Delta

AI scales. Compliance must not be the bottleneck.

Make AI productive.
Keep risk
under control.

Between your app and the model: rules, checks on sensitive data, and a clear record per request — in the traffic path, not a bolt-on tool.

Solid defaults you can refine — not a blank rulebook from scratch. Keep your SDK; checks and logs run with every call, without rebuilding your app.

Get unblockedSurvey
Delta Gateway
live · sub-50mspolicy · DLP · audit / request

Your Application

OpenAI-compatible API · Chat-ready

app.tsOpenAI SDK
const openai =
  new OpenAI({
    baseURL: "https://rundelta.dev/v1",
  });

await openai.chat.completions.create({
    model: "gpt-4o-mini",
  });
request

Compliance pipeline

PII DetectionScan & redact sensitive data
Risk ClassificationEU AI Act Annex III check
Smart RoutingOptimal model selection
Cost OptimizationPer-request spend tracking
Audit TrailFull compliance logging
Quality MonitorHallucination detection
signed · routed

Any model

routes to best provider

Ministral · Qwen · DeepSeek · BYO — fully extensible

All policy checks passedOpenAI-compatible APIAudit-signed receipt

What this marketing site collects is described in our privacy policy. Product logging and retention are agreed with you during rollout. Privacy policy

Operations & access

  • Deployment: SaaS processing in Frankfurt, Germany; additional regions, isolated environments, or self-hosted by arrangement.

  • Audit trail: policy outcomes and routing are traceable and exportable per request — less manual stitching for reviews.

  • API keys and roles: scoped access to models and policies, smaller blast radius than one key for everything.

  • `DELTA_API_KEY` stays in your runtime secret store — rotate and lifecycle it like any production credential.

More on architecture and controls

01 / Process

One request. Full compliance pipeline.

Delta enforces policy checks, redacts PII, classifies risk, routes to the best model, and returns a signed audit record.

Plays once when this section scrolls into view — pick another scenario or replay the animation.

  1. Request enters gateway
  2. PII detection and redaction
  3. EU risk classification
  4. Policy and model routing
  5. Signed audit receipt
  6. Response returned to app
Request IDreq_8f3a9c2d1e4b…m7

Try it yourself:

02 / Problem

Most teams are blocked between speed and compliance.

People still want modern AI at work, but legal and security need enforceable controls and clear accountability.

Shadow AI use increases because approved tools are too limited.
Legal reviews become a bottleneck for every new model request.
Audit evidence is fragmented across logs and provider consoles.

Security

Threat model in one paragraph

We help you enforce policy, reduce sensitive-data leakage on the LLM path, and produce review-friendly evidence (receipts, routing and policy decisions). We do not replace endpoint security, IAM design, or secure application coding — your teams still own identity, device posture, and what the app sends to the gateway.

03 / Features

Core features - and the practical value you get.

Every module maps to real dashboard surfaces — defense-in-depth from DLP/PEP to tamper-evident audit trails. Baseline policies and curated rule sets ship pre-configured: ready to use instead of months of rule bootstrap.

Flow Explorer

E2E observability and tracing on LLM traffic: every call gets a chain of custody — which policy fired, what was redacted under DLP-style rules, which routing decision applied. Faster SOC triage, less blind spot between app, gateway, and provider.

LLM firewall (inline PEP)

Policy enforcement point in front of the model provider: allow/deny and default-deny profiles, DLP/PII inspection, IPS-style blocking before egress. RBAC-aware, shrinking attack surface and blast radius before data leaves your perimeter to the LLM.

EU AI Act Hub (Risk, Review, Conformity)

Risk class, review state, and conformity are managed in one place. This turns scattered compliance tasks into a clear and auditable approval flow.

Audit Log + Evidence Export

Audit-ready evidence is available immediately and exportable on demand. Your team spends far less time assembling proof for internal or external reviews.

API Keys + Cost Insights + Billing

Access control and spend visibility are centralized instead of spread across provider consoles. Budget drift is visible early, before month-end surprises.

BYOK & provider keys

Use your own model-provider credentials (BYOK) or operated pool keys — aligned with procurement and crypto policy, without extra secret paths in your app.

Chat

Non-developers get chat access on the same platform: approved models with the same policies, PII protection, and auditing as API traffic. Business teams chat in an enterprise-compliant way — without drifting outside your governance perimeter.

Kill Switch + Notifications

In an emergency, quickly cut off traffic to an LLM provider or reroute it through the gateway — without touching every service by hand. Notifications make sure ops and owners can act immediately.

Developers + Model Catalog + Policy History

Developer access, model approvals, and policy changes are documented transparently. This reduces coordination overhead and keeps decisions traceable later.

