Gateway privacy modes let a customer choose what Tallin stores while keeping the operational ledger useful for spend, attribution, and policy evidence.
Metadata-only is the default privacy-friendly path
Metadata-only capture records the operational trail: user, workload, provider, model, token and cost estimate, route status, policy result, and timing. It does not store the prompt or response body.
Full audit capture is an explicit tradeoff
Full audit capture can support deeper prompt-level review, but it stores more sensitive material. Teams should turn it on only where they need that evidence and understand the governance value versus exposure tradeoff.
SaaS still sees traffic in memory
An inline gateway must receive plaintext in memory to forward the request. Metadata-only controls what is stored, not what transiently passes through the route. A self-hosted or VPC data plane is the stronger answer when a customer requires Tallin-hosted infrastructure to never see plaintext.
Key takeaways
- Metadata-only stores who, what, when, how much, route, and policy outcome.
- Full audit capture is useful for deeper review but stores more sensitive content.
- Helper tokens preserve employee attribution for developer tools.
- Only self-hosted or VPC deployment fully removes Tallin-hosted data-plane visibility.