Overview
Aegis Data Shield is a self-hosted PII and PHI protection layer for LLM applications. Deploy Data Shield as a single Docker container on Amazon ECS Fargate, EC2, or any Docker host in your VPC. All policies, audit logs, and compliance reports stay on infrastructure you control.
WHO IT'S FOR
Security, compliance, and platform engineering teams building LLM-powered products in regulated industries (healthcare, finance, insurance) who need to prevent sensitive data from reaching external model providers.
KEY CAPABILITIES
- Detection engine: Built-in detectors for PII (SSN, credit card, email, phone) and PHI (medical record numbers, NPI, ICD codes) plus custom regex policies.
- Input and output scanning: Scan user prompts before upstream delivery and model responses before returning to clients, including streaming responses.
- Redaction modes: Block requests containing sensitive data or redact in place with configurable placeholders.
- OpenAI-compatible API: Drop-in /v1/chat/completions endpoint; clients use Shield API keys (shield_sk_ prefix).
- Redacted audit log: Persist only redacted payloads for compliance review; never store raw secrets in audit tables.
- Compliance reports: Generate SOC2 and HIPAA-style summaries of scan activity, blocks, and redactions.
- Aegis upstream mode: Route through the Aegis AI Gateway for unified provider access, or direct mode for standalone deployments.
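The detect, redact-or-block, and redacted-audit behaviour described above, as an added reference example in Python. This is not Data Shield's own code (its detectors, placeholders and audit schema are not published on this page): the regexes, the Luhn and SSN validators used to cut false positives, the placeholder strings, the MRN "custom regex policy" format and the sample text are all constructed assumptions. It also shows the same pass applied to an OpenAI-style chat completion body, which is the shape the /v1/chat/completions endpoint accepts.

```python
# Added example, not Aegis Data Shield's own code: a reference detection-and-redaction
# pass of the kind the capabilities list describes. Patterns, placeholders, validators
# and the MRN custom-policy format are illustrative assumptions.
import re
from dataclasses import dataclass, field
from typing import Callable, Optional


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops most 13-19 digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_ok(value: str) -> bool:
    """Reject SSN-shaped strings the SSA never issues (area 000/666/9xx, group 00, serial 0000)."""
    area, group, serial = value.split("-")
    return not (area in ("000", "666") or area[0] == "9" or group == "00" or serial == "0000")


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: re.Pattern
    placeholder: str                                  # configurable per policy
    validate: Optional[Callable[[str], bool]] = None  # second-stage check to cut false positives


POLICIES = [
    Policy("ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]", ssn_ok),
    Policy("credit_card", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "[CARD]",
           lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
    Policy("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
    # A "custom regex policy" for an assumed MRN format: literal prefix MRN- plus 6-8 digits.
    Policy("mrn", re.compile(r"\bMRN-\d{6,8}\b"), "[MRN]"),
]


@dataclass
class ScanResult:
    action: str                                   # "allow", "redact" or "block"
    text: str                                     # redacted text ("" when blocked): the only text safe to persist
    findings: dict = field(default_factory=dict)  # policy name -> hit count, never the raw values


def scan(text: str, mode: str = "redact", policies=POLICIES) -> ScanResult:
    """Run every policy over text; redact hits in place or block the whole request."""
    findings: dict = {}
    out = text
    for policy in policies:
        def replace(m: re.Match, policy=policy) -> str:
            hit = m.group(0)
            if policy.validate and not policy.validate(hit):
                return hit  # shaped like PII but fails validation: leave it alone
            findings[policy.name] = findings.get(policy.name, 0) + 1
            return policy.placeholder
        # Placeholders carry no digits or '@', so later policies cannot re-match them.
        out = policy.pattern.sub(replace, out)
    if not findings:
        return ScanResult("allow", text)
    if mode == "block":
        return ScanResult("block", "", findings)
    return ScanResult("redact", out, findings)


def scan_chat_request(body: dict, mode: str = "redact") -> tuple:
    """Apply scan() to every message of an OpenAI-style chat completion body.
    Returns (action, body_to_forward_or_None, audit_record); the audit record holds
    only the action, per-policy counts and redacted text, never the original payload."""
    results = [scan(str(m.get("content", "")), mode) for m in body.get("messages", [])]
    findings: dict = {}
    for r in results:
        for name, n in r.findings.items():
            findings[name] = findings.get(name, 0) + n
    if any(r.action == "block" for r in results):
        return "block", None, {"action": "block", "findings": findings}
    messages = [{**m, "content": r.text} for m, r in zip(body["messages"], results)]
    action = "redact" if findings else "allow"
    return action, {**body, "messages": messages}, {"action": action, "findings": findings, "messages": messages}
```

Policy order matters: the SSN policy runs before the card policy so that a dash-separated SSN is never partly consumed by the broader digit-run pattern, and the validators are what keep an arbitrary 13-digit order number or a never-issued 000-xx-xxxx string from being redacted.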
DEPLOYMENT ON AWS
Data Shield is designed for AWS Marketplace container delivery:
- Single container, default port 8080
- Health checks: GET /healthz and GET /readyz for ALB target groups
- Persistent state on Amazon RDS PostgreSQL
- CloudFormation quick-start template (ECS Fargate + ALB)
- CloudWatch Logs via awslogs driver
SECURITY AND DATA RESIDENCY
Data Shield runs entirely in your environment. Emdrtc does not operate a multi-tenant compliance cloud. Outbound traffic goes only to your configured Aegis gateway or LLM provider APIs. Authentication uses bcrypt passwords, JWT sessions, and gateway API keys.
GETTING STARTED
Subscribe on AWS Marketplace, provision Amazon RDS PostgreSQL, deploy the CloudFormation template, set SHIELD_UPSTREAM_MODE=aegis and SHIELD_AEGIS_URL to your gateway, create a Shield API key in the admin UI, and point applications at the Shield endpoint.
FROM EMDRTC
Aegis Data Shield complements the Aegis AI Gateway and Aegis SpendOps - protect, route, and optimize LLM workloads in your VPC.
Highlights
- Self-hosted PII and PHI detection for LLM traffic - block or redact SSN, credit cards, medical identifiers, and custom patterns before data reaches external model providers.
- OpenAI-compatible gateway with redacted audit logs and SOC2/HIPAA-style compliance reports - all data stays in your VPC on Amazon RDS PostgreSQL.
- Deploy on Amazon ECS Fargate in minutes with CloudFormation templates; native Aegis AI Gateway upstream mode for unified provider routing.
Details
Pricing
| Dimension | Description | Cost/month |
|---|---|---|
| Aegis Data Shield Starter | Self-hosted PII redaction for small teams. Built-in detectors, redacted audit, 1 upstream gateway, email support. | $200.00 |
| Aegis Data Shield Professional | Compliance layer for growing teams. PHI detectors, custom regex policies, compliance reports, streaming scan, 48-hour support. | $500.00 |
| Aegis Data Shield Business | Enterprise LLM data protection. Unlimited policies, priority support, production deployment guidance, audit export. | $800.00 |
Vendor refund policy
Emdrtc offers a 30-day money-back guarantee on first-time Aegis Data Shield subscriptions purchased through AWS Marketplace. Refund requests must be submitted within 30 days of the initial purchase date. Refunds are not available for renewals or private offers already discounted. Email support@emdrtc.com with your AWS account ID, subscription ID, purchase date, and reason. We respond within 5 business days.
Delivery details
ECS Fargate Quick Start
- Amazon ECS
- Amazon EKS
Container image
Containers are lightweight, portable execution environments that wrap server application software in a filesystem that includes everything it needs to run. Container applications run on supported container runtimes and orchestration services, such as Amazon Elastic Container Service (Amazon ECS) or Amazon Elastic Kubernetes Service (Amazon EKS). Both eliminate the need for you to install and operate your own container orchestration software by managing and scheduling containers on a scalable cluster of virtual machines.
Version release notes
Initial public release of Aegis Data Shield on AWS Marketplace.
NEW IN 1.0.0
- PII detection: SSN, credit card, email, phone, and more
- PHI detection: medical record numbers, NPI, ICD codes
- Custom regex detection policies
- Input and output scanning including streaming responses
- Block or redact modes with configurable placeholders
- OpenAI-compatible /v1/chat/completions gateway API
- Redacted audit log (never stores raw sensitive payloads)
- SOC2 and HIPAA-style compliance reports
- Aegis upstream mode (SHIELD_UPSTREAM_MODE=aegis) or direct provider mode
- Admin web UI for policies, API keys, audit, and reports
- Single-container deployment on Amazon ECS Fargate, ECS, EC2, or Docker
- Health endpoints: GET /healthz and GET /readyz
- Amazon RDS PostgreSQL (buyer-provisioned)
- Included CloudFormation quick-start (ECS Fargate, ALB, CloudWatch Logs)
DEPLOYMENT
Subscribe, provision RDS, deploy CloudFormation template, set SHIELD_AEGIS_URL to your Aegis gateway, create a Shield API key, and point applications at the Shield endpoint.
UPGRADE PATH
Future versions use the same RDS database. SHIELD_MIGRATE_ON_START=true (default) runs schema migrations automatically.
Additional details
Usage instructions
Aegis Data Shield: PII/PHI scan and redact for LLM APIs. OpenAI-compatible /v1/chat/completions on port 8080. RDS PostgreSQL required. Docs: https://www.emdrtc.com/docs#data-shield Billing: AWS Marketplace only.
PREREQUISITES
- Active Marketplace subscription.
- AWS CLI v2; ECS Fargate or Docker.
- RDS PostgreSQL 16+; Aegis Gateway recommended in same VPC.
- VPC: public ALB subnets, private task subnets.
- SG: ALB 443; ALB to task 8080; task to RDS 5432; task to Aegis 8080.
IMAGE: 709825985650.dkr.ecr.us-east-1.amazonaws.com/emdrtc/shield:1.0.0
CFN: https://www.emdrtc.com/templates/data-shield-fargate.yaml
COMPOSE: https://www.emdrtc.com/templates/data-shield-docker-compose.yml
STEP 1 PULL
export AWS_REGION=us-east-1 IMAGE_URI=709825985650.dkr.ecr.us-east-1.amazonaws.com/emdrtc/shield:1.0.0
aws ecr get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin $(echo $IMAGE_URI | cut -d/ -f1)
docker pull $IMAGE_URI
STEP 2A DOCKER
curl -O https://www.emdrtc.com/templates/data-shield-docker-compose.yml
Edit the compose file and set SHIELD_AEGIS_URL to your Aegis gateway base URL, then start it:
docker compose -f data-shield-docker-compose.yml up -d
STEP 2B FARGATE
CloudFormation: create a stack from data-shield-fargate.yaml. Parameters: ImageURI, DatabaseURL, AdminEmail, AdminPassword, JWTSecret, UpstreamMode=aegis, AegisURL, VpcId, subnets. Open the LoadBalancerDNS output. ALB health check: GET /readyz on port 8080. Logs: /ecs/aegis-data-shield.
STEP 3 VERIFY
HOST=http://ALB_DNS
curl -s $HOST/readyz
curl -s -o /dev/null -w "%{http_code}" $HOST/healthz
aws logs tail /ecs/aegis-data-shield --follow
STEP 4 API KEY
JWT=$(curl -s -X POST $HOST/api/v1/auth/login -H "Content-Type: application/json" -d '{"email":"admin@example.com","password":"PASS"}' | jq -r .token)
KEY=$(curl -s -X POST $HOST/api/v1/keys -H "Authorization: Bearer $JWT" -H "Content-Type: application/json" -d '{"name":"prod"}' | jq -r .key)
Save the shield_sk_ key somewhere secret (for example a secrets manager); applications present it as the Bearer token to Shield.
STEP 5 PROXY TEST
curl -s $HOST/v1/chat/completions \
  -H "Authorization: Bearer $KEY" \
  -H "x-provider: openai" \
  -H "x-model: gpt-4o-mini" \
  -H "Content-Type: application/json" \
  -d '{"messages":[{"role":"user","content":"SSN 123-45-6789"}]}'
Expect the SSN to be redacted or the request to be blocked, depending on the active policy mode. The audit log stores the redacted payload only.
STEP 6 POLICIES
Policies and reports (JWT auth): GET /api/v1/policies, GET /api/v1/compliance/soc2, GET /api/v1/compliance/hipaa. Point apps at $HOST/v1/chat/completions with the shield_sk_ key. Topology: App -> Shield -> Aegis -> provider.
STEP 7 MONITOR
CloudWatch: ECS RunningTaskCount, CPU, Memory; ALB UnHealthyHostCount, 5xx. GET /api/v1/overview for scans_today. Probe /readyz every 60s. Upgrade: point the task definition at the new image tag, force a new deployment, keep the same RDS database.
ENV: DATABASE_URL and SHIELD_JWT_SECRET are required. Aegis mode: SHIELD_UPSTREAM_MODE=aegis and SHIELD_AEGIS_URL. Direct mode: SHIELD_OPENAI_API_KEY.
API: /healthz /readyz /v1/chat/completions /api/v1/redact /api/v1/auth/login /api/v1/audit /api/v1/compliance/soc2
TROUBLESHOOTING
ECR access denied: confirm the Marketplace subscription is active and re-run the ECR login. /readyz returns 503: check DATABASE_URL and that the task can reach RDS on 5432. Upstream failure: check SHIELD_AEGIS_URL and the Aegis gateway's own health.
SUPPORT: support@emdrtc.com | DOCS: https://www.emdrtc.com/docs#data-shield
Support
Vendor support
Emdrtc provides email support for Aegis Data Shield subscribers.
Support email: support@emdrtc.com
Documentation: https://emdrtc.com/docs
Privacy policy: https://emdrtc.com/privacy
Support scope:
- Deployment assistance (ECS, ALB, RDS, CloudFormation)
- Aegis gateway upstream configuration
- Detection policy and custom regex setup
- Compliance report generation
- Upgrade and troubleshooting (/healthz, /readyz)
Response times:
- Professional and Business tiers: email within 2 business days
- Business tier critical outages: best-effort within 24 hours
Not included:
- Legal compliance certification or attestation
- Aegis AI Gateway or SpendOps support (separate listings)
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.