Cost Optimization Routing

Requests are automatically routed to cost- and quality-optimized models. You reduce recurring model spend without defaulting to one-size-fits-all quality tradeoffs.

04 / Outcomes

What improves in your day-to-day work

Production-ready with pre-built baselines: less busywork, clearer ownership. Each core feature is meant to save time, surface risk, and spare security and compliance teams from audit and approval grind.

Typical setup without a gateway

  • PII protection, costs, and governance are spread across multiple tools.
  • Audit evidence has to be collected manually from logs and dashboards.
  • Policy sets and controls are often modeled from scratch — slow time-to-value.
  • Every new model creates a fresh risk and approval process.

With a gateway in production

  • Flow Explorer → chain of custody & E2E tracing — policy, redaction, routing; faster SOC triage.
  • LLM firewall (PEP) → default-deny/allow, DLP/PII, IPS-style before egress; RBAC and smaller blast radius.
  • Baselines included → ready to use: no empty rulebook; tune granularly instead of months of bootstrap.
  • EU AI Act hub + Audit Trail → You stay audit-ready without spreadsheet and log chaos.
  • Chat → Everyone chats with approved models — same rules and traceability as gateway traffic.
  • API Keys + Cost Insights + Kill Switch → Central spend and access; in an emergency stop LLM traffic or reroute it.
  • Cost optimization routing → Cheaper model selection at stable quality, with expensive requests auto-flagged.
05 / Integrate

Drop-in replacement: swap the base URL only.

OpenAI-compatible API — point your client at the gateway (`https://rundelta.dev/v1`) instead of the provider base URL. Keep your SDK, calls, and model strings; policies and audit run automatically on that path.

Security integration checklist (no extra code paths): keep `DELTA_API_KEY` in a secret store your platform already uses; rotate like any production credential. mTLS, private connectivity, and key-management integrations are part of enterprise deployment discussions — we align to your network and KMS standards rather than forcing a one-size pattern.

  • Network: public HTTPS today; private egress, VPC peering, and similar patterns are scoped when you need data-plane isolation beyond TLS.
~/app/llm.ts
import OpenAI from "openai";
// Drop-in: only the base URL points at the gateway

const client = new OpenAI({
  apiKey: process.env.DELTA_API_KEY,
  baseURL: "https://rundelta.dev/v1",
});

const out = await client.chat.completions.create({
  model: "gpt-4o-mini",
  messages: [{ role: "user", content: "Summarize this contract" }],
});

How: set `baseURL` (Node) or `base_url` (Python) to `https://rundelta.dev` — that’s the change.

  • True drop-in: one config line — gateway base URL instead of the provider (no app rewrite)
  • Security baselines and rule packs are pre-configured — after the URL swap, controls go live without months of policy bootstrap
  • OpenAI, Anthropic, Bedrock, and Vertex API compatible
  • Streaming, tool use, and function calling proxied transparently
  • Failover and retries handled at the gateway
  • Deploy in cloud, VPC, or self-hosted setup
06 / Providers

Route across providers without policy drift.

OpenAIGPT-5 · GPT-5 mini · o4
AnthropicClaude Opus 4.1 · Sonnet 4
GoogleGemini 2.5 Pro · 2.5 Flash
MistralMistral Large 2 · Ministral 8B
MetaLlama 4 Maverick · Scout
Self-hostedQwen3 · DeepSeek-V3 · BYO
06b / Abuse cases

Abuse cases buyers ask about

A short split of responsibilities — what the gateway is built to mitigate versus what stays in your app and org policies.

GatewayYour app / org

Prompt injection & jailbreak attempts

Inline enforcement, allow/deny profiles, and DLP-style inspection can block or redact many egress attempts before they reach the provider.

Application trust boundaries, tool permissions, and human-in-the-loop for high-risk actions remain your design choices.

Data exfiltration via the model channel

Policy hits, redaction, and routing decisions are recorded for triage; Flow Explorer gives chain-of-custody per call.

Classification of what may leave the perimeter and business rules for attachments/context are still owned by you.

Tool / agent misuse

Traffic passes through the same policy and logging path; kill switch and quotas limit blast radius when something misbehaves.

Orchestration logic, tool schemas, and approval workflows for autonomous actions stay in your stack.

07 / Compliance

Security posture in one place: observability, enforcement (PEP), governance & spend — defense-in-depth instead of siloed tools.

Flow Explorer — E2E observability and request tracing: policy hits, redaction, routing; chain of custody per LLM call.

We record what happened for each request; your SOC uses it to triage incidents without stitching logs from app, gateway, and provider by hand.

What this means in practice

Observability here means structured telemetry and trace IDs tied to policy outcomes — not a generic dashboard.

