|
| 1 | +--- |
| 2 | +slug: enterprise |
| 3 | +title: 'Build with Sim for Enterprise' |
| 4 | +description: 'Access control, BYOK, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, and flexible data retention—enterprise features for teams with strict security and compliance requirements.' |
| 5 | +date: 2026-01-23 |
| 6 | +updated: 2026-01-23 |
| 7 | +authors: |
| 8 | + - vik |
| 9 | +readingTime: 7 |
| 10 | +tags: [Enterprise, Security, Self-Hosted, SSO, SAML, Compliance, BYOK, Access Control, Copilot, Whitelabel] |
| 11 | +ogImage: /studio/enterprise/cover.png |
| 12 | +ogAlt: 'Sim Enterprise features overview' |
| 13 | +about: ['Enterprise Software', 'Security', 'Compliance', 'Self-Hosting'] |
| 14 | +timeRequired: PT7M |
| 15 | +canonical: https://sim.ai/studio/enterprise |
| 16 | +featured: false |
| 17 | +draft: false |
| 18 | +--- |
| 19 | + |
| 20 | +We've been working with security teams at larger organizations to bring Sim into environments with strict compliance and data handling requirements. This post covers the enterprise capabilities we've built: granular access control, bring-your-own-keys, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, and compliance. |
| 21 | + |
| 22 | +## Access Control |
| 23 | + |
| 24 | + |
| 25 | + |
| 26 | +Permission groups let administrators control what features and integrations are available to different teams within an organization. This isn't just UI filtering—restrictions are enforced at the execution layer. |
| 27 | + |
| 28 | +### Model Provider Restrictions |
| 29 | + |
| 30 | +Allowlist specific providers while blocking others. Users in a restricted group see only approved providers in the model selector. A workflow that tries to use an unapproved provider won't execute. |
| 31 | + |
| 32 | +This is useful when you've approved certain providers for production use, negotiated enterprise agreements with specific vendors, or need to comply with data residency requirements that only certain providers meet. |
| 33 | + |
| 34 | +### Integration Controls |
| 35 | + |
| 36 | +Restrict which workflow blocks appear in the editor. Disable the HTTP block to prevent arbitrary external API calls. Block access to integrations that haven't completed your security review. |
| 37 | + |
| 38 | +### Platform Feature Toggles |
| 39 | + |
| 40 | +Control access to platform capabilities per permission group: |
| 41 | + |
| 42 | +- **Knowledge Base** — Disable document uploads if RAG workflows aren't approved |
| 43 | +- **MCP Tools** — Block deployment of workflows as external tool endpoints |
| 44 | +- **Custom Tools** — Prevent creation of arbitrary HTTP integrations |
| 45 | +- **Invitations** — Disable self-service team invitations to maintain centralized control |
| 46 | + |
| 47 | +Users not assigned to any permission group have full access, so restrictions are opt-in per team rather than requiring you to grant permissions to everyone. |
| 48 | + |
| 49 | +--- |
| 50 | + |
| 51 | +## Bring Your Own Keys |
| 52 | + |
| 53 | + |
| 54 | + |
| 55 | +When you configure your own API keys for model providers—OpenAI, Anthropic, Google, Azure OpenAI, AWS Bedrock, or any supported provider—your prompts and completions route directly between Sim and that provider. The traffic doesn't pass through our infrastructure. |
| 56 | + |
| 57 | +This matters because LLM requests contain the context you've assembled: customer data, internal documents, proprietary business logic. With your own keys, you maintain a direct relationship with your model provider. Their data handling policies and compliance certifications apply to your usage without an intermediary. |
| 58 | + |
| 59 | +BYOK is available to everyone, not just enterprise plans. Connect your credentials in workspace settings, and all model calls use your keys. For self-hosted deployments, this is the default—there are no Sim-managed keys involved. |
| 60 | + |
| 61 | +A healthcare organization can use Azure OpenAI with their BAA-covered subscription. A financial services firm can route through their approved API gateway with additional logging controls. The workflow builder stays the same; only the underlying data flow changes. |
| 62 | + |
| 63 | +--- |
| 64 | + |
| 65 | +## Self-Hosted Deployments |
| 66 | + |
| 67 | + |
| 68 | + |
| 69 | +Run Sim entirely on your infrastructure. Deploy with Docker Compose or Helm charts for Kubernetes—the application, WebSocket server, and PostgreSQL database all stay within your network. |
| 70 | + |
| 71 | +**Single-node** — Docker Compose setup for smaller teams getting started. |
| 72 | + |
| 73 | +**High availability** — Multi-replica Kubernetes deployments with horizontal pod autoscaling. |
| 74 | + |
| 75 | +**Air-gapped** — No external network access required. Pair with Ollama or vLLM for local model inference. |
| 76 | + |
| 77 | +Enterprise features like access control, SSO, and organization management are enabled through environment variables—no connection to our billing infrastructure required. |
| 78 | + |
| 79 | +--- |
| 80 | + |
| 81 | +## On-Prem Copilot |
| 82 | + |
| 83 | + |
| 84 | + |
| 85 | +Copilot—our context-aware AI assistant for building and debugging workflows—can run entirely within your self-hosted deployment using your own LLM keys. |
| 86 | + |
| 87 | +When you configure Copilot with your API credentials, all assistant interactions route directly to your chosen provider. The prompts Copilot generates—which include context from your workflows, execution logs, and workspace configuration—never leave your network. You get the same capabilities as the hosted version: natural language workflow generation, error diagnosis, documentation lookup, and iterative editing through diffs. |
| 88 | + |
| 89 | +This is particularly relevant for organizations where the context Copilot needs to be helpful is also the context that can't leave the building. Your workflow definitions, block configurations, and execution traces stay within your infrastructure even when you're asking Copilot for help debugging a failure or generating a new integration. |
| 90 | + |
| 91 | +--- |
| 92 | + |
| 93 | +## SSO & SAML |
| 94 | + |
| 95 | + |
| 96 | + |
| 97 | +Integrate with your existing identity provider through SAML 2.0 or OIDC. We support Okta, Azure AD (Entra ID), Google Workspace, OneLogin, and any compliant identity provider. |
| 98 | + |
| 99 | +Once enabled, users authenticate through your IdP instead of Sim credentials. Your MFA policies apply automatically. Session management ties to your IdP—logout there terminates Sim sessions. Account deprovisioning immediately revokes access. |
| 100 | + |
| 101 | +New users are provisioned on first SSO login based on IdP attributes. No invitation emails, no password setup, no manual account creation required. |
| 102 | + |
| 103 | +This centralizes your authentication and audit trail. Your security team's policies apply to Sim access through the same system that tracks everything else. |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +## Whitelabeling |
| 108 | + |
| 109 | +Customize Sim's appearance to match your brand. For self-hosted deployments, whitelabeling is configured through environment variables—no code changes required. |
| 110 | + |
| 111 | +**Brand name & logo** — Replace "Sim" with your company name and logo throughout the interface. |
| 112 | + |
| 113 | +**Theme colors** — Set primary, accent, and background colors to align with your brand palette. |
| 114 | + |
| 115 | +**Support & documentation links** — Point help links to your internal documentation and support channels instead of ours. |
| 116 | + |
| 117 | +**Legal pages** — Redirect terms of service and privacy policy links to your own policies. |
| 118 | + |
| 119 | +This is useful for internal platforms, customer-facing deployments, or any scenario where you want Sim to feel like a native part of your product rather than a third-party tool. |
| 120 | + |
| 121 | +--- |
| 122 | + |
| 123 | +## Compliance & Data Retention |
| 124 | + |
| 125 | + |
| 126 | + |
| 127 | +Sim maintains **SOC 2 Type II** certification with annual audits covering security, availability, and confidentiality controls. We share our SOC 2 report directly with prospective customers under NDA. |
| 128 | + |
| 129 | +**GDPR** — Data Processing Agreements available for organizations handling EU personal data. |
| 130 | + |
| 131 | +**HIPAA** — Business Associate Agreements available for healthcare organizations. Requires self-hosted deployment or dedicated infrastructure. |
| 132 | + |
| 133 | +**Data Retention** — Configure how long workflow execution traces, inputs, and outputs are stored before automatic deletion. We work with enterprise customers to set retention policies that match their compliance requirements. |
| 134 | + |
| 135 | +We provide penetration test reports, architecture documentation, and completed security questionnaires (SIG, CAIQ, and custom formats) for your vendor review process. |
| 136 | + |
| 137 | +--- |
| 138 | + |
| 139 | +## Get Started |
| 140 | + |
| 141 | +Enterprise features are available now. Check out our [self-hosting](https://docs.sim.ai/self-hosting) and [enterprise](https://docs.sim.ai/enterprise) docs to get started. |
| 142 | + |
| 143 | +*Questions about enterprise deployments? [help@sim.ai](mailto:help@sim.ai)* |
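Review bot: the access-control default in line 47 ("Users not assigned to any permission group have full access") combines badly with the SSO provisioning behaviour in line 101 ("New users are provisioned on first SSO login"): as written, any account that exists in the IdP and signs in for the first time lands outside every permission group and so gets unrestricted access to HTTP blocks, Custom Tools and MCP deployment until an administrator assigns it. The post should say how a deployment closes that gap, for example whether a group can be designated as the default for JIT-provisioned users or whether IdP attributes can map to a group at provisioning time; if neither exists, say so plainly so security teams can plan for it. Two smaller clarifications in the same hunk: line 55 states that BYOK traffic "doesn't pass through our infrastructure", but on the hosted product the prompt is assembled and sent by Sim's application servers, and line 133 confirms that execution traces, inputs and outputs are retained, so the accurate statement is that the request is not proxied through a Sim-managed model gateway while the inputs and outputs may still be stored under the retention policy; and line 99 claims IdP logout terminates Sim sessions and deprovisioning revokes access "immediately", which in SAML/OIDC terms requires single logout or back-channel logout and a SCIM (or equivalent) deprovisioning hook, so name the mechanism or soften the wording to the session-lifetime guarantee that is actually made.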