solutions --enterprise
The audited broker your security team will sign off on.
SSO, data residency, privacy-first AI, SIEM streaming and a tamper-evident audit trail — the controls and evidence enterprise security and compliance teams require, with customer-managed keys and bring-your-own-Vault when policy demands it.
Enterprise terms, SSO and data residency are arranged with our team.
What changes
Evidence, not assertions
A tamper-evident audit trail and session recording give security and compliance teams the record they actually ask for.
Keep data on your terms
Data residency and privacy-first AI mean sensitive output and secrets stay where policy requires.
Fits your identity stack
SSO / SAML and SCIM provisioning connect VaultTerm to the directory you already run.
Plugs into your security stack
Stream security events to Splunk and Microsoft Sentinel in real time, sync secrets with your own HashiCorp Vault, and seal the master key under an HSM-backed Vault Transit key.
What you can do
- SSO / SAML and SCIM provisioning
- On-prem & air-gapped self-hosting
- Data residency and self-hosted AI
- SIEM streaming (Splunk, Sentinel) and webhook alerts
- Bring-your-own HashiCorp Vault and HSM-backed keys
- SOC 2 trajectory, DPA and subprocessors
- Dedicated onboarding and support
faq --list
For enterprise — questions
Do you support SSO and provisioning?
Yes — SSO / SAML for sign-in and SCIM for provisioning are part of the enterprise plan, alongside per-organisation identity configuration.
Can you stream events to our SIEM?
Yes. The integrations hub forwards security events in real time to Splunk (HTTP Event Collector) and Microsoft Sentinel (Log Analytics), alongside Slack, PagerDuty and generic webhooks. A pull Events API is also available for full-stream and historical export.
Can we use our own HashiCorp Vault and keys?
Yes. Enterprise can sync VaultTerm credentials with your own HashiCorp Vault (KV v2, push / pull / bidirectional with conflict detection), and seal VaultTerm's envelope-encryption master key under a HashiCorp Vault Transit key — which can itself be HSM- or auto-unseal-backed — so the master is unsealed only in memory at boot.
Can terminal output be kept off the cloud entirely?
Yes. AI defaults to a self-hosted model on your network, and for enterprise, terminal output need not leave the LAN at all — cloud assist is opt-in and redaction-gated.
Can we run VaultTerm on our own hardware or air-gapped?
Yes. VaultTerm self-hosts as a single Docker Compose unit and supports fully air-gapped install via an offline bundle — the signed license verifies locally with no phone-home. You can bind the master key to your hardware and seal it under your own HashiCorp Vault or HSM. See the self-hosting page for the full picture.
What compliance materials are available?
A DPA and subprocessors list are published, with a SOC 2 trajectory. Talk to us for the current status and any specific evidence your review needs.
The audited broker your security team will sign off on.
Enterprise terms, SSO and data residency are arranged with our team.