A private LLM API your security team can sign off on
Per-tenant isolation, contractual no-training commitments, and a deployment ladder that runs from shared cloud to single-tenant VPC and sovereign air-gapped environments.
What “private” actually means here
Most “private AI” claims collapse under a vendor questionnaire. Bee's are written into the contract: customer data is not used to train the Bee base model, retrieval indexes are isolated per tenant, and the Data Processing Addendum — with EU Standard Contractual Clauses for international transfers — auto-incorporates into every paid plan.
Encryption is standard practice, stated plainly: TLS 1.3 in transit, AES-256-GCM at rest under per-tenant keys, with customer-managed keys available on Hive and above.
API plans from prototype to production
- →API Free — 500K pooled tokens per month, one API key, hard-limited with no surprise overage. No card required.
- →API Build — pure pay-as-you-go, $0.50 per 1M input and $1.50 per 1M output tokens, with zero base fee.
- →API Scale — $500/month base with a routed-compute allowance, metered usage above it, and a 99.9% uptime SLA.
- →API Enterprise — contracted token rate cards, private deployment, and net-30 procurement terms.
The deployment ladder
When shared cloud is not enough, the same models move down the deployment ladder. Bee Enclave Private Cloud (from $7,500/mo) runs single-tenant in your VPC. Enclave Regulated (from $15,000/mo) adds a customer-managed key hierarchy, strict crypto policy enforcement, and immutable audit logs. Enclave Sovereign (from $50,000/mo) deploys air-gapped with customer-controlled HSMs.
You start on the public API and move down the ladder as requirements harden — the wire format and your client code stay the same.
Post-quantum posture
Bee Enclave Sovereign customer transport runs NIST-finalized post-quantum cryptography — FIPS 203 (ML-KEM) key exchange with FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) signatures — by default, with no classical-fallback handshake. Public tiers use standard TLS 1.3 today, with the PQC default following the Sovereign rollout.
For data with a long confidentiality horizon, that closes the harvest-now-decrypt-later gap at the transport layer.
Verify before you buy
Bee publishes its trust evidence: live engine status at /status, release validation records at /trust, and the full legal surface — Terms, Privacy Policy, DPA, sub-processor list — linked from every page footer. Procurement teams can request counter-signed copies.
Frequently asked questions
- Is my API traffic used to train models?
- No. Customer data is not used to train the Bee base model — a commitment in the Terms of Service and DPA, not a settings toggle you have to find.
- Can Bee run inside our own cloud account?
- Yes — Bee Enclave Private Cloud runs single-tenant in your VPC (from $7,500/mo), and Enclave Sovereign supports air-gapped deployment for the strictest environments. Both are contracted through sales.
- Where is data processed, and can we pin a region?
- HEOSSI (Pte.) Ltd. is headquartered in Singapore with sub-processors in the EU and US, disclosed in the DPA. Hive-plan and above customers can request region-pinned processing (EU, US, or Singapore).
- How is tenant data isolated?
- Retrieval indexes and document storage are per-tenant, data at rest is encrypted with AES-256-GCM under per-tenant keys, and Hive and above support customer-managed keys.
- What compliance evidence is available?
- The parent company holds CSA STAR Level 1, with ISO 27001 in progress and SOC 2 Type II planned for 2026. Enclave plans are contracted with SOC 2, ISO 27001, and HIPAA compliance postures, and the DPA and sub-processor list are published.
Related
Start on the free tier
Bee Cell is free — no card. Scale to paid tiers, the API, or sovereign deployment when you are ready.