Three gates between your prompt and the model.

Every request takes one path: inspected, routed by your residency policy, sealed in a tamper-evident ledger.

client (your SDK) → inspect (DLP scan) → route (residency) → seal (ledger) → response (streamed)
Inspect

Every request is read before a single token moves.

Sluis runs a deterministic DLP scan over the prompt: 60 built-in detectors for PII, PHI and secrets, including an EU national-ID pack that checksum-validates the BSN, PESEL, codice fiscale and nine more. Every match is classified and the request is tagged inside the EU, before anything is dispatched to a provider.

EU PII detectors
email, phone (E.164), IBAN (mod-97), NL BSN (11-proef), PL PESEL, IT codice fiscale, credit card (Luhn)
Secret detectors
API keys, AWS access keys, PEM private keys
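What checksum validation buys a detector, as an added example (not Sluis's own code): a pattern only proposes candidates, and the 11-proef, mod-97 or Luhn check decides whether a hit is reported. The regexes, the `scan` helper and the sample text are constructed for illustration.

```python
import re

def bsn_ok(s: str) -> bool:
    # 11-proef: weights 9..2 on the first eight digits and -1 on the ninth;
    # the weighted sum must be divisible by 11.
    total = sum(w * int(c) for w, c in zip((9, 8, 7, 6, 5, 4, 3, 2, -1), s))
    return len(s) == 9 and s != "000000000" and total % 11 == 0

def iban_ok(s: str) -> bool:
    # mod-97: move the first four characters to the end, map A..Z to
    # 10..35, and require the resulting integer to leave remainder 1.
    s = s.replace(" ", "").upper()
    return int("".join(str(int(c, 36)) for c in s[4:] + s[:4])) % 97 == 1

def luhn_ok(s: str) -> bool:
    # Luhn: from the right, double every second digit (minus 9 if above 9).
    d = [int(c) for c in s if c.isdigit()][::-1]
    return sum(x if i % 2 == 0 else (x * 2 - 9 if x > 4 else x * 2)
               for i, x in enumerate(d)) % 10 == 0

# Constructed candidate patterns; a hit is kept only if its checksum holds.
DETECTORS = [
    ("IBAN", re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){3,7}(?: ?[A-Z0-9]{1,2})?\b"), iban_ok),
    ("NL_BSN", re.compile(r"\b\d{9}\b"), bsn_ok),
    ("CARD", re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b"), luhn_ok),
]

def scan(text: str):
    """Return (detector, match) pairs for checksum-valid hits only."""
    return [(label, m.group(0))
            for label, pattern, check in DETECTORS
            for m in pattern.finditer(text) if check(m.group(0))]

# Constructed input using test values: one valid BSN, one nine-digit order number.
SAMPLE = ("BSN 123456782, order no. 123456789, "
          "IBAN NL91 ABNA 0417 1643 00, card 4111 1111 1111 1111")
```

The order number has the same shape as a BSN but fails the 11-proef, so it is not tagged.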
Person-name detection

Names are the hardest personal data to catch by pattern, so name detection is four layers you opt into: context heuristics, email correlation, a tenant name directory, and Sluis's own multilingual recognition model, which runs inside your deployment and never sends a name to a third party.

request.json · DLP scan
IBAN · NL91 ABNA ●●●● ●●●● 28 · masked
NL BSN · ●●● ●●● ●●● · masked
email · j●●●@●●●.nl · masked
API key · sk-●●●…●●● · blocked
mode: mask · block · allow-log · pseudonymize

Work with personal data and secrets. The model never sees them.

Here's the mechanism: Sluis scans the prompt, swaps each PII value and secret for a stable token, and forwards only tokens to the model. At egress it restores the real values, even mid-stream, token by token, so the provider never sees them. The map lives in memory and is never persisted.

your app → Sluis gate (john@acme.com → «EMAIL_1», masks PII) → model («EMAIL_1», only sees token) → Sluis gate («EMAIL_1» → john@acme.com, restores) → your app
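The mask-and-restore round trip described above, as an added example (not Sluis's own code), including the case where a streamed chunk boundary falls inside a token. The `TokenMap` class, the email regex and `MAX_TOKEN_LEN` are assumptions made for illustration; only the `«EMAIL_1»` token shape comes from the page.

```python
import re

EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TOKEN = re.compile(r"«[A-Z]+_\d+»")
MAX_TOKEN_LEN = 32  # longest placeholder we are willing to wait for

class TokenMap:
    """Per-request map kept in memory only (constructed example)."""

    def __init__(self):
        self.by_value, self.by_token = {}, {}

    def mask(self, text: str) -> str:
        def swap(m):
            value = m.group(0)
            if value not in self.by_value:  # stable: same value, same token
                token = f"«EMAIL_{len(self.by_value) + 1}»"
                self.by_value[value], self.by_token[token] = token, value
            return self.by_value[value]
        return EMAIL.sub(swap, text)

    def _restore(self, text: str) -> str:
        # Unknown tokens are left untouched rather than guessed at.
        return TOKEN.sub(lambda m: self.by_token.get(m.group(0), m.group(0)), text)

    def restore_stream(self, chunks):
        """Restore tokens in a chunked response, even when a token is split."""
        held = ""
        for chunk in chunks:
            held += chunk
            start = held.rfind("«")
            # Hold back an opened but unclosed token until its end arrives,
            # bounded so a stray « cannot stall the stream.
            partial = (start != -1 and "»" not in held[start:]
                       and len(held) - start < MAX_TOKEN_LEN)
            ready, held = (held[:start], held[start:]) if partial else (held, "")
            if ready:
                yield self._restore(ready)
        if held:
            yield self._restore(held)  # stream ended mid-token: pass through
```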
Route by residency

Declare where data may go. Sluis enforces it per request.

Map each data class to the regions and providers it's allowed to reach, with an explicit fallback chain. Sluis evaluates the policy on every call: no exceptions, no silent egress.

  • EU-sovereign by default

    Out of the box, requests reach only EU-owned providers such as Mistral and Scaleway, plus EU-region clouds. Direct US and Chinese providers are available too, off by default: allow them in policy and Sluis enforces that exact line.

  • Ownership, not just region

    Sluis flags every provider by jurisdiction and ownership (owner_is_eu = false) for CLOUD Act exposure, so a direct US or Chinese route will always be a choice you can see, never one made for you.

  • Hard blocks, not best-effort

    If no provider satisfies the policy, the request is denied at the gate and returned to your app with a clear reason code.

residency.policy · class: PHI · enforced
request → FR (primary), FR (fallback), US (allowed), CN (blocked)
EU · France · scaleway-fr · owner_is_eu=true · primary
EU · France · mistral-fr · owner_is_eu=true · fallback
US · East · openai-us · owner_is_eu=false · allowed · policy
CN · Hangzhou · deepseek-cn · owner_is_eu=false · blocked · policy
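One way to evaluate the PHI policy shown above on every call, as an added example (not Sluis's own code or policy syntax). The provider names and `owner_is_eu` flags come from the page; the policy shape, the `allow_non_eu` key, the PII rule and the reason-code strings are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Provider:
    name: str
    jurisdiction: str
    owner_is_eu: bool

REGISTRY = {p.name: p for p in (
    Provider("scaleway-fr", "FR", True),
    Provider("mistral-fr", "FR", True),
    Provider("openai-us", "US", False),
    Provider("deepseek-cn", "CN", False),
)}

# Hypothetical policy shape: an ordered fallback chain per data class, plus
# the non-EU-owned providers the tenant has explicitly allowed.
POLICY = {
    "PHI": {"chain": ["scaleway-fr", "mistral-fr", "openai-us", "deepseek-cn"],
            "allow_non_eu": {"openai-us"}},
    "PII": {"chain": ["scaleway-fr", "mistral-fr", "openai-us"],
            "allow_non_eu": set()},  # EU-sovereign default: nothing extra allowed
}

def route(data_class: str, available: set):
    """Return (provider, decision); provider is None when the gate denies."""
    rule = POLICY.get(data_class)
    if rule is None:
        return None, "denied:no_policy_for_class"  # unknown class fails closed
    for position, name in enumerate(rule["chain"]):
        provider = REGISTRY[name]
        if not provider.owner_is_eu and name not in rule["allow_non_eu"]:
            continue  # blocked by policy, even if it is the only one up
        if name in available:
            return name, "primary" if position == 0 else "fallback"
    return None, "denied:no_provider_satisfies_policy"
```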
Seal in the ledger

A record an auditor will trust, because it proves its own integrity.

Each entry's hash is SHA-256 over the previous hash and the canonical row. Alter one field anywhere in the history and every link downstream breaks. Export the chain as JSON Lines and anyone can re-verify it offline.

audit.chain · last 4 entries · chain verified
14:22:07.118Z · #4f9c2a ← e1b7d9 · scaleway-fr · PHI · in-region
14:22:05.904Z · #e1b7d9 ← 7a3f10 · mistral-fr · PHI · fallback
14:22:04.661Z · #7a3f10 ← 0c55ab · scaleway-fr · PII · in-region
14:22:02.330Z · #0c55ab ← genesis · scaleway-fr · general · in-region
SHA-256 chained · tamper-evident · JSON Lines export · offline verify-chain

Right to erasure (GDPR Art. 17) purges request content, cache and provider credentials, and preserves the metadata chain, so verify-chain still passes after the data is gone.
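A hash chain of this kind with an offline verifier, as an added example (not Sluis's own code or export format). It assumes the canonical row is sorted-key compact JSON and that a row carries only a digest of the request content, which is one way the chain can still verify after the content is purged; the field names and sample entries are constructed.

```python
import hashlib
import json

GENESIS = "genesis"

def canonical(row: dict) -> bytes:
    # Assumption: canonical row = JSON with sorted keys and compact separators.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()

def seal(prev_hash: str, row: dict) -> str:
    # SHA-256 over the previous hash followed by the canonical row.
    return hashlib.sha256(prev_hash.encode() + canonical(row)).hexdigest()

def append(chain: list, store: dict, meta: dict, content: str) -> None:
    # Only a digest of the content enters the chained row; the content
    # itself lives in a separate store so it can be purged later.
    digest = hashlib.sha256(content.encode()).hexdigest()
    store[digest] = content
    row = dict(meta, content_sha256=digest)
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "row": row, "hash": seal(prev, row)})

def export_jsonl(chain: list) -> str:
    return "\n".join(json.dumps(e, sort_keys=True) for e in chain)

def verify_chain(jsonl: str):
    """Re-derive every link offline; return (ok, index of first bad entry)."""
    prev = GENESIS
    for i, line in enumerate(jsonl.splitlines()):
        e = json.loads(line)
        if e["prev"] != prev or seal(prev, e["row"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None

def build_sample():
    # Constructed entries mirroring the fields shown in the ledger view.
    chain, store = [], {}
    for ts, provider, cls, decision in [
        ("14:22:02.330Z", "scaleway-fr", "general", "in-region"),
        ("14:22:04.661Z", "scaleway-fr", "PII", "in-region"),
        ("14:22:05.904Z", "mistral-fr", "PHI", "fallback"),
        ("14:22:07.118Z", "scaleway-fr", "PHI", "in-region"),
    ]:
        append(chain, store, {"ts": ts, "provider": provider,
                              "class": cls, "decision": decision}, f"prompt at {ts}")
    return chain, store
```

Verification of this kind proves internal consistency; comparing the final hash against a copy held outside the system is what catches a history that was rewritten and re-hashed from some point onward.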

Tool calls get the same three gates.

When your agent reaches for a tool over MCP, that call runs the same path a prompt does: inspected, routed, sealed. Other MCP gateways log tool calls; Sluis proves where they ran.

Inspect the tool call

The same DLP pass scans tool arguments and tool results for PII, PHI and secrets before they cross to an MCP server, with the same mask, block or allow-log modes.

Route the tool egress

An MCP server is held to your residency policy like any provider: a tool egress outside your policy is blocked at the gate. A tool can't quietly carry your data somewhere you never allowed.

Seal it in the same ledger

The tool call and a hash of its arguments are chained into the same tamper-evident ledger as your model calls: one record, one verify-chain, prompts and tools alike.

The only MCP gateway where every tool invocation passes Inspect → Route → Seal, so "it stayed inside your policy" covers your tools, not just your prompts.

Built to stay out of the request's way.

Compliance can't cost you latency. The hot path is engineered so the controls run without ever blocking on a database, a lock, or a buffer.

Scale

Stateless by design

The data plane holds no per-request state, so you scale by adding replicas. The hot path never blocks on Postgres: keys, policies and the provider registry come from an in-process cache.

horizontal scale · no hot-path DB
Audit

Sealed off the hot path

Audit writes are async and batched. A background task appends the hash-chained rows, so the response never waits on the ledger.

async + batched
Streaming

Streamed, never buffered

SSE responses pass straight through via a tee. Tokens reach your app as they're generated, and the body is never fully held in memory.

SSE tee
Budgets

Spend that can't drift

Budgets are debited per request in real money. Lose Redis and spend reconciles from the durable audit ledger; if both are unreadable, the check fails closed.

micro-euro ledger · reconciled · fails closed
Speed

Measured, not promised

The controls cost almost nothing, and you don't take it on faith: the overhead is measured by the benchmark harness with the gate on.

+1 ms median overhead · gate-on vs gate-off · measured internally

Pay once for the same answer.

Turn on an exact-match and a semantic cache per tenant, both tenant-isolated and AEAD-encrypted at rest. A cost and latency win that never weakens residency: a hit is still your data, in your region.

exact-match · semantic (pgvector) · AEAD-encrypted at rest · tenant-isolated · opt-in

Built for the stack you already have.

OpenAI-compatible to the byte. Keep your SDK, your prompts, your tooling. Point one base_url at Sluis and add a residency header when you want to pin a class of traffic.

  • OpenAI-compatible API

    /v1/chat/completions, /v1/embeddings, /v1/models: same request shapes, same streaming. Nothing to rewrite.

  • Works with your existing SDKs

    Official OpenAI clients, LangChain, plain curl. No new library to learn, no proprietary protocol.

  • One base_url, one key

    Swap the endpoint and mint a virtual key in the console, each with its own model allow-list, rate limits and spend budget.

  • Observability built in

    Prometheus metrics and OTLP traces, labelled with jurisdiction, owner and decision, straight into your Grafana.

shell · drop-in
# Same API. One endpoint. You set the residency policy.
# eu-sovereign is the safe default; allow more deliberately.
$ curl https://api.sluis.ai/v1/chat/completions \
  -H "Authorization: Bearer $SLUIS_KEY" \
  -H "X-Sluis-Residency: eu-sovereign" \
  -d '{ "model": "mistral/mistral-large", "messages": [...] }'

# → mistral-large @ mistral-fr · in-region
# → sealed · #4f9c2a · streamed

See the lock work on your own traffic.

Your provider's list price plus a flat 10%. No seats, no minimums, no markup games. Your first 250K tokens are free, and no request ever leaves your residency policy.