Every dollar of inference
maps to a desk.
An append-only audit trail your examiners can read, PII redaction on every request, and per-desk budgets settled from the provider's own response — exact, not estimated.
No BYOK · negative balances blocked at the database · 4 → 0% platform fee
- Append-onlyAudit trailEvery key, budget, guardrail change
- 3Budget scopesOrg · desk/team · per-key
- InlineGuardrail checksPII redaction runs in-process
- 4 → 0%Platform feeLower than OpenRouter at 5.5%
Exact cost. Atomic accounting. No overruns.
In a regulated firm, unattributed spend is a finding waiting to happen. Every request reserves credits, forwards, and settles against the provider-reported cost — a failed request releases the reservation. A desk that hits a hard cap gets a clean 402; the database refuses to write a negative balance.
- Per-desk teams with independent hard and soft budgets
- Costs settled from the provider response — exact, not inferred
- Soft-cap alerts at 70 / 90 / 100% via Slack or webhook
- Per-key spend breakdown for chargeback and cost allocation
- Append-only audit trail with actor, IP, and diff — CSV/JSON export for your SIEM
Desk — markets research
Soft cap at 90%
Slack alert fired · desk lead sees it before finance does
Desk — client support
Within budget
PII redaction in front of every customer-facing request
Ledger
Negative balance: impossible
Reserve + settle · 402 on a tripped hard cap · no partial debit
PII redaction before a prompt leaves the desk
Account numbers, SSNs, card numbers, emails, and phone numbers redacted inline — powered by Microsoft Presidio.
Failover for trading-hours workloads
Fallback chains retry on a backup model when a provider degrades — 99.9% uptime SLA on every tier.
Versioned prompt templates
Compliance-approved prompts ship as server-side templates, with every change captured in the audit trail.
What we can prove, and what is in progress.
- SOC 2 Type II — in progress. SOC 2-aligned controls operate today; the audited report is targeted for Q3 2026. We do not claim “certified” until it is signed.
- GDPR — compliant. A Data Processing Addendum is published and signable; subprocessors are covered by EU Standard Contractual Clauses.
- PCI scope — minimal. Nemo Router never touches cardholder data; payments run through Stripe, a PCI DSS Level 1 provider.
Running a vendor security review? security@nemorouter.ai will send a completed questionnaire and walk your risk team through the controls.
Finance questions, answered
Is Nemo Router SOC 2 certified?
Not yet — and we will not say "certified" until the report is signed. Nemo Router operates SOC 2-aligned controls today: encryption, access control, change management, audit logging, and tenant isolation. A formal SOC 2 Type II observation period is underway, with the audited report targeted for Q3 2026. The underlying infrastructure (Google Cloud Run, Supabase) is independently SOC 2 Type II certified. Risk teams that need assurance before the report lands can request a controls walkthrough or a completed vendor security questionnaire from security@nemorouter.ai.
Can we keep customer data in a specific region?
United States is the default footprint. EU residency is generally available on Enterprise; the UK, Canada, Australia, Singapore, and India are available on request. Customer data is replicated within a single region and is never moved without an explicit migration request.
How do we stop one desk from overspending?
Give each desk its own team with a hard budget. A hard cap returns 402 the moment it would be breached — there is no partial debit and no negative balance. Soft caps fire Slack or webhook alerts at 70%, 90%, and 100% so a desk lead sees a problem before finance does.
Do we ever have to handle a provider API key?
No. Nemo Router is a fully managed gateway — your teams authenticate with Nemo Router virtual keys (sk-nemo-…) only. We manage every provider relationship. Enterprise customers who already hold committed-spend provider contracts can have Nemo Router route through that capacity on a dedicated deployment.
Bring us your control matrix.
We will walk your risk, security, and finance teams through the audit trail, the residency map, and the budget model — auditors welcome on the call.
SOC 2 Type II audit in progress (target Q3 2026) · GDPR-compliant · data residency on Enterprise