Dedicated tenancy, VPC and private networking, BYO provider contracts, SSO/SAML, audit logs, residency pinning, a named CSM, and procurement-ready legal artifacts — deployed with confidence at scale.
What Enterprise includes
No markup on inference
Same SLA every tier
US + EU GA, more on request
SSO, security review, DPA
SSO, audit logs, guardrails, and RBAC are not an upsell. They ship to every customer from day one. Enterprise adds deployment, contract, residency, and support depth on top.
Production resilience across 20+ models — usage/latency/cost routing, fallback chains, and per-org retry, timeout, and cooldown tuning.
Single Sign-On for your whole org. SAML 2.0 and OIDC against Okta, Azure AD, Google Workspace, OneLogin, or any compatible IdP — with SCIM provisioning.
Append-only audit trail of every key, guardrail, budget, and team change — actor, timestamp, source IP, and payload diff — exportable for compliance reviews.
PII redaction, prompt-injection detection, secret scanning, abuse blocking, and response scanning run on every request — included on every plan, scoped org > team > key.
Org → team → member hierarchy with Owner, Admin, Member, and Viewer roles enforced by Postgres Row-Level Security — not by application checks alone.
Brand the dashboard for your teams and downstream customers — your logo, your colors, your domain via CNAME, Nemo branding removed.
Most teams run on the managed multi-tenant gateway. Regulated and security-sensitive organizations can run dedicated, in their own VPC, or — on the roadmap — fully air-gapped. We are precise about what is GA today and what is a scoped engagement.
The standard NemoRouter offering. Your org runs on shared, RLS-isolated infrastructure on Google Cloud Run + Supabase. Zero-config — sign up, buy credits, call the API.
A single-tenant NemoRouter deployment in an isolated project — your own database, your own routing engine, your own region pin. No noisy-neighbor surface at all.
NemoRouter deployed inside your cloud account (GCP, AWS, or Azure) so prompts and keys never leave your network perimeter. Scoped as an Enterprise engagement.
Fully air-gapped, self-hosted NemoRouter for regulated environments. This is on the roadmap, not generally available — we will be candid about timelines on a call.
Dedicated, VPC, and on-premise deployments are scoped engagement-by-engagement. Talk to sales and we will design the topology with your cloud team — no over-promised timelines.
When shared infrastructure is not an option, the Dedicated tenancy SKU gives you an isolated NemoRouter deployment — your own database, your own routing engine, your own region — with no noisy-neighbor surface.
Enterprise SKU
Managed multi-tenant already isolates every org with Postgres Row-Level Security. Dedicated tenancy goes further: a separate project, a separate database, a separate routing engine, and dedicated capacity reservations so throughput is predictable under your peak load.
Single-tenant footprint
The standard managed product is intentionally no-BYOK — you never touch a provider key. For Enterprise customers with existing committed-spend contracts, NemoRouter can route through that capacity while preserving your pricing and your provider relationship.
Enterprise-only capability
TLS 1.2+ is the baseline on every plan. Enterprise adds IP allowlisting and private connectivity — PrivateLink, Private Service Connect, or Azure Private Endpoint — scoped to your network with our team.
Every public endpoint enforces TLS 1.2+ with HSTS preload on the apex domain. This is the baseline on every plan — no configuration required.
Restrict dashboard and API access to your corporate egress ranges. Available on Enterprise — configured during onboarding with your network team.
Reach NemoRouter over a private connection — AWS PrivateLink, GCP Private Service Connect, or Azure Private Endpoint — so traffic never traverses the public internet. Available on Enterprise / dedicated tenancy; contact sales to scope.
United States is the default footprint. EU residency is generally available on Enterprise. UK, Canada, Australia, Singapore, and India are available on request for residency-sensitive workloads — customer data is replicated within a single region and never moved without an explicit migration request.
Need a region not listed? Ask sales — most major cloud regions can be supported on a dedicated deployment.
We state precisely where each framework stands — achieved, in progress, or available on request. We never imply a certification NemoRouter does not hold.
NemoRouter operates SOC 2-aligned security, availability, and confidentiality controls today — encryption, access control, change management, audit logging, tenant isolation. A formal SOC 2 Type II observation period is underway; the audited report is targeted for Q3 2026. Our infrastructure substrate (Google Cloud Run, Supabase) is already SOC 2 Type II certified.
Controls walkthroughInformation security management practices aligned to ISO/IEC 27001 Annex A controls — asset management, access control, cryptography, operations security, supplier relationships. A formal ISO 27001 certification is on the roadmap; the infrastructure substrate (Cloud Run, Supabase) is independently ISO 27001 certified.
Controls walkthroughCompliant with the EU General Data Protection Regulation. Data Processing Addendum available for signature, EU Standard Contractual Clauses with subprocessors, data-subject access and erasure tooling built into the dashboard, and EU data residency available on Enterprise.
Read the DPANemoRouter supports HIPAA-eligible workloads. A Business Associate Agreement (BAA) is available for healthcare customers processing protected health information — request one through the Enterprise team. PII redaction guardrails run on every request at no extra cost.
