Managed multi-tenant
The standard offering — shared, RLS-isolated infrastructure on Google Cloud Run + Supabase. Live in minutes; US default region, EU residency on Enterprise.
Dedicated tenancy, VPC and private networking, BYO provider contracts, SSO/SAML, audit logs, residency pinning, a named CSM — and the paperwork published before the first call.
SOC 2 controls · GDPR · HIPAA BAA · ISO 27001-aligned
SSO, audit logs, guardrails, and RBAC are not an upsell. They ship to every customer from day one. Enterprise adds deployment, contract, residency, and support depth on top.
Usage/latency/cost routing across 97+ models, fallback chains, and per-org retry, timeout, and cooldown tuning.
SAML 2.0 and OIDC against Okta, Azure AD, Google Workspace, or any compatible IdP — with SCIM provisioning and IdP-enforced MFA.
Append-only trail of every key, guardrail, budget, and team change — actor, timestamp, source IP, payload diff. CSV/JSON export for SIEM.
PII redaction (Microsoft Presidio), prompt-injection detection, and keyword & regex content filtering — scoped org > team > key, on every plan.
Org → team → member hierarchy with four roles, enforced by Postgres Row-Level Security — not application checks alone.
Your logo, your colors, your domain via CNAME — a branded key portal for downstream users, Nemo branding removed.
Most teams run on the managed multi-tenant gateway. Regulated organizations can run dedicated, in their own VPC, or — on the roadmap — fully air-gapped. We are precise about what is GA today and what is a scoped engagement.
The standard offering — shared, RLS-isolated infrastructure on Google Cloud Run + Supabase. Live in minutes; US default region, EU residency on Enterprise.
A single-tenant deployment in an isolated project — your own database, your own routing engine, dedicated capacity reservations, and a region pinned at provision time. No noisy-neighbor surface at all.
Nemo Router deployed inside your GCP, AWS, or Azure account so prompts and keys never leave your network perimeter. You own the data plane; we operate the control plane.
Fully air-gapped, self-hosted Nemo Router for regulated environments. On the roadmap, not generally available — we will be candid about timelines on a call.
Dedicated, VPC, and on-premise deployments are scoped engagement-by-engagement. Talk to sales and we will design the topology with your cloud team — no over-promised timelines.
The standard managed product is intentionally no-BYOK — you never touch a provider key. For Enterprise customers with existing committed-spend contracts — an Azure OpenAI PTU pool, a Vertex GSU reservation, a Bedrock provisioned-throughput commitment — Nemo Router routes through that capacity while your pricing and your provider relationship stay yours.
Your contract
Azure PTU · Vertex GSU · Bedrock PT
Committed spend, your pricing, your provider relationship
Nemo enterprise layer
Routing · guardrails · governance
Credit reserve+settle, audit trail, RBAC on top of your capacity
Your teams
One key, one bill
sk-nemo-… virtual keys — no provider key ever handled
TLS 1.2+ is the baseline on every plan. Enterprise adds IP allowlisting, private connectivity, and a residency pin — customer data is replicated within a single region and never moved without an explicit migration request.
The baseline on every plan — no configuration required.
Restrict dashboard and API access to your corporate egress ranges. Enterprise — configured during onboarding.
AWS PrivateLink, GCP Private Service Connect, or Azure Private Endpoint — traffic never traverses the public internet. Enterprise / dedicated tenancy.
Need a region not listed? Most major cloud regions can be supported on a dedicated deployment — ask sales.
We state precisely where each framework stands — achieved, in progress, or available on request. We never imply a certification Nemo Router does not hold.
Nemo Router operates SOC 2-aligned security, availability, and confidentiality controls today — encryption, access control, change management, audit logging, tenant isolation. A formal SOC 2 Type II observation period is underway; the audited report is targeted for Q3 2026. Our infrastructure substrate (Google Cloud Run, Supabase) is already SOC 2 Type II certified.
Controls walkthroughInformation security management practices aligned to ISO/IEC 27001 Annex A controls — asset management, access control, cryptography, operations security, supplier relationships. A formal ISO 27001 certification is on the roadmap; the infrastructure substrate (Cloud Run, Supabase) is independently ISO 27001 certified.
Controls walkthroughCompliant with the EU General Data Protection Regulation. Data Processing Addendum available for signature, EU Standard Contractual Clauses with subprocessors, data-subject access and erasure tooling built into the dashboard, and EU data residency available on Enterprise.
