkey Security & Compliance delivers enterprise-grade governance for LLM deployments by enforcing security controls at the gateway layer rather than relying on individual application teams to implement them. SOC 2 Type II certified infrastructure, virtual key management, PII protection, budget enforcement, and full audit trails are all applied centrally to every request passing through the gateway.

For organisations in regulated industries or those operating under strict data handling requirements, Portkey also offers a fully self-hosted deployment option. The open-source gateway runs on your own infrastructure with no data egress to Portkey servers, giving complete data sovereignty while retaining the same security controls available in the managed cloud.

  • SOC 2 Type II certified managed cloud with annual third-party audits.
  • Self-hosted deployment option for air-gapped and highly regulated environments.
  • Virtual key management – scoped API keys issued to teams and services without exposing raw provider credentials.
  • PII detection and auto-redaction across 20+ entity types on prompts and responses.
  • Full request and response audit log with user ID, timestamp, model, tokens, and cost – exportable for compliance reviews.
  • Hard and soft budget limits per team, project, and environment with real-time overage alerts.
  • Rate limiting per virtual key to prevent abuse and manage provider capacity.
  • GDPR compliant with a zero data retention (ZDR) option available on Enterprise tier.

SOC 2 Type II Certification

Portkey's managed cloud is SOC 2 Type II certified with annual third-party audits. For organisations that require it, a self-hosted deployment option is available for air-gapped and highly regulated environments where no data can leave the organisation's own infrastructure.

  • SOC 2 Type II certified managed cloud.
  • Annual third-party security audits.
  • Self-hosted option for air-gapped environments.
  • GDPR compliant with zero data retention (ZDR) option.

Virtual Key Management

Store raw LLM provider API keys in Portkey's encrypted vault and issue scoped virtual keys to individual teams, applications, and environments. Rotate or revoke access at any time without touching application code, and review the full usage audit log per key.

  • Encrypted vault for all provider credentials.
  • Scoped virtual keys per team, service, or environment.
  • Instant rotation and revocation without code changes.
  • Full usage audit log per virtual key.

PII Detection & Redaction

Automatically detect and redact personally identifiable information – names, email addresses, credit card numbers, and more – before prompts reach external LLM providers and before responses reach end users. Designed to support GDPR and data minimisation requirements.

  • 20+ PII entity types supported.
  • Scanning on both prompt input and model response output.
  • Auto-redaction or hard block on detection.
  • Full event log per triggered rule.

Full Audit Trail

Every request and response is logged with user ID, timestamp, model used, token counts, and cost. Logs are exportable in structured formats for compliance reviews, security investigations, and legal audits, with configurable retention policies per environment.

  • Full request and response log with 40+ metadata fields.
  • User ID, timestamp, model, tokens, and cost per entry.
  • Exportable for compliance, security, and legal requirements.
  • Configurable retention policy per environment.

Budget & Rate Limit Enforcement

Set hard and soft spend limits per team, project, or virtual key at the gateway layer. Real-time cost tracking and overage alerts prevent runaway AI costs before they become a problem, with rate limiting applied per key to manage provider capacity.

  • Hard and soft spend limits per team and project.
  • Per-virtual-key rate limiting (requests per minute and tokens per minute).
  • Real-time cost tracking with overage alerts.
  • Alerts via dashboard, email, or webhook.

Self-Hosted Deployment

Deploy the open-source Portkey gateway on your own infrastructure for complete data sovereignty. No request or response data egresses to Portkey servers. Self-hosted deployments support Kubernetes, Docker, and private VPC configurations, and are fully auditable as open-source software.

  • Full data sovereignty – no egress to Portkey servers.
  • Kubernetes, Docker, and private VPC support.
  • Open-source and fully auditable codebase.
  • Active/active cluster configuration for high availability.

Enterprise Access Controls

Manage user access to the Portkey dashboard and prompt library with role-based access control. SSO and SAML integration are available on the Enterprise tier, enabling centralised identity management through your existing identity provider.

  • Role-based access control per team and project.
  • SSO and SAML support on Enterprise tier.
  • Centralised identity provider integration.
  • Per-virtual-key permission scoping.

Zero Data Retention (ZDR)

For organisations with strict data handling requirements, Portkey's zero data retention option ensures that no prompt or response content is stored on Portkey infrastructure. All gateway functionality – routing, caching, retries, and observability metadata – continues to operate with ZDR enabled.

Compliance and Observability Integration

Native integrations with Datadog, Grafana, and OpenTelemetry enable audit log data and security events to flow into your existing monitoring and compliance tooling. Every guardrail trigger, blocked request, and budget overage is available as a structured event for downstream processing.

  • Native Datadog, Grafana, and OpenTelemetry integrations.
  • Structured security event export for SIEM tools.
  • Guardrail trigger and budget overage events available via webhook.
  • Full observability metadata without storing prompt content under ZDR.

Portkey Security & Compliance Specifications:


Table 1. Security and Compliance Capabilities

| | Cloud (Managed) | Self-Hosted (Enterprise) |
|---|---|---|
| Certification | SOC 2 Type II, GDPR compliant | Inherits your own compliance posture |
| Data sovereignty | ZDR option available (no prompt/response storage) | Full sovereignty – no egress to Portkey |
| PII entity types | 20+ entity types including names, emails, phone numbers, credit card numbers, and national identifiers |
| Virtual key management | Encrypted vault, scoped keys per team/service/environment, instant rotation and revocation |
| Audit log retention | 30 days (extendable) | Configurable (your storage) |
| Access control | Role-based per team and project | Role-based + SSO/SAML on Enterprise tier |
| Deployment options | Managed cloud (US, EU) | Kubernetes, Docker, private VPC |
| High availability | 99.99% uptime SLA, multi-region | Active/active cluster configuration |

Table 2. Integration and Compatibility

| Identity & Access | Role-based access control per team and project. SSO and SAML support on Enterprise tier via your existing identity provider. |
| Observability | Native integrations with Datadog, Grafana, Langfuse, and OpenTelemetry. Structured security events exportable to SIEM tools. |
| Alerting | Real-time overage and guardrail trigger alerts via dashboard notification, email, and outbound webhook. |
| Guardrails Integration | PII detection and content moderation enforced via Portkey Guardrails at the gateway layer. Works across all 1,600+ supported models. |
| SDKs | Python and JavaScript/TypeScript SDKs. Full OpenAI SDK compatibility – security controls apply without additional integration work. |

Table 3. Key Management and Budget Controls

| Virtual Key Management | Encrypted credential vault. Scoped keys per team, service, and environment. Instant rotation and revocation. Full usage audit log per key. |
| Budget Controls | Hard and soft spend limits per team, project, and virtual key. Real-time cost tracking with overage alerts via dashboard, email, or webhook. |
| Rate Limiting | Per-virtual-key limits on requests per minute and tokens per minute. Soft alert and hard block thresholds configurable per key. |
| Audit Log | Full request and response log with 40+ metadata fields including user ID, timestamp, model, tokens, and cost. Exportable for compliance and legal review. |
| Zero Data Retention | ZDR option ensures no prompt or response content is stored on Portkey infrastructure. All routing, caching, and observability metadata continues to function. |