Request a BAANemoRouter never touches raw cardholder data. All payments are processed by Stripe, a PCI DSS Level 1 certified service provider; card numbers are tokenized client-side and never reach our servers or database. Your PCI scope for using NemoRouter is therefore minimal.
How payments workPin where customer data is processed and stored. US is the default footprint; EU residency is generally available on Enterprise, with UK, Canada, Australia, Singapore, and India available on request for residency-sensitive workloads.
Residency mapFull controls detail in the Security overview and the trust center.
No back-and-forth chasing documents. The DPA and SLA are published and linkable. The MSA and a HIPAA BAA are issued on request through the Enterprise team.
Data Processing Addendum
PublishedGDPR Art. 28 processor terms with EU SCCs. Read it now, sign at contract.
Service Level Agreement
PublishedThe 99.9% uptime commitment, credits, and exclusions.
Master Service Agreement
On requestIssued by the Enterprise team — redlines welcome. Email sales to request a copy.
Business Associate Agreement
On requestFor HIPAA-eligible workloads. Request one through the Enterprise team.
Running a vendor security review? Email security@nemorouter.ai for a completed security questionnaire and a controls walkthrough.
Enterprise engagements come with people. An onboarding engineer configures the deployment, a migration plan maps your existing setup, and a security review clears the path to go-live.
A dedicated onboarding engineer configures SSO, provider routing, guardrail policy, and budgets with your team. Most enterprise deployments are production-ready inside two weeks.
Moving off OpenRouter, a direct provider, or a self-hosted gateway? We map your existing model groups, fallback logic, and spend controls onto NemoRouter so the cutover is a base-URL change.
We walk your security team through the controls, answer the vendor questionnaire, and review the deployment architecture before go-live — auditor on the call welcome.
Enterprise is not a ticket queue. You get a named Customer Success Manager — a single accountable contact who knows your routing config, your spend pattern, and your roadmap.
Included on Enterprise
Your CSM runs onboarding, joins quarterly business reviews, surfaces cost-optimization opportunities before they show up on an invoice, and is the escalation path when something needs a human in minutes — not a queue position.
Your success plan
Tiers 1–3 are transparently priced and self-serve — start in minutes on the pricing page. Enterprise is custom-quoted for large deals: dedicated capacity, custom contracts, residency pins, and a named CSM.
| Self-serve (Tier 1–3) | Enterprise | |
|---|---|---|
| Platform fee | 2–4%2–4% | 0%0% |
| Deployment | Managed multi-tenantManaged multi-tenant | Managed, dedicated, or VPCManaged, dedicated, or VPC |
| Data residency | USUS | US, EU + on requestUS, EU + on request |
| Support | Email + communityEmail + community | Named CSM + private channelNamed CSM + private channel |
| Contracts | Standard ToS + DPAStandard ToS + DPA | MSA, BAA, custom termsMSA, BAA, custom terms |
| Onboarding | Self-serveSelf-serve | Guided — engineer-ledGuided — engineer-led |
Large deal — committed volume above roughly $10K/month, a residency pin, or a custom contract? That is an Enterprise conversation.
Self-serve features — SSO, audit logs, guardrails, RBAC, custom branding — are included on every tier at no extra cost. Enterprise is for teams that need dedicated capacity, dedicated or VPC deployment, a named CSM, custom contracts, or a residency pin. It is custom-priced based on volume; talk to sales to scope it.
Managed multi-tenant is generally available and the default. Dedicated single-tenant deployments and VPC / BYO-cloud deployments are Enterprise engagements scoped with your cloud team. Fully air-gapped on-premise is on the roadmap, not GA — we will be candid about timelines on a call rather than over-promising.
The standard managed product is intentionally no-BYOK — you never handle a provider key. For Enterprise customers with existing committed-spend contracts (Azure OpenAI PTU, Vertex GSU, Bedrock provisioned throughput), NemoRouter can route through that capacity on a dedicated deployment, with your provider pricing preserved. This is an Enterprise-only capability — talk to us about your existing commitments.
United States is the default footprint. EU residency is generally available on Enterprise. UK, Canada, Australia, Singapore, and India are available on request for residency-sensitive workloads. Customer data is replicated within a single region and never moved without an explicit migration request.
The Data Processing Addendum (DPA) and SLA are published and linkable directly. The MSA and a HIPAA BAA are provided on request through the Enterprise team. NemoRouter operates SOC 2-aligned and ISO 27001-aligned controls; a formal SOC 2 Type II audit is in progress with a Q3 2026 target. Enterprise customers can request a controls walkthrough or a completed vendor security questionnaire from security@nemorouter.ai.
A 99.9% uptime SLA applies on every tier; Enterprise adds priority incident response, a named Customer Success Manager, a private support channel, and quarterly business reviews. We monitor every provider endpoint and fail over automatically when an issue is detected.
Enterprise · scoped in days
We walk your team through deployment options, the controls, and the DPA — typically scoped within days, live within two weeks. Auditors welcome on the call.
SOC 2 Type II audit in progress (target Q3 2026) · GDPR-compliant · HIPAA BAA available · ISO 27001-aligned controls