LLM firewall (inline PEP) — default-deny/allow, DLP/PII inspection, IPS-style blocking before traffic reaches the provider.

The gateway enforces the rules you configure (allowlists, redaction, blocks); you still decide policy content and exceptions.

What this means in practice

PEP (policy enforcement point) is the control choke-point on the wire. DLP-style means pattern- and rule-based content controls, not a separate enterprise DLP SKU.

EU AI Act hub + audit trail — risk and review workflow with exportable evidence for internal and external questions.

Helps you document model traffic and decisions for oversight; final legal classification remains yours with counsel.

What this means in practice

“Ready” means technical artifacts and workflows — not a certification that a regulator pre-approved your use case.

Cost optimization + kill switch — central spend, quotas, and emergency cut-off or reroute of LLM egress.

Operators get one place to cap usage or stop traffic when something looks wrong; routing rules stay versioned like other policies.

What this means in practice

Kill switch is an operational control for LLM paths through the gateway, not full network segmentation by itself.

Get AI unblocked for your team.

Book a demo for your compliance and engineering leads and see the full process flow live.

Get unblockedSurvey

Built and operated in

Wiesbaden

For regulated teams across Europe

FAQ

Common questions

Integration, governance, and next steps.

Who is Delta for?
Organizations that run language models in production — without letting governance become the bottleneck. Typical buyers are cross-functional teams spanning engineering, security, and compliance in regulated industries such as finance, insurance, legal, and the public sector. Delta pairs delivery speed with defensible control: engineering keeps shipping while auditors and internal controls get traceability. Book a short demo and we’ll map it to your architecture.
How do we integrate Delta — and how do teams use it day to day?
Fastest path: keep your existing SDK and point `baseURL` at the gateway. Every request passes policies, PII protection, and auditing before it reaches your chosen model provider — no rewrite of your business logic. For a concrete walkthrough, open the product demo or book a session and we’ll align integration and rollout with your environment.
Can we route traffic to a different LLM or provider easily?
Yes — centralized routing is core to Delta. Model choice, failover, and routing rules live in the gateway instead of being duplicated across services. That lets you optimize for quality, cost, latency, or regulatory requirements — and switch cleanly on outages or limits. We define the right rule set for your organization in a pilot or strategy session.
Is there a chat interface?
Yes. The chat UI is for teams that want to work through the gateway directly — for example business units, enablement, or internal support scenarios. Your API remains the primary integration path for products and tools: same models, policies, and evidence for both chat and code. One stack, one governance model — no split between surface and integration.
Can we pass context so the model answers in our company voice or follows internal guardrails?
Yes. Use the usual chat API building blocks: system and context messages plus clear roles in `messages`. Delta adds governance on top: what may leave your perimeter, what gets redacted, and what is logged for audits. Recurring instructions can be centralized as org-wide defaults or templates when you’re ready — we align depth and rollout in conversation.
Can we enforce prompts or response templates?
Yes — mature AI operations need consistent standards, less drift between teams, and clear approvals. That maps naturally to policies and routing: anything enforced at the gateway is centrally controlled and auditable. We scope the detail to your approval workflows; the demo shows the direction we take.
Are controls more granular than what we get from the model vendor alone?
The vendor delivers the model; Delta delivers the controls around it — API keys with clear scope, traceability per request, policy and routing rules, and audit-grade telemetry. That’s where legal and security get the granularity they need while engineering keeps familiar SDK workflows.
Can we build agents or tool-calling workflows?
Yes. Keep agents and orchestration in your stack; Delta is the secured, observable path to models. Streaming, tool use, and function calling pass through while policy, PII protection, and logging apply before the provider. Workflows stay flexible and risk stays manageable.
Where is data processed — do you offer EU or self-hosted deployments?
Processing runs in Frankfurt, Germany. Additional regions and on-premises deployments are available by arrangement. We are GDPR-aligned; details are in our privacy policy.
Isn’t this “just another AI gateway”?
Many vendors can proxy traffic and meter tokens. Delta is policy-first: surface risk early, protect sensitive data, and document decisions in an audit-ready way. Regulated organizations choose us for EU AI Act–oriented telemetry combined with an operational gateway — not a generic proxy.
What does EU AI Act support mean for us in practice?
Delta helps you operationalize risk classification, traceability, and audit trails around model traffic — the technical evidence auditors and internal controls often ask for. It supports your documentation duties; it does not replace legal classification of your system. Scope depends on use case and contracts — align with your legal team, with us contributing the technical substance.
Do you support streaming?
Yes. Streaming and modern API behaviors are part of the OpenAI-compatible path teams already expect — the same governance, PII handling, and telemetry apply along the stream as for non-streaming calls.