Frequently Asked Questions
Common questions about Aptly's functionality, security, and compliance.
General
Does Aptly slow down my API requests?
Minimal overhead (~50-100ms for PII scanning). The bulk of latency comes from the LLM provider itself. We use Microsoft Presidio for fast, local PII detection—no additional API calls required.
Can I use Aptly with my existing OpenAI/Anthropic code?
Yes! Just change the base_url to Aptly's endpoint. Everything else stays the same.
Which LLM providers does Aptly support?
Aptly uses LiteLLM under the hood, so it supports 100+ providers including:
- OpenAI (GPT-4, GPT-3.5)
- Anthropic (Claude 3.5 Sonnet, Opus, Haiku)
- Google (Gemini 1.5 Pro, Flash)
- Cohere (Command R+)
- Together AI (Llama 3.1, Mixtral)
Security & Privacy
Does Aptly store my LLM provider API keys?
No. You pass your provider keys per-request in the api_keys field. Aptly never persists them. This "customer-provided keys" model ensures you maintain full control.
Are audit logs truly immutable?
Yes. We use PostgreSQL database triggers to prevent modification or deletion of audit log entries, even with service role access. This satisfies regulatory requirements for immutable audit trails.
What happens to the original (unredacted) data?
The original request is never stored. Audit logs only contain the redacted version that was sent to the LLM. Original PII never leaves your request and is never persisted by Aptly.
Can Aptly guarantee the LLM provider won't see PII?
Aptly redacts detected PII before forwarding to the LLM. However, PII detection is probabilistic—no system is 100% accurate. We use Microsoft Presidio (industry standard) and achieve high accuracy, but you should still review your compliance requirements.
Compliance
Does Aptly make me GDPR compliant?
Aptly provides two foundational controls—automatic PII redaction and immutable audit logs—but GDPR compliance requires more than technology. You still need data processing agreements, privacy policies, user consent mechanisms, etc. Aptly significantly reduces risk but doesn't replace a full compliance program.
Can I use Aptly for HIPAA-covered data?
Aptly can be part of a HIPAA compliance strategy (we detect health-related PII), but you'll need a Business Associate Agreement (BAA) with both Aptly and your LLM provider. Contact us to discuss HIPAA requirements.
How long are audit logs retained?
Retention periods vary by plan: 30 days (Free), 1 year (Pro), 7 years (Enterprise, configurable). After the retention period, logs are automatically purged.
Billing & Limits
Does Aptly charge for LLM usage?
No. You pay your LLM provider directly (via your own API keys). Aptly charges only for the compliance middleware service.
What are the rate limits?
Free tier: 100 requests/hour. Pro tier: 10,000 requests/hour. Enterprise: Custom limits. Rate limits are enforced per customer, not per API key.
What happens if I exceed my rate limit?
You'll receive a 429 Too Many Requests response with a Retry-After header indicating when you can try again.
Technical
Does Aptly support streaming responses?
Yes. Set stream=True and you'll receive server-sent events just like with OpenAI. The audit log is created when the stream completes.
Can I customize which PII types to detect?
Not currently. Aptly detects all standard PII types (SSN, email, phone, credit card, etc.) by default. Custom entity detection is on the roadmap for Enterprise plans.
Can I self-host Aptly?
Yes, for Enterprise customers. Contact us to discuss on-premises deployment options.
What's the difference between masking and hashing?
Masking (PERSON_A) preserves entity type and makes text readable. Hashing (HASH_a3f2c1b9) is deterministic—the same value always gets the same hash, useful for tracking entities across requests without revealing identity.
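The contrast above, as an added illustration that is not Aptly's code: masking assigns per-request labels (PERSON_A, PERSON_B) that reset on every request, while hashing produces a stable HASH_<8 hex> token for the same value in every request. The two-regex detector stands in for Presidio, the sample texts are constructed, and the keyed HMAC-SHA256 (so the token cannot be brute-forced back to the value without the key) is this example's assumption, not a statement about how Aptly derives its hashes.

```python
import hashlib
import hmac
import re

# Constructed sample requests (not real data); both mention the same person.
REQUEST_1 = "Alice Smith emailed alice@example.com about Bob Jones; Bob Jones replied."
REQUEST_2 = "Bob Jones called back."
# Constructed demo secret; a real deployment would load the key from a secret store.
KEY = b"demo-secret-key"

# Stand-in detector: two regexes instead of Presidio, adequate for the constructed text.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "PERSON": re.compile(r"\b[A-Z][a-z]+ [A-Z][a-z]+\b"),
}

def detect(text):
    """Return (start, end, entity_type, value) spans sorted by position."""
    spans = []
    for etype, pat in PATTERNS.items():
        spans.extend((m.start(), m.end(), etype, m.group()) for m in pat.finditer(text))
    return sorted(spans)

def _rewrite(text, label_for):
    """Replace every detected span with whatever label_for(entity_type, value) returns."""
    out, last = [], 0
    for start, end, etype, value in detect(text):
        out.append(text[last:start])
        out.append(label_for(etype, value))
        last = end
    out.append(text[last:])
    return "".join(out)

def mask(text):
    """Masking: TYPE_A, TYPE_B, ... in order of first appearance; labels reset per request."""
    labels, counters = {}, {}
    def label_for(etype, value):
        if value not in labels:
            n = counters.get(etype, 0)
            counters[etype] = n + 1
            labels[value] = f"{etype}_{chr(ord('A') + n)}"  # A..Z is plenty for a demo
        return labels[value]
    return _rewrite(text, label_for)

def hash_redact(text, key):
    """Hashing: HASH_<8 hex> from keyed HMAC-SHA256, so one value maps to one token everywhere."""
    def label_for(_etype, value):
        return "HASH_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
    return _rewrite(text, label_for)
```

Running mask() on both requests labels Bob Jones PERSON_B in the first and PERSON_A in the second, so the two cannot be linked; hash_redact() emits the same HASH_ token in both, which is exactly the cross-request tracking the answer describes.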
Still have questions?
Check out the full API reference or contact us directly.