Three gates between your prompt and the model.
Every request takes one path: inspected, routed by your residency policy, sealed in a tamper-evident ledger.
Every request is read before a single token moves.
Sluis runs a deterministic DLP scan over the prompt: 60 built-in detectors for PII, PHI and secrets, including an EU national-ID pack that checksum-validates the BSN, PESEL, codice fiscale and nine more, so a nine-digit number that fails the check is not flagged as a BSN. Every match is classified and the request is tagged with its data classes, inside the EU, before anything is dispatched to a provider.
Names are the hardest personal data to catch by pattern, so name detection is four layers you opt into: context heuristics, email correlation, a tenant name directory, and Sluis's own multilingual recognition model, which runs inside your deployment and never sends a name to a third party.
Work with personal data and secrets. The model never sees them.
Here's the mechanism: Sluis scans the prompt, swaps each PII value and secret for a stable token (the same value always gets the same token, so the model sees one consistent placeholder), and forwards only the tokenised prompt to the provider. On the way back to your app it restores the real values, even mid-stream, token by token, so the provider never sees them. The token-to-value map lives in memory and is never persisted.
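As an added illustration (not Sluis's code), here is the shape of the inspect-and-tokenise gate in Python: two of the checksum-validated detectors the page names (the BSN elfproef and the PESEL control digit) plus a constructed secret pattern, a tokeniser that hands out one stable placeholder per distinct value, and a stream restorer that copes with a placeholder split across two SSE chunks. The detector regexes, the token format, the sample prompt and the chunked reply are all constructed for the example.

```python
import re
from typing import Dict, Tuple

# Illustrative detectors, not Sluis's detector pack.

def bsn_valid(digits: str) -> bool:
    """Dutch BSN 'elfproef': weights 9..2 on the first eight digits and -1 on the ninth, sum mod 11 == 0."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    weights = (9, 8, 7, 6, 5, 4, 3, 2, -1)
    return sum(int(d) * w for d, w in zip(digits, weights)) % 11 == 0


def pesel_valid(digits: str) -> bool:
    """Polish PESEL: weighted sum of the first ten digits; the eleventh is the control digit."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
    s = sum(int(d) * w for d, w in zip(digits[:10], weights))
    return (10 - s % 10) % 10 == int(digits[10])


# (data class, candidate pattern, validator). The validator is what keeps a nine-digit order
# number from being masked as a BSN.
DETECTORS = (
    ("BSN",     re.compile(r"\b\d{9}\b"),            bsn_valid),
    ("PESEL",   re.compile(r"\b\d{11}\b"),           pesel_valid),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), lambda _: True),
)
TOKEN_RX = re.compile(r"<<[A-Z_]+_\d+>>")   # constructed placeholder format


def tokenize(prompt: str) -> Tuple[str, Dict[str, str]]:
    """Replace every validated match with a stable placeholder.

    Returns the masked prompt (what the provider receives) and the token->value map, the only
    place the real values live: held in memory, never written anywhere.
    """
    matches = []
    for cls, rx, valid in DETECTORS:
        for m in rx.finditer(prompt):
            if valid(m.group()):
                matches.append((m.start(), m.end(), cls, m.group()))
    matches.sort()
    value_to_token: Dict[str, str] = {}
    token_to_value: Dict[str, str] = {}
    out, pos = [], 0
    for start, end, cls, value in matches:
        if start < pos:  # overlaps a match already consumed
            continue
        if value not in value_to_token:  # same value -> same token
            tok = f"<<{cls}_{len(value_to_token) + 1}>>"
            value_to_token[value] = tok
            token_to_value[tok] = value
        out.append(prompt[pos:start])
        out.append(value_to_token[value])
        pos = end
    out.append(prompt[pos:])
    return "".join(out), token_to_value


class StreamRestorer:
    """Restores real values in a streamed response one chunk at a time.

    A placeholder may be split across two chunks, so any trailing text that could be the start of
    a token is held back until the next chunk completes (or rules out) the match.
    """

    def __init__(self, token_to_value: Dict[str, str]):
        self.map = token_to_value
        self.buf = ""

    def feed(self, chunk: str) -> str:
        self.buf += chunk
        cut = self.buf.rfind("<<")
        if cut != -1 and ">>" not in self.buf[cut:]:
            hold = self.buf[cut:]          # an opened token with no closing '>>' yet
        elif self.buf.endswith("<"):
            hold = "<"                     # might be the first half of '<<'
        else:
            hold = ""
        emit, self.buf = self.buf[:len(self.buf) - len(hold)], hold
        return TOKEN_RX.sub(lambda m: self.map.get(m.group(), m.group()), emit)

    def finish(self) -> str:
        """Flush whatever is still held once the stream ends."""
        out, self.buf = self.buf, ""
        return out


def demo() -> Tuple[str, str]:
    # Constructed prompt: a valid BSN (used twice), a valid PESEL, a nine-digit order reference that
    # fails the elfproef, and an AWS-style key id.
    prompt = ("Client BSN 111222333, PESEL 44051401359, order ref 123456789, "
              "key AKIAIOSFODNN7EXAMPLE. Repeat BSN 111222333 in the summary.")
    masked, mapping = tokenize(prompt)
    # Constructed model reply, delivered in chunks that split every token somewhere in the middle.
    chunks = ["Summary for ", "<<BS", "N_1>> (PESEL <<PESEL", "_2>>): key <<AWS_", "KEY_3>> rotated."]
    restorer = StreamRestorer(mapping)
    restored = "".join(restorer.feed(c) for c in chunks) + restorer.finish()
    return masked, restored
```

The validators are what make the scan deterministic and cheap to trust: the same input always gets the same classification, and the checksum discards most of the random nine- and eleven-digit numbers a bare regex would flag. The hold-back logic in feed() is the part that is easy to get wrong: without it, a chunk boundary inside a placeholder would leak the raw token to the client.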
Declare where data may go. Sluis enforces it per request.
Map each data class to the regions and providers it's allowed to reach, with an explicit fallback chain. Sluis evaluates the policy on every call: no exceptions, no silent egress.
EU-sovereign by default
Out of the box, requests reach only EU-owned providers such as Mistral and Scaleway, plus EU-region clouds. Direct US and Chinese providers are available too, off by default: allow them in policy and Sluis enforces that exact line.
Ownership, not just region
Sluis flags every provider by jurisdiction and ownership (owner_is_eu = false) for CLOUD Act exposure, so a direct US or Chinese route will always be a choice you can see, never one made for you.
Hard blocks, not best-effort
If no provider satisfies the policy, the request is denied at the gate and returned to your app with a clear reason code.
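An added example, not Sluis's implementation, of how a per-request residency evaluation of this kind can be built in Python: a provider registry carrying both region and owner_is_eu, a policy mapping data classes to allowed regions, an ownership requirement and a fallback chain, and a router that tries the requested provider first, then the chain, and denies with a reason code when nothing passes. Provider names, regions, class names and reason codes are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Provider:
    name: str
    region: str         # where the request is processed
    owner_is_eu: bool   # ownership jurisdiction, tracked separately from region


# Constructed registry. Names and regions are illustrative, not a claim about any real provider.
REGISTRY: Dict[str, Provider] = {p.name: p for p in (
    Provider("mistral-fr",   "eu-west", True),
    Provider("scaleway-par", "eu-west", True),
    Provider("openai-eu",    "eu-west", False),   # EU region, non-EU owner: reachable by default, but flagged
    Provider("openai-us",    "us-east", False),
)}


@dataclass(frozen=True)
class Rule:
    regions: frozenset          # processing regions this data class may reach
    require_eu_owner: bool      # True: owner_is_eu must hold, region alone is not enough
    fallback: Tuple[str, ...]   # ordered provider chain to try


# Policy: data class -> rule. Classes not listed fall under "default" (the eu-sovereign posture).
EU = frozenset({"eu-west", "eu-central"})
POLICY: Dict[str, Rule] = {
    "default":    Rule(EU, False, ("mistral-fr", "scaleway-par", "openai-eu")),
    "phi":        Rule(EU, True,  ("mistral-fr", "scaleway-par")),
    "public":     Rule(EU | {"us-east"}, False, ("mistral-fr", "openai-eu", "openai-us")),
    "restricted": Rule(frozenset({"eu-central"}), True, ()),   # region pinned, no fallback configured
}


@dataclass
class Decision:
    allowed: bool
    provider: Optional[str]
    owner_is_eu: Optional[bool]   # surfaced on every decision, so a non-EU owner is never invisible
    reason: str                   # reason code handed back to the app


def violation(p: Provider, rule: Rule) -> Optional[str]:
    """None when the provider satisfies the rule, otherwise the constraint it breaks."""
    if p.region not in rule.regions:
        return f"region={p.region}"
    if rule.require_eu_owner and not p.owner_is_eu:
        return "owner_is_eu=false"
    return None


def route(data_classes: List[str], requested: Optional[str] = None,
          policy: Dict[str, Rule] = POLICY) -> Decision:
    """Evaluate the policy for one request.

    Every data class found in the request must be satisfied; the requested provider is tried first,
    then each class's fallback chain in order. If nothing passes, the request is denied with the
    list of rejected candidates, never routed somewhere outside policy.
    """
    rules = [policy.get(c, policy["default"]) for c in data_classes] or [policy["default"]]
    candidates: List[str] = [requested] if requested else []
    for r in rules:
        candidates += [n for n in r.fallback if n not in candidates]
    rejected = []
    for name in candidates:
        p = REGISTRY.get(name)
        if p is None:
            rejected.append(f"{name}:unknown_provider")
            continue
        v = next((x for x in (violation(p, r) for r in rules) if x), None)
        if v is None:
            return Decision(True, name, p.owner_is_eu, "OK")
        rejected.append(f"{name}:{v}")
    return Decision(False, None, None, "NO_PROVIDER_IN_POLICY " + ",".join(rejected))
```

Two things to notice: a request carrying several data classes is held to all of them at once, so the strictest class wins; and the denial carries every candidate it rejected and why, which is the reason code the app needs to act on rather than a bare 403.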
A record an auditor will trust, because it proves its own integrity.
Each entry's hash is SHA-256 over the previous hash and the canonical row. Alter one field anywhere in the history and every link downstream breaks. Export the chain as JSON Lines and anyone can re-verify it offline.
Right to erasure (GDPR Art. 17) purges request content, cache and provider credentials, and preserves the metadata chain, so verify-chain still passes after the data is gone.
Tool calls get the same three gates.
When your agent reaches for a tool over MCP, that call runs the same path a prompt does: inspected, routed, sealed. Other MCP gateways log tool calls; Sluis proves where they ran.
Inspect the tool call
The same DLP pass scans tool arguments and tool results for PII, PHI and secrets before they cross to an MCP server, with the same mask, block or allow-log modes.
Route the tool egress
An MCP server is held to your residency policy like any provider: a tool egress outside your policy is blocked at the gate. A tool can't quietly carry your data somewhere you never allowed.
Seal it in the same ledger
The tool call and a hash of its arguments are chained into the same tamper-evident ledger as your model calls: one record, one verify-chain, prompts and tools alike.
The only MCP gateway where every tool invocation passes Inspect → Route → Seal, so "it stayed inside your policy" covers your tools, not just your prompts.
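The hash-chained ledger described under "A record an auditor will trust", and the tool-call sealing in the subsection just above, as one added example in Python (illustrative, not Sluis's schema): append chained entries for model and tool calls, export them as JSON Lines, re-verify offline, detect a tampered row, and run an erasure that removes content while the chain still verifies. The row fields, the choice to chain only a content hash rather than the content itself, and the sample entries are assumptions made for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64   # prev_hash of the first entry


def canonical(row: Dict) -> str:
    """One canonical encoding (sorted keys, no whitespace) so every verifier hashes identical bytes."""
    return json.dumps(row, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def entry_hash(prev_hash: str, row: Dict) -> str:
    """SHA-256 over the previous entry's hash followed by the canonical row."""
    return hashlib.sha256((prev_hash + canonical(row)).encode("utf-8")).hexdigest()


class Ledger:
    """Append-only hash chain for model calls and tool calls alike.

    Request content and tool arguments live in a separate store and enter the chain only as a
    content hash (an assumption about layout, not a description of Sluis's schema). That is what
    lets erasure drop the content while every chained row, and therefore the chain, stays verifiable.
    """

    def __init__(self) -> None:
        self.entries: List[Dict] = []       # chained metadata rows
        self.content: Dict[str, str] = {}   # content keyed by its hash; purged on erasure

    def seal(self, kind: str, tenant: str, provider: str, content: str, **meta) -> Dict:
        chash = hashlib.sha256(content.encode("utf-8")).hexdigest()
        self.content[chash] = content
        row = dict(meta, seq=len(self.entries), kind=kind, tenant=tenant,
                   provider=provider, content_hash=chash)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = dict(row, prev_hash=prev, hash=entry_hash(prev, row))
        self.entries.append(entry)
        return entry

    def export_jsonl(self) -> str:
        """JSON Lines export: one canonical entry per line, verifiable offline with verify_chain()."""
        return "\n".join(canonical(e) for e in self.entries)

    def erase(self, tenant: str) -> int:
        """Right-to-erasure purge: drop the tenant's request content; the metadata rows stay chained."""
        purged = 0
        for e in self.entries:
            if e["tenant"] == tenant and self.content.pop(e["content_hash"], None) is not None:
                purged += 1
        return purged


def verify_chain(jsonl: str) -> Tuple[bool, Optional[int]]:
    """Re-verify an export from scratch: (True, None) when intact, else (False, index of the first broken link)."""
    prev = GENESIS
    for i, line in enumerate(jsonl.splitlines()):
        entry = json.loads(line)
        row = {k: v for k, v in entry.items() if k not in ("prev_hash", "hash")}
        if entry.get("prev_hash") != prev or entry.get("hash") != entry_hash(prev, row):
            return False, i
        prev = entry["hash"]
    return True, None


def demo() -> Tuple[bool, bool, Optional[int], bool, int]:
    # Constructed entries: two model calls and one MCP tool call for the same tenant.
    ledger = Ledger()
    ledger.seal("chat", "acme", "mistral-fr", "prompt with <<BSN_1>>", region="eu-west", decision="allow")
    ledger.seal("tool_call", "acme", "crm-mcp", json.dumps({"customer_id": 42}), region="eu-west", decision="allow")
    ledger.seal("chat", "globex", "scaleway-par", "another prompt", region="eu-west", decision="allow")
    intact, _ = verify_chain(ledger.export_jsonl())

    # Tamper with the tool-call row and recompute its own hash to cover the edit: the next entry's
    # prev_hash no longer matches, so the break surfaces downstream of the edited row.
    rows = [json.loads(x) for x in ledger.export_jsonl().splitlines()]
    rows[1]["provider"] = "openai-us"
    rows[1]["hash"] = entry_hash(rows[1]["prev_hash"],
                                 {k: v for k, v in rows[1].items() if k not in ("prev_hash", "hash")})
    tampered_ok, first_bad = verify_chain("\n".join(canonical(r) for r in rows))

    # Erasure removes acme's content; the chain still verifies.
    purged = ledger.erase("acme")
    after_erasure, _ = verify_chain(ledger.export_jsonl())
    return intact, tampered_ok, first_bad, after_erasure, purged
```

One general caveat that applies to any hash chain, not something the page claims either way: the chain proves internal consistency, and whoever controls the whole store can recompute every link from the edited row to the tip. An auditor who wants to rely on it should keep a copy of the head hash, or a periodic export, somewhere the ledger operator cannot rewrite, and compare against that.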
Built to stay out of the request's way.
Compliance can't cost you latency. The hot path is engineered so the controls run without ever blocking on a database, a lock, or a buffer.
Stateless by design
The data plane holds no per-request state, so you scale by adding replicas. The hot path never blocks on Postgres: keys, policies and the provider registry come from an in-process cache.
Sealed off the hot path
Audit writes are async and batched. A background task appends the hash-chained rows, so the response never waits on the ledger.
Streamed, never buffered
SSE responses pass straight through via a tee. Tokens reach your app as they're generated, and the body is never fully held in memory.
Spend that can't drift
Budgets are debited per request in real money. Lose Redis and spend reconciles from the durable audit ledger; if both are unreadable, the check fails closed.
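The fail-closed budget check as an added example (a sketch, not Sluis's code), with in-memory stand-ins for the fast counter and the durable ledger that can be switched off to simulate an outage. The store names, the cent-denominated budget and the reason codes are constructed for the example; the page itself says the audit writes are batched in the background, which this sketch simplifies to a direct append.

```python
from typing import Dict, List, Tuple


class StoreUnavailable(Exception):
    """Raised by a backend that cannot be read or written (stand-in for a Redis or ledger outage)."""


class SpendCache:
    """Stand-in for the fast counter: running spend per tenant, in cents."""

    def __init__(self) -> None:
        self.spent: Dict[str, int] = {}
        self.available = True

    def get(self, tenant: str) -> int:
        if not self.available:
            raise StoreUnavailable("cache")
        return self.spent.get(tenant, 0)

    def add(self, tenant: str, cents: int) -> None:
        if not self.available:
            raise StoreUnavailable("cache")
        self.spent[tenant] = self.spent.get(tenant, 0) + cents


class SpendLedger:
    """Stand-in for the durable audit ledger: one row per request, carrying its priced cost."""

    def __init__(self) -> None:
        self.rows: List[Tuple[str, int]] = []
        self.available = True

    def append(self, tenant: str, cents: int) -> None:
        if not self.available:
            raise StoreUnavailable("ledger")
        self.rows.append((tenant, cents))

    def spent(self, tenant: str) -> int:
        if not self.available:
            raise StoreUnavailable("ledger")
        return sum(c for t, c in self.rows if t == tenant)


def charge(tenant: str, cost_cents: int, budget_cents: int,
           cache: SpendCache, ledger: SpendLedger) -> Tuple[bool, str]:
    """Debit one request against the tenant's budget.

    Reads the fast counter; if it is unreadable, reconciles spend from the ledger; if that is
    unreadable too, denies (fails closed) rather than letting spend drift while the stores are down.
    Returns (allowed, reason code tagged with the source that was consulted).
    """
    try:
        spent, source = cache.get(tenant), "cache"
    except StoreUnavailable:
        try:
            spent, source = ledger.spent(tenant), "ledger"
        except StoreUnavailable:
            return False, "BUDGET_UNVERIFIABLE"
    if spent + cost_cents > budget_cents:
        return False, f"BUDGET_EXCEEDED:{source}"
    # Record the debit in both stores. A store that is down misses this write; the durable
    # ledger is the record spend is reconciled from.
    for write in (lambda: ledger.append(tenant, cost_cents), lambda: cache.add(tenant, cost_cents)):
        try:
            write()
        except StoreUnavailable:
            pass
    return True, f"OK:{source}"


def demo() -> List[str]:
    """Constructed sequence: 1000-cent budget, 300-cent requests, then the cache and ledger go away in turn."""
    cache, ledger = SpendCache(), SpendLedger()
    codes = []
    codes.append(charge("acme", 300, 1000, cache, ledger)[1])   # 300 spent
    codes.append(charge("acme", 300, 1000, cache, ledger)[1])   # 600 spent
    cache.available = False                                      # lose the cache: reconcile from the ledger
    codes.append(charge("acme", 300, 1000, cache, ledger)[1])   # ledger says 600 -> allowed, now 900
    codes.append(charge("acme", 300, 1000, cache, ledger)[1])   # 900 + 300 > 1000 -> denied
    ledger.available = False                                     # both unreadable -> fail closed
    codes.append(charge("acme", 1, 1000, cache, ledger)[1])
    return codes
```

The order of the two fallbacks is the whole point: the cache is consulted for speed, the ledger for truth, and an unanswerable question is a denial, not an allow.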
Measured, not promised
The controls add almost no latency, and you don't take that on faith: the benchmark harness measures the gateway with the gate on, so the numbers include the inspect, route and seal steps rather than a bare proxy.
Pay once for the same answer.
Turn on an exact-match and a semantic cache per tenant, both tenant-isolated and AEAD-encrypted at rest. A cost and latency win that never weakens residency: a hit is still your data, in your region.
Built for the stack you already have.
OpenAI-compatible to the byte. Keep your SDK, your prompts, your tooling. Point one base_url at Sluis and add a residency header when you want to pin a class of traffic.
OpenAI-compatible API
/v1/chat/completions, /v1/embeddings, /v1/models: same request shapes, same streaming. Nothing to rewrite.
Works with your existing SDKs
Official OpenAI clients, LangChain, plain curl. No new library to learn, no proprietary protocol.
One base_url, one key
Swap the endpoint and mint a virtual key in the console, each with its own model allow-list, rate limits and spend budget.
Observability built in
Prometheus metrics and OTLP traces, labelled with jurisdiction, owner and decision, straight into your Grafana.
# Same API. One endpoint. You set the residency policy.
# eu-sovereign is the safe default; allow more deliberately.
$ curl https://api.sluis.ai/v1/chat/completions \
    -H "Authorization: Bearer $SLUIS_KEY" \
    -H "Content-Type: application/json" \
    -H "X-Sluis-Residency: eu-sovereign" \
    -d '{ "model": "mistral/mistral-large", "messages": [...] }'
# → mistral-large @ mistral-fr · in-region
# → sealed · #4f9c2a · streamed
See the lock work on your own traffic.
Your provider's list price plus a flat 10%. No seats, no minimums, no markup games. Your first 250K tokens are free, and no request ever leaves your residency policy.