Read the DPANemo Router supports HIPAA-eligible workloads. A Business Associate Agreement (BAA) is available for healthcare customers processing protected health information — request one through the Enterprise team. PII redaction guardrails run on every request at no extra cost.
Request a BAANemo Router never touches raw cardholder data. All payments are processed by Stripe, a PCI DSS Level 1 certified service provider; card numbers are tokenized client-side and never reach our servers or database. Your PCI scope for using Nemo Router is therefore minimal.
How payments workPin where customer data is processed and stored. US is the default footprint; EU residency is generally available on Enterprise, with UK, Canada, Australia, Singapore, and India available on request for residency-sensitive workloads.
Residency mapFull controls detail in the Security overview and the trust center. Vendor questionnaires: security@nemorouter.ai.
No back-and-forth chasing documents. The DPA and SLA are published and linkable. The MSA and a HIPAA BAA are issued on request through the Enterprise team.
Enterprise engagements come with people: an onboarding engineer, a migration plan, a security review, and a named CSM who knows your deployment — not a rotating inbox.
A dedicated onboarding engineer configures SSO, routing, guardrail policy, and budgets — most deployments production-ready inside two weeks.
We map your existing model groups, fallback logic, and spend controls onto Nemo Router so the cutover is a base-URL change.
A controls walkthrough, the completed vendor questionnaire, and a deployment review before go-live — auditor on the call welcome.
One accountable contact who knows your deployment — private Slack/Teams channel, quarterly business reviews, priority incident response.
Tiers 1–3 are transparently priced and self-serve. Enterprise is custom-quoted for large deals: dedicated capacity, custom contracts, residency pins, and a named CSM.
| Self-serve (Tier 1–3) | Enterprise | |
|---|---|---|
| Platform fee | 2–4%2–4% | 0%0% |
| Deployment | Managed multi-tenantManaged multi-tenant | Managed, dedicated, or VPCManaged, dedicated, or VPC |
| Data residency | USUS | US, EU + on requestUS, EU + on request |
| Support | Email + communityEmail + community | Named CSM + private channelNamed CSM + private channel |
| Contracts | Standard ToS + DPAStandard ToS + DPA | MSA, BAA, custom termsMSA, BAA, custom terms |
| Onboarding | Self-serveSelf-serve | Guided — engineer-ledGuided — engineer-led |
Large deal — committed volume above roughly $10K/month, a residency pin, or a custom contract? That is an Enterprise conversation.
Self-serve features — SSO, audit logs, guardrails, RBAC, custom branding — are included on every tier at no extra cost. Enterprise is for teams that need dedicated capacity, dedicated or VPC deployment, a named CSM, custom contracts, or a residency pin. It is custom-priced based on volume; talk to sales to scope it.
Managed multi-tenant is generally available and the default. Dedicated single-tenant deployments and VPC / BYO-cloud deployments are Enterprise engagements scoped with your cloud team. Fully air-gapped on-premise is on the roadmap, not GA — we will be candid about timelines on a call rather than over-promising.
The standard managed product is intentionally no-BYOK — you never handle a provider key. For Enterprise customers with existing committed-spend contracts (Azure OpenAI PTU, Vertex GSU, Bedrock provisioned throughput), Nemo Router can route through that capacity on a dedicated deployment, with your provider pricing preserved. This is an Enterprise-only capability — talk to us about your existing commitments.
United States is the default footprint. EU residency is generally available on Enterprise. UK, Canada, Australia, Singapore, and India are available on request for residency-sensitive workloads. Customer data is replicated within a single region and never moved without an explicit migration request.
The Data Processing Addendum (DPA) and SLA are published and linkable directly. The MSA and a HIPAA BAA are provided on request through the Enterprise team. Nemo Router operates SOC 2-aligned and ISO 27001-aligned controls; a formal SOC 2 Type II audit is in progress with a Q3 2026 target. Enterprise customers can request a controls walkthrough or a completed vendor security questionnaire from security@nemorouter.ai.
A 99.9% uptime SLA applies on every tier; Enterprise adds priority incident response, a named Customer Success Manager, a private support channel, and quarterly business reviews. We monitor every provider endpoint and fail over automatically when an issue is detected.
We walk your team through deployment options, the controls, and the DPA — typically scoped within days, live within two weeks. Auditors welcome on the call.
SOC 2 Type II audit in progress (target Q3 2026) · GDPR-compliant · HIPAA BAA available · ISO 27001-aligned controls