Security Registry

1. Encryption in Transit

All network traffic routed through our marketing endpoints and managed Cloud Gateway is encrypted in transit using industry-standard Transport Layer Security (TLS 1.3). This prevents interception of payloads, credentials, and telemetry streams as they traverse the public internet.

2. Data Isolation and Storage Boundaries

We offer different levels of logical and physical data isolation depending on the plan you select:

• Self-Hosted VPC Boundary: The self-hosted Community Edition is completely containerized. All prompt keys, weights, and logs reside inside your privately controlled virtual private cloud (VPC). Under this deployment, no keys or data payloads are ever transmitted to or stored by Selixes.
• Transient Gateway Cloud Transit: The managed edge gateway processes API payloads to evaluate active limits (such as session cost caps, timeout controls, and PII filters). Prompt and response payloads are parsed in transient memory only and are not stored in any persistent data volume.
• Dedicated Private Deployment: For custom enterprise configurations, Selixes instances run as a dedicated private deployment (single-tenant isolation scoped per contract) with private network access rules.

3. Access Controls

API keys used to authenticate with the Selixes gateway are logically separated. If you are using our managed Cloud Gateway, your API keys are encrypted at rest using standard AES-256 encryption. We support role-based dashboard access, credential rotations, and immediate key revocation.

4. Auditable Telemetry

Selixes provides complete visibility into your LLM request histories. You can review active provider routing pathways, circuit breaker events, and latency checks directly in the observability logs. For self-hosted instances, logs are stored within your own local postgres/redis infrastructure, providing you with full data access and retention control.