Security and compliance, built for regulated AI.
RenLayer protects the data your agents touch and helps you meet GDPR, CCPA and the EU AI Act. Your data stays in Europe, or inside your own VPC, and every request is logged to a tamper-evident audit trail.
Get a free assessment
Designed to clear a security review.
Most AI tools ask you to send your prompts and responses to a US SaaS. RenLayer is built the other way around: data residency in Europe, deployment inside your trust boundary, encryption in transit, and the audit and retention controls a CISO and a DPO sign off on.
How we protect your data
EU data residency
Run as a managed service in an EU region or inside your own VPC. Your prompts and responses stay within the boundary your policies require.
GDPR, CCPA and EU AI Act ready
Structured audit trails on every request, configurable retention, and DLP that blocks or redacts personal data before it reaches a provider, aligned with AEPD guidance.
Encryption and mutual TLS
Traffic is encrypted in transit with mutual TLS and per-tenant certificates that are rotated regularly, so each tenant is cryptographically isolated.
Data minimization
In managed SaaS we keep a small request preview and cryptographic hashes, not full bodies. In Hybrid and on-prem modes, full bodies never leave your infrastructure.
Retention and the right to be forgotten
Set retention windows per data type with optional archival, and complete GDPR deletion requests by subject email within your configured window.
We do not train on your data
Your prompts, responses and findings are never used to train models, ours or anyone else's. They stay yours.
Everything the security committee asks, in one place.
The controls procurement and security run through before they approve, ready out of the box.
- SSO/OIDC and mandatory MFA for every console user
- Role-based access with least-privilege roles and guardrails
- API keys scoped to what an agent needs, with IP allowlists and rotation
- Per-key rate limits on requests, tokens and cost
- Tamper-evident audit log with SHA-256 chain verification
- 47+ DLP detectors for PII, secrets and credentials
- Signed DPAs and data processing in Europe
- An employee transparency portal for GDPR self-service
Security and privacy FAQ
Where is my data stored?
It depends on the deployment tier. In managed SaaS, RenLayer runs in an EU region and keeps a small request preview plus cryptographic hashes, not full bodies. In Hybrid mode, full bodies stay on your infrastructure and only metadata crosses the network. On-prem, nothing leaves your VPC.
Do you train on my prompts and responses?
No. Your prompts, responses, findings and audit data are never used to train any model. RenLayer processes them to enforce policy, run DLP and produce your audit trail, and nothing more.
Can RenLayer run fully on-premise?
Yes. RenLayer deploys as managed cloud, in an EU-resident region, in your own VPC, or fully on-premise, so the proxy sits inside the same trust boundary as the rest of your stack.
How do you help with the EU AI Act and the AEPD?
RenLayer gives you the evidence regulators ask for: a tamper-evident audit trail of every request, demonstrable control over which agents reach regulated data through the Activity Graph, DLP that blocks personal data before it leaves, and retention plus deletion aligned with GDPR and AEPD guidance.
Is the browser extension privacy-safe?
Yes. The Shadow AI browser extension shows a status icon, and an employee transparency portal lets each user see exactly what was captured about them, with GDPR-grade deletion. It is built for compliance, not surveillance.
Can we sign a DPA?
Yes. RenLayer signs Data Processing Agreements and processes data in Europe. The free assessment includes a walkthrough of DPAs, residency, retention and audit design with your security team.
Bring it to your security team.
Start with a free assessment. We walk your security and privacy reviewers through residency, DPAs, retention and the audit trail, against your own environment.
Get a free assessment