The deployable control plane for vector data. Every ingest normalized. Every policy enforced before the write, not after. Every (text → embedding) tuple signed. Every reject explained in an audit entry your auditor can verify.
Same vector. Same store. Verifiable trust. Sidecar or gateway. One YAML for Qdrant, Pinecone, Weaviate, pgvector, LanceDB.
Work emails only. We never sell or share your address. See the open spec at vectorpin.org.
$ vectorpin policy check ./prod.yaml ✓ collections: 7 valid ✓ tenants: 12 valid ✓ keys: 1 active, 0 expiring < 30d ✓ adapters: qdrant, pgvector ─ deploy modes: sidecar, gateway ─ audit sinks: s3://… · stdout
Every RAG and AI-agent application now ships arbitrary text into an embedding model and the resulting vector into a managed store. The same store holds the embeddings of your most sensitive documents. There is no shared chokepoint for the controls your other data systems already have: input validation, schema enforcement, content provenance, signed records, audit evidence, per-tenant rate limits.
VectorPin Enterprise is that chokepoint. Decisions happen before the write, every event is recorded in a signed audit stream, and the same policy file governs every collection across every vector backend. The difference between logging that something happened and being able to prove what did and didn't.
The cryptographic primitive: Ed25519 signing of (text → embedding), the wire format, and reference implementations in Python, Rust, and TypeScript. Free forever.
The deployable proxy around that primitive: policy DSL, multi-tenant key management, signed audit stream, SOC 2 / HIPAA / ISO 27001 evidence exports. What your security review asks for.
Join the waitlist →The same control families your other data systems already have, applied to the vector layer for the first time.
Normalize text, enforce a payload schema, require source-document provenance, and assign IDs server-side. Bytes that don't fit the contract never reach the embedder.
Every admitted point gets an Ed25519 signature over (text, model, vector, timestamp), created before the write reaches the store. Tampering — rotation, scaling, noise, post-write swap — breaks the signature on read.
Read- and write-roles enforced at the proxy. Cedar-compatible, so the same policy language governs both your vector store and your agent runtime. Embeddings are treated as plaintext-equivalent for ACL purposes — because under inversion, they are.
Admits, rejects, key rotations, policy changes — all emitted as structured events, signed by the audit key, and exported over OpenTelemetry to your SIEM. The audit log is itself tamper-evident.
Per-tenant ingest and query QPS, with optional latency padding so per-request timing patterns flatten. Removes the bandwidth that bulk-exfiltration and timing-style probing need.
Pick the form factor that matches your infrastructure. The policy file, the signing key, and the audit stream are identical — only the deploy topology differs.
App talks to localhost. Sidecar terminates TLS from the app, enforces policy, and forwards to your managed vector store. Same security boundary as the app pod.
# values.yaml — Helm chart fragment vectorpin: mode: sidecar listen: "127.0.0.1:6333" upstream: "https://qdrant.acme.io:6333" policy: /etc/vectorpin/prod.yaml signKey: kms: aws:arn:…:key/abc
One deploy for the whole org. All apps point their vector-store client at the gateway URL. Centralized policy updates and a single audit stream feed your SIEM.
# docker-compose.yaml fragment services: vectorpin: image: ghcr.io/thirdkeyai/vectorpin:1.0 command: ["gateway", "--policy", "/cfg/prod.yaml"] ports: ["443:6333"] env: VECTORPIN_AUDIT_SINK: s3://acme-audit/vp/
An SDK middleware fallback is available for environments where neither a sidecar nor a proxy can be inserted; it isn't the default. A control plane only earns its keep when it's the only path to the store.
No vendor lock-in. Single binary, runs anywhere a container runs — your cloud, your data center, your air-gapped network. Fully integrated into Symbiont Enterprise — if you run Symbiont, there is no separate sidecar or gateway to deploy; vector-layer policy, signing, and audit are evaluated inside the same runtime. The standalone form factors above are for everyone else.
All seven enforcement layers live in a single declarative file. Reviewable in your normal PR flow. Diffable. Versioned. Validated by vectorpin policy check before it ever reaches a cluster.
# prod.yaml — VectorPin Enterprise policy policy: version: 1 collections: customer_records: id_strategy: server text: normalize: [nfkc, strip_zero_width] payload: allowed_fields: [topic, source_doc, chunk_id] max_size_kb: 16 provenance: require_source_hash: true allowed_sources: - "sha256://docs.intranet.acme.corp/**" - "sha256://confluence.acme.corp/spaces/RAG/**" embedding: sign: vectorpin-v2 key_id: prod-2026-05 access: read_role: rag_consumer write_role: ingest_pipeline ratelimit: ingest_qps: 200 query_qps: 1000 tenants: acme-corp: collections: [customer_records] keys: [prod-2026-05] audit: sinks: [s3://acme-audit/vp/, stdout] redact: [payload.text] retain: 7y
vectorpin policy check exits non-zero on schema errors, unreachable upstreams, or expired keys. Wire it into your PR pipeline.payload.text so the audit stream itself isn't a source-text exposure.The audit plane emits structured events for every policy decision and every signing operation — created before execution, not after. Events are signed with the same key tree so the audit log is itself tamper-evident. Exporters shape the stream into the evidence formats your auditor accepts. OpenTelemetry (OTLP) is the default export, so VectorPin events land in the same observability stack as the rest of your infrastructure — Grafana, Datadog, Splunk, Honeycomb, or any OTLP collector.
| Framework | Evidence emitted by VectorPin Enterprise |
|---|---|
| SOC 2 (CC6, CC7) | Per-request decision logs (admit / reject + reason), signed by the audit signing key; tenant access events; policy-file change diffs; signing-key rotation events. |
| HIPAA §164.312 | Access events scoped to PHI-classified collections; signing-key rotation events with timestamps; tenant boundary enforcement evidence per request. |
| ISO/IEC 27001 (A.8, A.12) | Asset classification labels per collection; policy-change diffs as configuration-management evidence; immutable audit-log integrity proofs. |
| NIST 800-53 (AC, AU, SI) | Ingest authorization decisions (AC), continuous audit stream with integrity verification (AU), tamper detection on the policy file itself and on stored embeddings (SI). |
| EU AI Act / Article 12 logging | Per-event provenance records (source content hash, embedding model, signing key, timestamp) suitable for high-risk-system logging obligations. |
| OpenTelemetry / OTLP | Structured spans and metrics for every admit, reject, sign, and key-rotation event. Drop into your existing observability stack alongside Symbiont and the rest of the Trust Stack. |
Adapters terminate the upstream's native API so your application code stays unchanged. Point your existing client at the VectorPin endpoint and policy enforcement is transparent.
Cross-store policy is the moat that vendors structurally can't ship: if you're running Qdrant for one workload and pgvector for another, you want one control plane, not two managed-tier configurations.
We're onboarding design partners in waves. Partners get hands-on policy review, direct adapter-priority votes, and lifetime discount on GA. No commitment from you beyond a 30-minute call.
Want to talk before then? hello@thirdkey.ai
VectorPin Enterprise stands alone, and is also one of five primitives ThirdKey AI ships for trustworthy AI infrastructure.