Security & Compliance Whitepaper

How LangMart protects your data and keeps your AI applications secure

Last Updated: November 2025
Version 1.0

1. Security Architecture

LangMart provides three deployment options, each with different security characteristics:

Control Plane Gateway

Central registry connecting providers and users. Handles authentication and routing.

Managed Gateway

Hosted service where we manage infrastructure. Your data is encrypted at rest and in transit.

Private Gateway

Self-hosted on your infrastructure. Your data never leaves your network.

What This Means for You

  • All data is encrypted using industry-standard encryption (TLS 1.3 in transit, AES-256 at rest)
  • Your API keys are never exposed to LLM providers
  • Choose Private Gateway for complete data isolation

2. Data Protection & Privacy

How We Protect Your Data

Encryption

All data is encrypted both when stored and when transmitted over the internet.

✓ Data in transit: TLS 1.3
✓ Data at rest: AES-256 encryption

Data Retention

You control how long we keep your data. Options include:

  • 30 days (default) - Automatic deletion after 30 days
  • 90 days - For compliance requirements
  • Custom - Enterprise plans can set custom retention
  • Zero retention - Private Gateway (self-hosted)

Data Location

Our servers are located in secure data centers. Enterprise customers can choose specific regions for data residency.

Your Rights

  • Access your data - Download all your data anytime
  • Delete your data - Request permanent deletion anytime
  • Correct your data - Update any inaccurate information
  • Export your data - Get a copy in standard format

3. KeyVault: Automatic API Key Protection

KeyVault is our unique security feature that automatically protects your API keys from being exposed to LLM providers.

How It Works

  1. Detection - When you send a message containing an API key, KeyVault automatically detects it
  2. Redaction - The real key is replaced with a safe placeholder before sending to the LLM provider
  3. Restoration - When you receive the response, the placeholder is replaced with your real key
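The detect, redact, restore round trip described in the three steps above, as an added illustration in Python. This is not LangMart's KeyVault code: the key patterns (based on publicly known key prefixes), the placeholder format and the function names are assumptions.

```python
import re
import secrets

# Assumed key shapes built from publicly known prefixes; real formats vary.
KEY_PATTERNS = [
    ("anthropic", re.compile(r"\bsk-ant-[A-Za-z0-9_-]{20,}")),
    # Generic "sk-" style (used by OpenAI and DeepSeek), excluding sk-ant-.
    ("sk_style", re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_-]{20,}")),
    ("google", re.compile(r"\bAIza[A-Za-z0-9_-]{35}")),
    ("groq", re.compile(r"\bgsk_[A-Za-z0-9]{20,}")),
    ("xai", re.compile(r"\bxai-[A-Za-z0-9]{20,}")),
]


def redact(text):
    """Steps 1 and 2: return (safe_text, mapping of placeholder -> real key)."""
    mapping = {}   # kept per request, in gateway memory only
    seen = {}      # real key -> placeholder, so a repeated key stays consistent

    def substitute(provider):
        def _sub(match):
            key = match.group(0)
            if key not in seen:
                # Random token: a placeholder cannot be guessed or reused
                # across requests to pull out someone else's key.
                placeholder = f"[[REDACTED_KEY_{provider}_{secrets.token_hex(8)}]]"
                seen[key] = placeholder
                mapping[placeholder] = key
            return seen[key]
        return _sub

    for provider, pattern in KEY_PATTERNS:
        text = pattern.sub(substitute(provider), text)
    return text, mapping


def restore(text, mapping):
    """Step 3: put real keys back, only for placeholders issued for this request."""
    for placeholder, key in mapping.items():
        text = text.replace(placeholder, key)
    return text


if __name__ == "__main__":
    # Constructed sample prompt with fake keys.
    prompt = ("Why does this fail? ANTHROPIC_API_KEY=sk-ant-EXAMPLEexample0123456789abcd "
              "GROQ_API_KEY=gsk_EXAMPLEexample0123456789")
    safe, mapping = redact(prompt)
    print(safe)                               # what the provider would see
    print(restore(safe, mapping) == prompt)   # what the user gets back
```

Pattern-based detection only catches keys whose shape it knows, so a key in an unrecognised format passes through unredacted.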

Supported Providers

  • OpenAI
  • Anthropic
  • Google
  • Groq
  • DeepSeek
  • xAI

Why This Matters

  • Prevents accidental exposure of API keys in prompts
  • LLM providers never see your real API keys
  • Works automatically - no configuration needed
  • You see the real key in responses - completely transparent to you

4. Request Logging & Observability

Every API request and response is automatically logged, giving you complete visibility into your LLM usage.

What Gets Logged

Request Information

  • Model used
  • Prompt sent
  • Parameters (temperature, etc.)
  • Timestamp
  • User who made the request

Response Information

  • Complete response
  • Tokens used
  • Response time
  • Success/error status
  • Cost estimate

Using Your Logs

Search & Filter

Find specific requests by time range, status, user, model, or error type.

Export

Download your logs in CSV or JSON format for analysis in your own tools.

Analytics

View trends, identify issues, optimize costs, and understand usage patterns.

Privacy & Security

  • API keys are automatically redacted in logs (via KeyVault)
  • Logs are encrypted at rest
  • Only you can access your logs
  • Logs respect your data retention settings

5. Compliance Framework

LangMart is committed to meeting enterprise security and compliance standards.

GDPR Compliant (Status: Complete)

Full compliance with EU General Data Protection Regulation. We respect your data rights and privacy.

  • Data Protection Officer (DPO) appointed
  • Data Processing Agreement (DPA) available
  • Right to access, delete, and export your data

SOC 2 Type 2 (Status: In Progress)

Comprehensive third-party security audit covering security, availability, and confidentiality.

Target completion: Q2 2026

HIPAA Ready (Status: Roadmap)

Support for healthcare applications with Business Associate Agreement (BAA).

Target completion: Q3 2026

Enterprise Compliance Features

  • Audit Logs - Track all administrative actions and data access
  • Data Residency - Choose where your data is stored
  • Access Controls - Role-based permissions and SSO
  • Data Agreements - DPA and BAA available

6. Self-Hosted Private Gateway

For maximum security and control, deploy LangMart on your own infrastructure with the Private Gateway.

Security Benefits

Complete Data Isolation

Your prompts and responses never leave your network. Perfect for sensitive or proprietary data.

Zero Platform Fees

No 3% markup on API calls. Pay only your provider costs.

Full Control

Open source code. Run it anywhere - Docker, Kubernetes, or bare metal.

Compliance Ready

Meets strictest compliance requirements for healthcare, finance, and government.

How It Works

  1. Install - Deploy the Private Gateway on your servers
  2. Configure - Add your LLM provider API keys
  3. Connect - The gateway registers with the LangMart registry
  4. Use - Make API calls to your gateway instead of directly to providers

Perfect For

  • Companies with strict data residency requirements
  • Healthcare and financial services
  • Government and defense contractors
  • Any organization that needs complete control over their data

Questions About Security?

Our security team is here to help. Contact us for security questionnaires, compliance documentation, or to discuss your specific requirements.