Data boundary
Prompts, responses, model files, traces, and operational logs are designed to stay inside customer-controlled infrastructure when Clustra is deployed to that boundary.
Security Posture
Private AI should inherit your controls.
Clustra is designed for environments where security teams need architectural control, evidence, reviewability, and customer-owned retention from the first deployment.
Controls security teams ask for.
The platform is shaped around the questions that decide whether private AI can move beyond a prototype: where data goes, who can access models, what gets logged, and who owns the evidence.
Identity integration
Access is designed to align with customer identity, groups, team boundaries, and role-based operating policies.
Access policy
Applications and agents reach models through one governed entry point where approved model access and rate policy can be enforced.
Audit trail
Model actions, gateway traffic, request traces, and operational changes create reviewable evidence for security and compliance teams.
Network isolation
Model frontends stay private behind the platform boundary instead of being exposed as separate public surfaces.
Secrets handling
Secrets are treated as runtime configuration owned by the customer environment, not public website configuration or hardcoded assets.
Security controls matrix.
A review should connect each control to an owner, evidence source, and deployment assumption. This matrix is representative; the pilot version is mapped to the customer's environment.
| Control | Clustra provides | Customer owns | Review evidence |
|---|---|---|---|
| Identity and SSO/RBAC | Maps users, teams, applications, and model access to the approved enterprise identity path. | Identity provider, group ownership, role approval, and production access decisions. | Access-policy map, reviewer owners, approved model list. |
| API keys and access policy | Centralizes gateway access, model routing, rate policy, and team attribution. | Key issuance process, consuming applications, revocation policy, and exception approvals. | Gateway policy, key status, route history, policy outcomes. |
| Secrets handling | Treats secrets as runtime configuration within the customer environment. | Secret store, rotation process, break-glass access, and audit owner. | Secret references, rotation owner, deployment change record. |
| Logs, traces, and retention | Produces request traces, usage attribution, audit events, and runtime health signals. | Retention target, log access policy, review cadence, and legal hold requirements. | Trace sample, audit event sample, retention mapping. |
| Redaction and output handling | Supports review of policy outcomes such as allowed, redacted, masked, or blocked. | Sensitive-data rules, application handling, and reviewer signoff. | Policy outcome, redaction event, application owner. |
| Network isolation | Keeps model frontends behind the gateway and maps the approved consumer-to-runtime path. | Network zones, ingress path, firewall rules, and incident handoff. | Network path notes, gateway boundary, health and incident signals. |
What stays in your environment
The operational evidence stays where your policies apply.
Customer prompts and uploaded documents
Model responses and generated artifacts
Model files and cache inventory
Request traces, sessions, and audit history
Usage attribution and team-level activity
Infrastructure metrics and readiness signals
Access policy, secrets, and runtime configuration
Security logs and retention-controlled evidence
What security can review
A practical checklist for architecture review.
- Environment boundary and network path
- Identity, SSO, and role mapping
- Approved model access policy
- Audit log ownership and retention
- Secrets storage and rotation process
- Redaction and output handling requirements
- Operational monitoring and alerting signals
- Deployment change history
- Incident response handoff points
Give security a reviewable architecture.
We will map the data boundary, access model, audit story, and operating evidence before a pilot runs.