LLM Gateway - Security & Privacy
Version: 1.0
Last Updated: December 2024
The LLM Governance Gateway is designed with security-first principles to protect enterprise data while enabling LLM capabilities.
| Principle | Implementation |
|---|---|
| Zero Trust | Every request authenticated and authorized |
| Defense in Depth | Multiple security layers |
| Least Privilege | Minimal permissions by default |
| Data Minimization | Only store what's necessary |
| Encryption Everywhere | TLS in transit, AES at rest |
2. Data Flow Architecture
Data flow diagram:

EXTERNAL: Client App --HTTPS (TLS 1.3)--> Gateway --HTTPS (TLS 1.3)--> LLM Provider (OpenAI, etc.)

GATEWAY:
- Security layer: TLS Termination | Auth Check | Input Validation | Security Guards | Output Filter
- Governance layer: Policy Engine | Budget Check | Feature Allowlist | Rate Limiter

INTERNAL: Redis (Cache) | PostgreSQL (Metadata) | Logs (Metrics)
| Data Type | Destination | Encrypted | Retained |
|---|---|---|---|
| Prompts/Messages | LLM Provider | Yes (TLS) | NO |
| LLM Responses | Client only | Yes (TLS) | NO |
| API Keys (hashed) | PostgreSQL | Yes (AES) | Yes |
| Usage Metadata | PostgreSQL | Yes (AES) | Yes |
| Rate Limit Counters | Redis | Yes (TLS) | Temporary |
| Audit Events | PostgreSQL | Yes (AES) | Configurable |
Data Stored in Gateway

STORED (Encrypted)
- API key hashes (SHA-256, salted)
- Organization/tenant metadata
- Application configurations
- Policy definitions
- Budget configurations and usage counters
- Feature allowlist definitions
- Audit log metadata:
  - Timestamp
  - Request ID
  - App ID
  - Model used
  - Token counts
  - Cost
  - Decision outcome
  - Latency

TEMPORARY (Redis, TTL-based)
- Rate limit counters (expires after window)
- Session tokens (configurable TTL)
- Cached policy decisions (short TTL)

Data Not Stored by Gateway

NEVER STORED
- Prompt content / User messages
- LLM responses / Completions
- Conversation history
- Embeddings vectors
- File contents
- User personal data (beyond tenant metadata)
- LLM provider API keys (passed through only)

The gateway is a PASS-THROUGH proxy for LLM content.
Content flows: Client → Gateway → LLM → Gateway → Client
Nothing is persisted in between.
| Data Type | Retention | Deletion |
|---|---|---|
| Audit logs | Tier-based (7-365 days) | Automatic |
| Usage metrics | 90 days | Automatic |
| API keys | Until revoked | On request |
| Tenant data | Until deleted | On request |
| Rate limit data | Window duration | Automatic |
Authentication Flow

Request with X-API-Key header:
1. Extract API key from header
2. Hash key with SHA-256
3. Lookup in database
4. Verify not expired/disabled
5. Load tenant context

Result: VALID → 200, INVALID → 401

API Key Format: gw_<prefix>_<random_32_chars>
Storage: SHA-256(key + salt) - original never stored
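An added example (not the gateway's own code) of steps 1-5 above, with key issuance in the stated gw_<prefix>_<random_32_chars> format and a salted SHA-256 lookup; the in-memory KEY_TABLE, the single deployment-wide salt and the record fields (tenant_id, role, disabled, expires_at) are assumptions standing in for the PostgreSQL table.

```python
import hashlib
import re
import secrets
from typing import Optional

# Key format from the page: gw_<prefix>_<random_32_chars>
KEY_RE = re.compile(r"^gw_[a-z0-9]+_[A-Za-z0-9]{32}$")
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

# Hypothetical key table standing in for the PostgreSQL lookup: stored hash -> record
KEY_TABLE: dict = {}


def hash_key(key: str, salt: bytes) -> str:
    """Storage rule from the page: SHA-256(key + salt); the plaintext is never stored."""
    return hashlib.sha256(key.encode("utf-8") + salt).hexdigest()


def issue_key(prefix: str, salt: bytes) -> tuple:
    """Return (plaintext_key, stored_hash). The plaintext is shown to the client once."""
    random_part = "".join(secrets.choice(ALPHABET) for _ in range(32))
    key = f"gw_{prefix}_{random_part}"
    return key, hash_key(key, salt)


def authenticate(header: Optional[str], salt: bytes, now: int) -> tuple:
    """Steps 1-5 of the authentication flow. Returns (HTTP status, tenant context)."""
    if not header or not KEY_RE.fullmatch(header):        # 1. extract and check the format
        return 401, None
    digest = hash_key(header, salt)                         # 2. hash with SHA-256
    record = KEY_TABLE.get(digest)                          # 3. lookup by hash, never by key
    if record is None:
        return 401, None
    if record["disabled"] or record["expires_at"] <= now:   # 4. not expired / not disabled
        return 401, None
    return 200, {"tenant_id": record["tenant_id"], "role": record["role"]}  # 5. tenant context


def demo() -> tuple:
    """Constructed walkthrough: valid key, expired key, unknown key, malformed header."""
    salt = b"constructed-deployment-salt"
    key, stored = issue_key("acme", salt)
    KEY_TABLE[stored] = {"tenant_id": "tenant_123", "role": "developer",
                         "disabled": False, "expires_at": 2_000}
    unknown = "gw_acme_" + "A" * 32
    return (authenticate(key, salt, now=1_000)[0],
            authenticate(key, salt, now=3_000)[0],
            authenticate(unknown, salt, now=1_000)[0],
            authenticate("Bearer abc", salt, now=1_000)[0])
```

Because the random part is 32 characters from a 62-symbol alphabet, a single salted SHA-256 is adequate for these keys; low-entropy secrets such as passwords would need a slow KDF instead.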
| Role | Permissions |
|---|---|
| viewer | Read-only access to own resources |
| developer | Use API, view usage |
| admin | Manage apps, policies, budgets |
| owner | Full tenant control |
All inputs are validated against strict schemas. Security checks applied to every request:
- Schema validation (Pydantic)
- Max token limits
- Max message count
- Content length limits
- Character encoding validation
| Guard | Detection | Action |
|---|---|---|
| PII Detection | Email, phone, SSN patterns | Block/Warn |
| Prompt Injection | Jailbreak patterns | Block |
| Secret Detection | API keys, passwords | Block |
| Sensitive Topics | Configurable blocklist | Block/Warn |
| Instruction Leakage | System prompt extraction | Block |
Example detection patterns:

```python
PII_PATTERNS = {
    "email": r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}",
    "phone": r"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b",
    "ssn": r"\b\d{3}-\d{2}-\d{4}\b",
}
INJECTION_PATTERNS = [
    r"ignore previous instructions",
    r"disregard all prior",
    r"you are now",
    r"new persona",
]
```
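As an added example (not the gateway's own implementation), the PII and injection patterns above applied the way the guard table prescribes: injection matches block, PII matches block or warn. The case-insensitive compile, the warn-mode redaction and the finding format are this example's choices, not rules stated on the page.

```python
import re

# Patterns as listed on the page; injection patterns are compiled case-insensitively
# so variants like "IGNORE previous instructions" are not missed (that flag is an addition).
PII_PATTERNS = {
    "email": re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"),
    "phone": re.compile(r"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
INJECTION_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"ignore previous instructions", r"disregard all prior", r"you are now", r"new persona")]


def scan_text(text: str) -> list:
    """Return findings as (guard, detail, start, end). The matched value itself is
    deliberately not recorded, so findings can go into audit logs without leaking PII."""
    findings = []
    for pat in INJECTION_PATTERNS:
        for m in pat.finditer(text):
            findings.append(("prompt_injection", pat.pattern, m.start(), m.end()))
    for name, pat in PII_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(("pii", name, m.start(), m.end()))
    return findings


def redact_pii(text: str) -> str:
    """Replace each PII match with a typed placeholder (used when the PII guard warns)."""
    for name, pat in PII_PATTERNS.items():
        text = pat.sub(f"[REDACTED {name.upper()}]", text)
    return text


def run_guards(messages: list, pii_action: str = "warn") -> dict:
    """Apply the guard table to a chat request: injection -> block; PII -> block, or warn
    and forward a redacted copy. Findings are returned for the audit record."""
    findings = []
    for i, msg in enumerate(messages):
        findings += [(i,) + f for f in scan_text(msg["content"])]
    if any(f[1] == "prompt_injection" for f in findings):
        return {"outcome": "block", "findings": findings, "messages": None}
    if any(f[1] == "pii" for f in findings):
        if pii_action == "block":
            return {"outcome": "block", "findings": findings, "messages": None}
        forwarded = [{**m, "content": redact_pii(m["content"])} for m in messages]
        return {"outcome": "warn", "findings": findings, "messages": forwarded}
    return {"outcome": "allow", "findings": [], "messages": messages}
```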
```yaml
# Minimum TLS 1.2, prefer TLS 1.3
tls:
  min_version: TLSv1.2
  prefer_version: TLSv1.3
  ciphers:
    # These three are TLS 1.3 suites; a client that can only do TLS 1.2 needs a
    # separate TLS 1.2 suite list (e.g. ECDHE + AES-GCM) or it cannot negotiate.
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_AES_128_GCM_SHA256
```
Network Architecture

INTERNET: Load Balancer (WAF/DDoS) receives client traffic; LLM Providers are reached outbound only
DMZ: Gateway Service (behind the load balancer)
PRIVATE: Redis / Postgres (private only, reachable from the gateway)

Traffic: Client → Load Balancer → Gateway Service → Redis / Postgres; Gateway Service → LLM Providers

Firewall Rules:
- Inbound: HTTPS (443) only through LB
- Internal: Gateway → Redis (6379), PostgreSQL (5432)
- Outbound: Gateway → LLM APIs (443)
5.3 Rate Limiting & DDoS Protection
| Layer | Protection |
|---|---|
| Edge (CDN/LB) | DDoS mitigation, WAF |
| Gateway | Per-key rate limits |
| Application | Concurrent connection limits |
| Connection | Encryption |
|---|---|
| Client → Gateway | TLS 1.3 |
| Gateway → LLM Provider | TLS 1.3 |
| Gateway → PostgreSQL | TLS 1.2+ |
| Gateway → Redis | TLS 1.2+ |
| Data | Encryption |
|---|---|
| PostgreSQL | AES-256 (RDS/Cloud SQL) |
| Redis | AES-256 (ElastiCache) |
| Backups | AES-256 |
| API Keys | SHA-256 + Salt (hashed, not encrypted) |
Example audit event:

```json
{
  "event_id": "evt_abc123",
  "timestamp": "2024-12-14T10:30:00Z",
  "event_type": "llm_request",
  "app_id": "app_xyz",
  "tenant_id": "tenant_123",
  "request_id": "req_456",
  "model": "gpt-4o",
  "tokens": {
    "prompt": 150,
    "completion": 200,
    "total": 350
  },
  "cost_usd": 0.0105,
  "latency_ms": 1250,
  "decision": {
    "outcome": "allow",
    "checks_passed": ["auth", "policy", "budget", "security"]
  },
  "ip_address": "192.168.1.100",
  "user_agent": "MyApp/1.0"
}
```
Note: Prompt content and LLM responses are NOT included in audit logs.
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In Progress | Expected Q2 2025 |
| GDPR | Compliant | EU data residency available |
| CCPA | Compliant | Data deletion on request |
| HIPAA | Roadmap | Contact for BAA |
| Region | Available | Data Center |
|---|---|---|
| US | Yes | AWS us-east-1, us-west-2 |
| EU | Yes | AWS eu-west-1, eu-central-1 |
| APAC | Roadmap | AWS ap-southeast-1 |
8.1 Security Incident Classification
| Severity | Description | Response Time |
|---|---|---|
| Critical | Data breach, system compromise | Immediate |
| High | Unauthorized access attempt | 1 hour |
| Medium | Policy violation | 4 hours |
| Low | Anomaly detected | 24 hours |
8.2 Incident Response Process
1. DETECT → Automated monitoring alerts
2. TRIAGE → Security team assessment
3. CONTAIN → Isolate affected systems
4. ERADICATE → Remove threat
5. RECOVER → Restore services
6. REVIEW → Post-incident analysis
9. Security Best Practices for Clients
```python
# DO: Use environment variables
import os
api_key = os.environ["GATEWAY_API_KEY"]

# DO: Rotate keys regularly
# Recommended: Every 90 days

# DON'T: Hardcode keys
api_key = "gw_xxx_hardcoded"  # NEVER DO THIS

# DON'T: Commit keys to git
# Use .gitignore and secret managers

# DO: Use HTTPS only
client = GatewayClient("https://api.gateway.com")

# DO: Validate responses
response = client.chat(...)
if response.status != "success":
    handle_error(response)

# DO: Implement retry with backoff
# (bound the attempts so a persistent failure does not retry forever)
from tenacity import retry, stop_after_attempt, wait_exponential

@retry(wait=wait_exponential(multiplier=1, max=60), stop=stop_after_attempt(5))
def call_llm():
    return client.chat(...)

# DO: Sanitize inputs before sending
import re

def sanitize_prompt(text: str) -> str:
    cleaned_text = text
    # Remove potential PII (SSN-shaped numbers shown here; extend with the other PII patterns)
    cleaned_text = re.sub(r"\b\d{3}-\d{2}-\d{4}\b", "[REDACTED]", cleaned_text)
    # Remove injection patterns
    cleaned_text = re.sub(r"ignore previous instructions", "", cleaned_text, flags=re.IGNORECASE)
    return cleaned_text

# DO: Use features/contracts
request = {
    "contract": {
        "app_id": "my-app",
        "feature": "customer-support",  # Tracked
        "action": "generate"
    }
}
```
The organization deploying the LLM Gateway is the data controller. Anthropic/OpenAI remain data processors for LLM inference.
| Purpose | Legal Basis | Data |
|---|---|---|
| Authentication | Contract | API keys, tenant info |
| Authorization | Contract | Policies, permissions |
| Usage tracking | Legitimate interest | Metadata, costs |
| Security | Legitimate interest | IP, patterns |
| Right | Supported | How |
|---|---|---|
| Access | Yes | API or request |
| Rectification | Yes | Admin API |
| Erasure | Yes | Tenant deletion |
| Portability | Yes | Export API |
| Objection | N/A | No profiling |
| Provider | Purpose | Location |
|---|---|---|
| AWS/GCP/Azure | Infrastructure | Configurable |
| OpenAI | LLM inference | US |
| Anthropic | LLM inference | US |
| Datadog (optional) | Monitoring | US/EU |