The data boundary
Audit logs live on the platform. Administrative actions across your organization — config changes, key rotations, role updates, gateway registrations — are recorded centrally on the Guardway dashboard. View them from Settings → Audit Log.
Encryption
- In transit — every hop (your app → gateway → provider, dashboard → gateway, gateway → control plane) uses TLS 1.2+.
- At rest — provider API keys and other secrets are AES-256 encrypted on the gateway. Keys are decrypted only in memory for the duration of a request.
- Log redaction — secret-looking values (Bearer tokens,
sk-...keys,Authorizationheaders, password-like fields) are redacted from logs automatically.
Authentication
- Dashboard users authenticate via Supabase with email + password; activation invites expire in 1 hour. Session timeouts are configurable per user (see Console).
- Gateways authenticate to the control plane with a one-time registration token at first boot, then with long-lived derived credentials. You can revoke a gateway’s credentials from the dashboard at any time.
- Applications authenticate to the gateway with API keys you issue (see API keys) — per-key scopes, budgets, quotas, IP allow-lists, MCP access rules.
Authorization (RBAC)
Gateway-scoped roles:
See Access.
Container hardening
The gateway image ships with:- Non-root user at runtime.
- Read-only root filesystem.
- Dropped Linux capabilities — only the minimum set needed to bind ports and open outbound connections.
- Restricted seccomp profile.
Content safety
Built-in guardrails run on the gateway with low latency and no third-party dependency:- PII detection — SSN, credit card, email, phone, API key patterns.
- Hate speech / toxicity.
- Prompt injection — jailbreak and instruction-override patterns.
- Keyword filters — custom allow and deny lists.
- IP allow / block-lists.
Data retention
- On the gateway — logs and traces follow whatever retention you configure. Default is rolling local storage; mount a persistent volume at
/var/lib/guardwayto survive restarts. - On the cloud dashboard — aggregate usage and spend metrics, plus administrative audit logs, are retained for the life of your subscription. There are no raw request or response bodies stored in the cloud to retain.
Compliance
Guardway’s architecture is built to support:- SOC 2 — centralized auth, RBAC, audit logging, TLS in transit, key management, access reviews.
- HIPAA — centralized audit logs, PII guardrails, per-user access, automatic logoff (see Console).
- PCI DSS — encryption at rest for secrets, credit-card PII detection, unique user identification, full audit trail.
- GDPR — PII detection and redaction, data minimization (no prompt bodies leave your network), incident-response support via audit log export.