
LLM Gateway Is Now SOC 2 Type II Compliant

LLM Gateway has successfully completed its SOC 2 Type II audit. Here's what that means, why it matters for teams routing LLM traffic through us, and how to request our report.

We're excited to announce that LLM Gateway is now SOC 2 Type II compliant. An independent auditor has examined our security controls — not just how they're designed, but how they operated in practice over an extended observation period — and verified that we meet the AICPA's Trust Services Criteria for security, availability, and confidentiality.

Your prompts, completions, and API keys flow through your gateway. That's a position of trust, and this report is third-party evidence that we treat it that way.

What is SOC 2?

SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) for assessing how service organizations protect customer data. An independent CPA firm audits the organization's controls against the Trust Services Criteria — covering areas like access control, change management, incident response, vendor management, and data protection.

There are two types of SOC 2 reports:

  • Type I evaluates whether an organization's security controls are suitably designed at a single point in time.
  • Type II goes further: it verifies that those controls actually operated effectively over a sustained observation period, not just on the day of the audit.

Type II is the report enterprises ask for, because it demonstrates that security isn't a checkbox exercise — it's how the company runs day to day.

What this means for you

If you're routing production LLM traffic through LLM Gateway — or evaluating us against your security requirements — this gives you:

  • Independent verification. You don't have to take our word for how we handle your data. A third-party auditor has examined our controls in operation.
  • Faster security reviews. Instead of a months-long questionnaire cycle, your security team can review our SOC 2 Type II report and our trust center directly.
  • A shorter path to procurement. For many enterprises, a current SOC 2 Type II report is a hard requirement before any vendor touches production data. We now clear that bar.

This matters doubly for an LLM gateway: we sit between your application and every model provider you use. Centralizing that traffic is only a good idea if the layer in the middle holds itself to a higher standard than the integrations it replaces.

Security has always been part of the product

SOC 2 Type II formalizes practices that have been core to LLM Gateway from the start, and it complements the security features our customers already rely on:

  • Audit logs — tamper-evident trails of every config change, key rotation, and admin action, exportable for your own SOC 2 and HIPAA evidence.
  • Guardrails — prompt-injection detection, PII redaction, and content moderation at the gateway layer.
  • SSO/SAML and role-based access control for your team.
  • Per-project routing overrides — pin regulated workloads to specific regions and providers to keep your own compliance scope tight.
  • Open source — our core is AGPLv3 on GitHub, so you can inspect exactly how your data is handled.

How to get our SOC 2 report

Our trust center at security.llmgateway.io is the home for our security posture: certifications, policies, and subprocessors. You can request access to the full SOC 2 Type II report there.

Have a custom security questionnaire or specific compliance requirements? Contact us — our team is happy to work through them with you.

If you're ready to put LLM infrastructure in production with a partner that takes security as seriously as you do, check out our Enterprise page or get in touch.