> ## Documentation Index
> Fetch the complete documentation index at: https://docs.llmgrid.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Security & Compliance

> Understand the security, compliance, and governance features available in LLMGrid and how they are managed.

## Overview

LLMGrid is designed with security and compliance as first‑class concerns. The platform provides a layered security model that combines **access control**, **data protection**, **policy enforcement**, and **auditability** to support enterprise and regulated environments.

Security and compliance controls are centrally managed through the UI and enforced consistently across models, agents, tools, and workflows.

***

## Identity & Access Control

### Virtual Keys (API Keys)

LLMGrid uses **Virtual Keys** to authenticate and authorize API access.

Key capabilities:

* Secure API authentication using bearer tokens
* Fine‑grained scoping by models, routes, teams, and quotas
* Key rotation and revocation without application downtime

Virtual Keys act as the primary boundary for external access.

***

### Internal Users & Roles

The **Internal Users** section allows administrators to manage console access.

Features include:

* Role‑based access control (admin, operator, viewer)
* Scoped permissions across teams and organizations
* Separation between internal users and end‑user identities

***

## Network & Transport Security

* All traffic is secured using HTTPS
* API keys are never exposed in plaintext after creation
* Sensitive connection details (keys, secrets) are masked and securely stored

***

## Data Protection & Privacy

### Guardrails

**Guardrails** enforce safety, privacy, and compliance policies across requests.

Supported capabilities:

* Input and output inspection
* Policy‑based blocking or enforcement
* PII detection and redaction
* Tool and MCP safety validation

Guardrails can run at multiple stages:

* Before model calls
* After responses
* During execution
* Tool invocation (`pre_mcp_call`)
* Logging‑only auditing mode

***

### Prompt & Output Controls

* Prompts can be standardized and versioned
* Guardrails ensure outputs comply with organizational policies
* Unsafe or disallowed content can be blocked or logged automatically

***

## Usage Controls & Abuse Prevention

### Rate Limits

LLMGrid enforces request and token limits through:

* Virtual Keys
* Teams and organizations
* Budgets and routing controls

This protects against misuse, abuse, and accidental traffic spikes.

***

### Budgets & Spend Controls

Budgets allow administrators to:

* Set maximum usage thresholds
* Apply limits per user, key, or tag
* Prevent unbounded usage

Budgets integrate with usage tracking and analytics for real‑time enforcement.

***

## Observability & Auditability

### Logs

LLMGrid provides detailed logs for:

* Request and response metadata
* Model usage and routing decisions
* Guardrail enforcement events
* Tool and vector store usage

Logs support troubleshooting, incident response, and audits.

***

### Usage & Cost Tracking

Usage metrics include:

* Request counts
* Token consumption
* Cost attribution

These metrics can be filtered by:

* Key
* Team
* Organization
* Tag
* Model

***

## Compliance‑Oriented Features

LLMGrid is designed to support common compliance requirements through configuration rather than custom code.

### Key Compliance Capabilities

* Centralized policy enforcement via Guardrails
* Least‑privilege access through scoped keys and roles
* Full audit trails through logs and usage data
* Controlled data access using vector stores and tools
* No hard dependency on a single provider

***

## Secure Tool & Integration Management

### MCP Servers & Search Tools

* Tools are registered and authenticated centrally
* Access can be restricted by key, team, or guardrail
* Tool calls are logged and auditable
* Pre‑execution guardrails prevent unsafe tool usage

***

### Vector Stores

* Vector stores are referenced by ID only
* Credentials are managed securely
* Access is controlled through workflows and agents
* Testing tools validate connectivity without exposing data

***

## Operational Security Best Practices

* Rotate API keys regularly
* Minimize always‑on guardrails to well‑tested policies
* Use scoped guardrails and budgets for experimentation
* Limit tool and vector store access to trusted workflows
* Review logs and usage metrics regularly
* Separate non‑production and production environments

***

## Shared Responsibility Model

LLMGrid provides the tooling required to build secure systems, while customers remain responsible for:

* Application‑level data handling
* Regulatory assessments
* Prompt design and usage patterns

LLMGrid enables strong defaults, transparent controls, and auditable behavior to support compliance needs.

***

## Related Sections

* **Guardrails** – Enforce safety and compliance policies
* **Virtual Keys** – Control access and authentication
* **Internal Users** – Manage admin and operator access
* **Budgets** – Enforce usage limits
* **Usage & Logs** – Audit activity and behavior
* **Router Settings** – Apply controlled routing and fallback
