Your VPC. Your Data. No Exceptions.

Camphor runs entirely inside your AWS account. No traffic leaves your network, no telemetry phones home, no third-party agents on your instances.

🏗 Architectural Trust Guarantees

Every security property is enforced by AWS infrastructure you already own -- not by trusting Camphor.

🏠 Runs in Your VPC

The gateway is an EC2 instance running inside your AWS account and VPC. All traffic flows through your network. Camphor has zero infrastructure in the data path. Your packets never touch a Camphor-operated server.

🔓 No Callbacks Home

Zero telemetry. No usage data, diagnostics, or analytics are sent to Camphor. License validation is offline -- enforced by the AMI itself, not by a licensing server. No outbound connections are required beyond your normal internet traffic.

💾 Config in Your SSM

All gateway configuration is stored in AWS Systems Manager Parameter Store in your account under the /camphor/ path. You own it, you control it, you can read and modify it with the standard AWS CLI at any time. Camphor has no access to your SSM.

📊 Logs in Your CloudWatch

All metrics, firewall alerts, API audit logs, and NAT flow logs are written to CloudWatch in your account. Camphor cannot access your CloudWatch data. You retain, export, or delete logs under your own retention policies.

🔐 Least-Privilege Instance Profile

The gateway EC2 instance uses an IAM role scoped to its specific stack resources by tag and ARN. No wildcard resource permissions.

The CloudFormation stack creates a purpose-built IAM instance profile during deployment. Every permission is tightly scoped: EC2 actions are gated by resource tag matching your stack name, Route53 actions are gated by the hosted zone ARN, and SSM access is restricted to the /camphor/ parameter path.

Cross-account transit access -- when enabled -- uses a separate IAM role with a trust policy explicitly listing the hub account ID. No implicit trust, no wildcards.

Fully auditable: The complete IAM policy ships verbatim inside the open CloudFormation template. Review every statement with cfn-lint, AWS IAM Access Analyzer, or your own tooling before you deploy. No hidden policies applied post-deployment.
  • EC2 describe + modify network interfaces and Elastic IPs -- scoped to resources tagged with your stack name
  • Route53 ChangeResourceRecordSets -- scoped to your hosted zone ARN only
  • SSM GetParameter / PutParameter -- scoped to /camphor/* path prefix
  • CloudWatch PutMetricData -- no resource restriction (required by AWS)
  • EC2 DescribeInstances, DescribeRegions -- read-only fleet awareness
  • ACM ExportCertificate -- scoped to the stack certificate ARN
  • STS AssumeRole for cross-account transit -- scoped to explicitly listed spoke role ARNs (optional, Enterprise tier)
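The "your own tooling" review the page invites can be a few lines of Python over the policy document pulled from the template. The block below is an added example, not Camphor's CloudFormation template: the policy is a constructed approximation of the permissions listed above (the optional cross-account AssumeRole statement is left out), and the stack name, account ID, hosted zone ID and certificate ID are placeholders. It assumes the tag gate uses the aws:cloudformation:stack-name tag that CloudFormation applies to stack resources. The reviewer flags wildcard actions and any Resource "*" that is neither tag-conditioned nor limited to actions AWS offers no resource-level permissions for; a deliberately weakened statement is included for comparison.

```python
"""Review an instance-profile policy for wildcard scope.

Added example; the policy is a constructed approximation of the permissions
the page lists, not Camphor's template. Stack name, account ID, hosted zone
ID and certificate ID are placeholders.
"""
import json
from typing import List

STACK_NAME = "camphor-gw"        # assumed stack name
ACCOUNT = "123456789012"         # placeholder account ID
REGION = "us-east-1"             # assumed region
ZONE_ID = "Z0123456789EXAMPLE"   # placeholder hosted zone ID
CERT_ARN = f"arn:aws:acm:{REGION}:{ACCOUNT}:certificate/PLACEHOLDER-CERT-ID"

# Actions AWS offers no resource-level permissions for: Resource "*" is the
# only valid form, so they are exempt from the wildcard check. Keep this
# allowlist short and justify every entry.
NO_RESOURCE_LEVEL = {
    "cloudwatch:PutMetricData",
    "ec2:DescribeInstances",
    "ec2:DescribeRegions",
    "ec2:DescribeNetworkInterfaces",
}

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # ENI / EIP changes, gated on the stack tag CloudFormation applies
            "Sid": "NetworkPlumbing", "Effect": "Allow",
            "Action": ["ec2:ModifyNetworkInterfaceAttribute",
                       "ec2:AssociateAddress", "ec2:DisassociateAddress"],
            "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:network-interface/*",
                         f"arn:aws:ec2:{REGION}:{ACCOUNT}:elastic-ip/*",
                         f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*"],
            "Condition": {"StringEquals": {
                "aws:ResourceTag/aws:cloudformation:stack-name": STACK_NAME}},
        },
        {"Sid": "Dns", "Effect": "Allow",
         "Action": "route53:ChangeResourceRecordSets",
         "Resource": f"arn:aws:route53:::hostedzone/{ZONE_ID}"},
        {"Sid": "Config", "Effect": "Allow",
         "Action": ["ssm:GetParameter", "ssm:PutParameter"],
         "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:parameter/camphor/*"},
        {"Sid": "Metrics", "Effect": "Allow",
         "Action": "cloudwatch:PutMetricData", "Resource": "*"},
        {"Sid": "ReadOnlyFleet", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions",
                    "ec2:DescribeNetworkInterfaces"],
         "Resource": "*"},
        {"Sid": "Cert", "Effect": "Allow",
         "Action": "acm:ExportCertificate", "Resource": CERT_ARN},
    ],
}

# A weakened variant of the Config statement, for comparison.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ConfigTooBroad", "Effect": "Allow",
     "Action": "ssm:*", "Resource": "*"}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def review(policy: dict) -> List[str]:
    """Return one finding per wildcard action or unscoped wildcard resource."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        condition = json.dumps(st.get("Condition", {}))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action}")
        if "*" in resources:
            needs_scope = [a for a in actions if a not in NO_RESOURCE_LEVEL]
            # A tag condition is an acceptable scope for Resource "*".
            if needs_scope and "aws:ResourceTag/" not in condition:
                findings.append(
                    f"{sid}: Resource * with no tag condition for {needs_scope}")
    return findings


if __name__ == "__main__":
    print("scoped policy:", review(POLICY) or "no findings")
    print("weak policy:  ", review(WEAK_POLICY))
```

Run it against the policy extracted from the actual template (for example the JSON of the instance role's inline policy) rather than the constructed one; the NO_RESOURCE_LEVEL allowlist is the place where every "*" has to be argued for.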

👁 Every Action is Logged

Three independent audit streams, all written to CloudWatch in your account, all accessible via standard AWS tooling.

📄 API Audit Log

Every REST API call to the gateway management API is logged with timestamp, source IP, HTTP method, endpoint, authenticated user, and response code. Logs are written as structured JSON to CloudWatch Logs.

{
  "time": "2026-06-06T14:22:01Z",
  "user": "admin",
  "src": "10.0.1.42",
  "method": "PUT",
  "path": "/api/firewall/rules",
  "status": 200
}

🔥 Firewall Events

Suricata IDS/IPS alerts and nftables rule hits are written in EVE JSON format and forwarded to CloudWatch. Each event includes rule ID, category, source/destination, protocol, and action taken (alert vs. drop).

{
  "event_type": "alert",
  "src_ip": "203.0.113.5",
  "dest_port": 22,
  "signature": "SSH brute force",
  "action": "blocked"
}

🤖 AI Proxy Log

Every LLM API call proxied through the gateway is logged with model name, token count, estimated cost, source IP, and latency. Prompt content is never logged. All entries go to CloudWatch in your account.

{
  "model": "gpt-4o",
  "src": "10.0.2.17",
  "tokens_in": 512,
  "tokens_out": 1024,
  "est_cost_usd": 0.0092,
  "cache_hit": false
}
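Because all three streams are one JSON object per line, the first detections a defender wants (configuration changes from outside the VPC, repeat-offender blocked sources, LLM spend per source) fit in a short script that can run from a scheduled job or a CloudWatch subscription. The block below is an added example, not Camphor code: the records are constructed samples in the field layout shown above (the first record of each stream is the page's own), and the VPC CIDR, block threshold and spend budget are assumed values.

```python
"""Detections over the three CloudWatch audit streams.

Added example, not Camphor code. The records are constructed samples in the
field layout the page shows; the VPC CIDR, thresholds and budget are assumed.
"""
import ipaddress
import json
from collections import Counter, defaultdict
from typing import Dict, List

ADMIN_CIDRS = [ipaddress.ip_network("10.0.0.0/16")]  # assumed VPC CIDR
BLOCK_THRESHOLD = 3       # blocked events per source before it is reported
COST_BUDGET_USD = 0.05    # assumed per-source spend ceiling for the window

SAMPLE = {  # constructed log lines, one JSON object per line as in CloudWatch
    "api": [
        '{"time": "2026-06-06T14:22:01Z", "user": "admin", "src": "10.0.1.42", "method": "PUT", "path": "/api/firewall/rules", "status": 200}',
        '{"time": "2026-06-06T14:23:10Z", "user": "admin", "src": "198.51.100.7", "method": "DELETE", "path": "/api/firewall/rules/12", "status": 200}',
        '{"time": "2026-06-06T14:23:40Z", "user": "admin", "src": "198.51.100.7", "method": "GET", "path": "/api/status", "status": 401}',
    ],
    "firewall": [
        '{"event_type": "alert", "src_ip": "203.0.113.5", "dest_port": 22, "signature": "SSH brute force", "action": "blocked"}',
        '{"event_type": "alert", "src_ip": "203.0.113.5", "dest_port": 22, "signature": "SSH brute force", "action": "blocked"}',
        '{"event_type": "alert", "src_ip": "203.0.113.5", "dest_port": 22, "signature": "SSH brute force", "action": "blocked"}',
        '{"event_type": "alert", "src_ip": "203.0.113.5", "dest_port": 443, "signature": "TLS scan", "action": "alert"}',
        '{"event_type": "alert", "src_ip": "203.0.113.9", "dest_port": 22, "signature": "SSH brute force", "action": "blocked"}',
    ],
    "ai": [
        '{"model": "gpt-4o", "src": "10.0.2.17", "tokens_in": 512, "tokens_out": 1024, "est_cost_usd": 0.0092, "cache_hit": false}',
        '{"model": "gpt-4o", "src": "10.0.2.17", "tokens_in": 4096, "tokens_out": 2048, "est_cost_usd": 0.045, "cache_hit": false}',
        '{"model": "gpt-4o", "src": "10.0.2.30", "tokens_in": 200, "tokens_out": 100, "est_cost_usd": 0.0031, "cache_hit": true}',
    ],
}


def parse(lines: List[str]) -> List[dict]:
    return [json.loads(line) for line in lines]


def config_changes_from_outside(api: List[dict]) -> List[str]:
    """State-changing management calls whose source is not in an admin CIDR."""
    out = []
    for r in api:
        src = ipaddress.ip_address(r["src"])
        if r["method"] in ("PUT", "POST", "DELETE") and not any(src in n for n in ADMIN_CIDRS):
            out.append(f"{r['time']} {r['user']}@{r['src']} {r['method']} {r['path']} -> {r['status']}")
    return out


def auth_failures_by_source(api: List[dict]) -> Dict[str, int]:
    """Count 401/403 responses per source; a rising count is a credential probe."""
    return dict(Counter(r["src"] for r in api if r["status"] in (401, 403)))


def noisy_blocked_sources(fw: List[dict]) -> Dict[str, int]:
    """Sources with at least BLOCK_THRESHOLD dropped events (alert-only excluded)."""
    blocked = Counter(r["src_ip"] for r in fw if r["action"] == "blocked")
    return {ip: n for ip, n in blocked.items() if n >= BLOCK_THRESHOLD}


def spend_by_source(ai: List[dict]) -> Dict[str, float]:
    spend = defaultdict(float)
    for r in ai:
        spend[r["src"]] += r["est_cost_usd"]
    return {ip: round(v, 4) for ip, v in spend.items()}


def over_budget(ai: List[dict]) -> List[str]:
    return sorted(ip for ip, v in spend_by_source(ai).items() if v > COST_BUDGET_USD)


def run(streams=SAMPLE) -> dict:
    api, fw, ai = (parse(streams[k]) for k in ("api", "firewall", "ai"))
    return {
        "external_config_changes": config_changes_from_outside(api),
        "auth_failures": auth_failures_by_source(api),
        "noisy_blocked_sources": noisy_blocked_sources(fw),
        "ai_over_budget": over_budget(ai),
    }


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

The same functions apply unchanged to lines fetched from the three log groups; only the input lists change. Note that the AI proxy detection works on cost and source alone, since prompt content is not in the stream.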

🔗 Built on Auditable Open Source

The data-plane components are kernel-level open source that you can inspect, build, and audit independently. No proprietary packet inspection, no black-box agents.

nftables, IPVS, Suricata, HAProxy, Squid, WireGuard, Terraform, Kubernetes, Calico CNI

Packet processing happens entirely in Linux kernel space via nftables and IPVS -- no userspace packet copies, no proprietary kernel modules. The gateway binary orchestrates configuration; it never intercepts or copies packet payloads in user space.

🔒 Keys Never Leave Your Instance

TLS private keys are generated and stored entirely within your EC2 instance. No key escrow, no cloud-side storage.

1. ACM Private CA issues the certificate

Your ACM Private CA (created by the CloudFormation stack in your account) signs the gateway certificate. The CA private key never leaves ACM.

2. ExportCertificate to instance disk only

The gateway calls acm:ExportCertificate at boot and writes the certificate and private key to local disk. The API call happens instance-to-AWS -- the key never transits Camphor infrastructure.

3. HAProxy reads the key locally for TLS termination

HAProxy is configured to read the certificate file from disk with 0600 permissions, accessible only to root. TLS is terminated locally on the instance for dashboard and API traffic.
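Steps 2 and 3 rest on two file-handling properties: the exported material must land on disk already at 0600 (with no interval in which a wider default mode applies, and without silently overwriting a pre-existing file or symlink), and the key path should stay a root-owned private regular file afterwards. The block below is an added example, not Camphor's gateway code; the file path is assumed (the page does not name it) and the PEM content in demo() is constructed.

```python
"""Handle the exported certificate and key on the instance.

Added example, not Camphor's gateway code. KEY_PATH is assumed; the page
does not name the file. The PEM content in demo() is constructed.
"""
import os
import stat
import tempfile
from typing import List, Tuple

KEY_PATH = "/etc/haproxy/gateway.pem"   # assumed location of cert + key


def write_private_file(path: str, data: bytes) -> None:
    """Create `path` with mode 0600 before any byte is written.

    O_EXCL makes creation fail if something already exists there (including
    a planted symlink), and the mode is applied at creation, so there is no
    interval in which a wider default mode is in effect. umask can only
    remove bits from 0600, never add them.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def check_private_file(path: str, expected_uid: int = 0) -> List[str]:
    """Return problems with a key file; an empty list means it is acceptable."""
    problems = []
    st = os.lstat(path)                      # lstat: do not follow symlinks
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:04o} grants group/other access")
    if st.st_uid != expected_uid:
        problems.append(f"owner uid {st.st_uid}, expected {expected_uid}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Write a constructed PEM into a temp dir, check it, then loosen it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "gateway.pem")
        write_private_file(
            path, b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n")
        before = check_private_file(path, expected_uid=os.getuid())
        os.chmod(path, 0o644)                # simulate a careless chmod
        after = check_private_file(path, expected_uid=os.getuid())
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh file:", before or "ok")
    print("after chmod 644:", after)
    # On the gateway itself: check_private_file(KEY_PATH), expecting uid 0.
```

check_private_file is the kind of assertion worth wiring into an instance health check, since a configuration-management run or a manual chmod is the usual way a 0600 key file drifts wider.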

The private key is never:

  • Uploaded to Camphor infrastructure or any third-party service
  • Stored in S3, Secrets Manager, or any shared storage
  • Put in SSM Parameter Store or accessible via the API
  • Transmitted in CloudWatch logs or metrics
  • Readable by any IAM principal outside your instance role

Ready to Deploy?

Schedule a call to walk through the architecture, or go straight to pricing. No sign-up required to start.