Architecture

How Gateco fits in your stack

Gateco sits between your AI application and your vector databases. It enforces policies, syncs identity, and logs every decision — without changing your vector DB or ingestion pipeline.

Multi-tenant SaaS — Standard RAG Security Deployment

This is the standard deployment: the Gateco-hosted policy engine sits in the retrieval path, enforcing access before chunks reach your AI.

Diagram: the IDP (Azure / Okta / AWS / GCP) supplies principal sync to the Gateco Policy Engine (deny-by-default); the AI Application (your product) sends query + identity to Gateco and receives filtered results; Gateco sends the search to the Vector DB (Pinecone, pgvector, …) and receives raw chunks; every decision goes to the Audit Log (25 event types), with streaming to your SIEM (Enterprise).
  • Your AI application sends each query with a principal ID — resolved from your session or JWT.
  • Gateco resolves the principal's attributes from your IDP (roles, groups, department, clearance).
  • Policies evaluate against both the principal and each returned chunk's metadata — deny-by-default.
  • Every decision (allowed or denied) is written to the audit log before results are returned.
  • Your vector DB schema and ingestion pipeline are unchanged. Gateco only touches the read path.
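As an added illustration of the read-path flow above (this is not Gateco's code; the policy shapes, attribute names, sample chunks and the in-memory audit list are all assumptions), a deny-by-default filter that evaluates a principal's synced attributes against each chunk's metadata and records every decision before anything is returned:

```python
"""Deny-by-default chunk filtering on the RAG read path (illustrative model, not Gateco code)."""
from typing import Callable

# Constructed principal directory, standing in for attributes synced from an IDP.
PRINCIPALS = {
    "u-alice": {"roles": ["analyst"], "department": "finance", "clearance": 2},
    "u-bob":   {"roles": ["engineer"], "department": "eng", "clearance": 1},
}

# Constructed raw chunks as a vector DB search might return them; only metadata matters here.
RAW_CHUNKS = [
    {"id": "c1", "metadata": {"department": "finance", "clearance": 1}},
    {"id": "c2", "metadata": {"department": "finance", "clearance": 3}},
    {"id": "c3", "metadata": {"department": "eng", "clearance": 1}},
    {"id": "c4", "metadata": {}},  # missing metadata: no policy can match, so it fails closed
]

# A policy takes (principal attributes, chunk metadata) and returns True only for an explicit allow.
Policy = Callable[[dict, dict], bool]

def same_department(attrs: dict, meta: dict) -> bool:
    return "department" in meta and meta["department"] == attrs.get("department")

def clearance_ok(attrs: dict, meta: dict) -> bool:
    return "clearance" in meta and attrs.get("clearance", 0) >= meta["clearance"]

# Policies are combined conjunctively: every policy must allow the chunk (assumed semantics).
POLICIES: list[Policy] = [same_department, clearance_ok]

def filter_chunks(principal_id: str, chunks: list[dict], audit: list[dict]) -> list[dict]:
    """Return only the chunks the principal may see; append one audit event per chunk."""
    attrs = PRINCIPALS.get(principal_id)
    allowed = []
    for chunk in chunks:
        # Deny by default: unknown principal, empty policy set, or any failing policy -> deny.
        decision = attrs is not None and bool(POLICIES) and all(
            policy(attrs, chunk["metadata"]) for policy in POLICIES
        )
        # Every decision, allowed or denied, is recorded before results go back to the caller.
        audit.append({"principal": principal_id, "chunk": chunk["id"],
                      "decision": "allow" if decision else "deny"})
        if decision:
            allowed.append(chunk)
    return allowed

if __name__ == "__main__":
    log: list[dict] = []
    print([c["id"] for c in filter_chunks("u-alice", RAW_CHUNKS, log)], log)
```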

Enterprise — Private Data Plane for AI Access Control

For enterprises requiring that connector credentials never leave their network. Gateco's policy engine runs inside your VPC. Waitlist open for Q3 2026.

Diagram: inside the Customer VPC / Private Data Plane, the Gateco Policy Engine (Private Data Plane) receives query + identity from the AI Application (your product) and returns filtered results; it sends the search to the Vector DB (private endpoint) and receives raw chunks; every decision goes to the customer-controlled Audit Log, which feeds your SIEM / CSPM; principal sync (TLS) runs between Gateco and the IDP (Azure / Okta / AWS / GCP).
  • Policy engine deployed as a container in your VPC. No vector DB credentials leave your network.
  • Audit logs remain in your customer-controlled storage (S3, GCS, or Azure Blob).
  • IDP sync uses outbound TLS from Gateco to your identity provider — no inbound network openings required.
  • SIEM streaming connects from your audit log storage to your existing CSPM pipeline.

Multi-region — EU Data Residency

For organizations with EU AI Act or GDPR data residency requirements. EU tenant data — including policy evaluation and audit logs — stays in the EU region.

Diagram: US Region: the AI Application (US tenants) sends queries to Gateco (US) for policy eval + audit, which searches the Vector DB (US), logs to the Audit Log (US) and returns results. EU Region (data residency): the AI Application (EU tenants) sends queries to Gateco (EU) for EU policy eval + audit, which searches the Vector DB (EU) through an EU endpoint, logs to the Audit Log (EU) and returns results; data stays in the EU. Shared IDP sync, with principal data replicated per-region.
  • US and EU Gateco instances are independently operated — no cross-region retrieval traffic.
  • EU tenant audit logs stay in the EU region and are never replicated to the US instance.
  • Principal data from shared IDPs is synced per-region — each instance maintains its own principal cache.
  • EU AI Act audit evidence is available as a region-scoped export that never crosses the Atlantic.

Deployment model matrix

Choose the deployment that fits your security and data residency requirements.

Model              | Description                                                                             | EU Residency | Private Endpoint | Self-Hosted | Availability
SaaS Shared        | Gateco-hosted, multi-tenant. Policy evaluation and audit logs in Gateco infrastructure. |              |                  |             | All plans
SaaS Dedicated     | Gateco-hosted, dedicated tenant namespace. Isolated compute and storage.                |              |                  |             | Enterprise
Private Data Plane | Gateco policy engine runs in your VPC. Your credentials never leave your network.       |              |                  |             | Enterprise (waitlist)
Self-Host          | Full Gateco stack in your own infrastructure. No Gateco telemetry.                      |              |                  |             | Q3 2026 waitlist

Discuss your deployment

Enterprise deployments — Private Data Plane, VPC, multi-region EU — are scoped individually. Talk to us about your requirements.