Security & compliance

LangWatch Deployment Options

LangWatch offers three deployment options to accommodate different security, compliance, and operational needs:

The software is hosted and managed by LangWatch.
LangWatch is responsible for availability and performance of the entire platform.
LangWatch may access the customer account for debugging purposes, with all access fully logged and requiring explicit permission requests
Ideal for businesses that want a fully managed solution without the need to maintain infrastructure.

The Client hosts and manages the full software on their own infrastructure, which may include on-premise servers or cloud environments such as AWS, Azure, or Google Cloud.
The Client is solely for updates, security, and maintenance.
LangWatch offers additional services on deployment support and updates.
Best suited for organizations requiring complete data sovereignty.

The Client utilizes LangWatch Cloud for LLM monitoring, evaluation and optimization, while all client data (input and output of LLMs) remains on the Client’s infrastructure.
LangWatch may access the customer account for debugging purposes, with all access fully logged and requiring explicit permission requests
The Client retains full responsibility for the management, security, and regulatory compliance of the LLM data.

Deployed in a secure and safe cloud with robust security capabilities all hosted in the EU.

No personal information stored with granular PII Controls. All PII wiped immediately.

Dedicated support to help you at every step of the way.

LangWatch is hosted on Amazon Web Services (AWS), leveraging industry-leading security and compliance capabilities:

AWS Security compliance: AWS is ISO 27001, SOC2, and GDPR-compliant.
Data centers: Hosted in EU-based AWS regions, ensuring compliance with European data residency regulations. Other regions such as US / Australia are available on request (via AWS marketplace)
Multi-region redundancy: Built-in disaster recovery with failover mechanisms across multiple AWS regions.

LangWatch ensures data security through strong encryption standards:

Encryption at Rest: All stored data is encrypted using AES-256 encryption and Redis queues.
Encryption in Transit: All data exchanged between customers and LangWatch is secured with TLS 1.2+.
Key management: Uses AWS Key Management Service (KMS) for encryption key protection.
Granular PII Controls: Any personally identifiable information (PII) is automatically detected and wiped immediately after processing.

Role-Based Access Control (RBAC) ensures granular permission management.
Multi-Factor Authentication (MFA) is enforced across LangWatch systems.
AWS Identity and Access Management (IAM) policies follow the principle of least privilege.
Secure Authentication via Auth0 with Single Sign-On (SSO). Specific SSO available on request.

LangWatch employs continuous security monitoring and a robust incident response framework:

Threat detection: Snyk Security to monitor for anomalies in real-time.
Comprehensive logging: AWS CloudTrail and AWS CloudWatch provide full audit logging.
Automated security alerts: Monitored 24/7 for unauthorized access attempts or suspicious activity.
Incident response: A structured incident response plan ensures rapid investigation, containment, and resolution of security incidents.

LangWatch has a robust backup and disaster recovery strategy:

Automated backups: Data is backed up daily, with encryption at rest.
Geo-redundant storage: Backups are replicated across multiple AWS regions.
Retention policy: Customers can define data retention periods to meet compliance needs - part of the commercial agreement. Or go for the Hybrid option to own this.
Recovery objectives: LangWatch maintains an RPO (Recovery Point Objective) of <1 hour and an RTO (Recovery Time Objective) of <4 hours.

LangWatch follows industry best practices in Secure software development lifecycle:

Code security audits: Regular security reviews and static code analysis.
Vulnerability Management: Automated scanning with GitHub Dependabot and Snyk..
Peer Code Reviews: Every pull request undergoes checks before merging.
Production vs. development isolation: Staging and production environments are strictly separated.

LangWatch ensures adherence to global security and privacy regulations:

GDPR Compliance: Customers can exercise their right to be forgotten and data portability.
Data Processing Agreements (DPAs): We provide DPAs for enterprise customers to meet compliance requirements.
SOC2 & ISO 27001 Certification: LangWatch partners with certified cloud providers to maintain compliance.
Subject access request handling: A structured process for responding to privacy-related requests.

Employee security training: All employees receive annual security training.
Third-party security audits: Regular penetration testing by external security firms.
Vendor risk assessment: Any third-party tools is evaluated to meet ISO 27001, and GDPR compliance requirements.