Skip to content

A private LLM API your security team can sign off on

Per-tenant isolation, contractual no-training commitments, and a deployment ladder that runs from shared cloud to single-tenant VPC and sovereign air-gapped environments.

What “private” actually means here

Most “private AI” claims collapse under a vendor questionnaire. Bee's are written into the contract: customer data is not used to train the Bee base model, retrieval indexes are isolated per tenant, and the Data Processing Addendum — with EU Standard Contractual Clauses for international transfers — auto-incorporates into every paid plan.

Encryption is standard practice, stated plainly: TLS 1.3 in transit, AES-256-GCM at rest under per-tenant keys, with customer-managed keys available on Hive and above.

API plans from prototype to production

  • API Free — 500K pooled tokens per month, one API key, hard-limited with no surprise overage. No card required.
  • API Build — pure pay-as-you-go, $0.50 per 1M input and $1.50 per 1M output tokens, with zero base fee.
  • API Scale — $500/month base with a routed-compute allowance, metered usage above it, and a 99.9% uptime SLA.
  • API Enterprise — contracted token rate cards, private deployment, and net-30 procurement terms.

The deployment ladder

When shared cloud is not enough, the same models move down the deployment ladder. Bee Enclave Private Cloud (from $7,500/mo) runs single-tenant in your VPC. Enclave Regulated (from $15,000/mo) adds a customer-managed key hierarchy, strict crypto policy enforcement, and immutable audit logs. Enclave Sovereign (from $50,000/mo) deploys air-gapped with customer-controlled HSMs.

You start on the public API and move down the ladder as requirements harden — the wire format and your client code stay the same.

Post-quantum posture

Bee Enclave Sovereign customer transport runs NIST-finalized post-quantum cryptography — FIPS 203 (ML-KEM) key exchange with FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) signatures — by default, with no classical-fallback handshake. Public tiers use standard TLS 1.3 today, with the PQC default following the Sovereign rollout.

For data with a long confidentiality horizon, that closes the harvest-now-decrypt-later gap at the transport layer.

Verify before you buy

Bee publishes its trust evidence: live engine status at /status, release validation records at /trust, and the full legal surface — Terms, Privacy Policy, DPA, sub-processor list — linked from every page footer. Procurement teams can request counter-signed copies.

Frequently asked questions

Is my API traffic used to train models?
No. Customer data is not used to train the Bee base model — a commitment in the Terms of Service and DPA, not a settings toggle you have to find.
Can Bee run inside our own cloud account?
Yes — Bee Enclave Private Cloud runs single-tenant in your VPC (from $7,500/mo), and Enclave Sovereign supports air-gapped deployment for the strictest environments. Both are contracted through sales.
Where is data processed, and can we pin a region?
HEOSSI (Pte.) Ltd. is headquartered in Singapore with sub-processors in the EU and US, disclosed in the DPA. Hive-plan and above customers can request region-pinned processing (EU, US, or Singapore).
How is tenant data isolated?
Retrieval indexes and document storage are per-tenant, data at rest is encrypted with AES-256-GCM under per-tenant keys, and Hive and above support customer-managed keys.
What compliance evidence is available?
The parent company holds CSA STAR Level 1, with ISO 27001 in progress and SOC 2 Type II planned for 2026. Enclave plans are contracted with SOC 2, ISO 27001, and HIPAA compliance postures, and the DPA and sub-processor list are published.

Related

Start on the free tier

Bee Cell is free — no card. Scale to paid tiers, the API, or sovereign deployment when you are ready.