|
| 1 | +--- |
| 2 | +slug: enterprise |
| 3 | +title: 'Build with Sim for Enterprise' |
| 4 | +description: 'Access control, BYOK, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, Admin API, and flexible data retention—enterprise features for teams with strict security and compliance requirements.' |
| 5 | +date: 2026-01-23 |
| 6 | +updated: 2026-01-23 |
| 7 | +authors: |
| 8 | + - vik |
| 9 | +readingTime: 10 |
| 10 | +tags: [Enterprise, Security, Self-Hosted, SSO, SAML, Compliance, BYOK, Access Control, Copilot, Whitelabel, API, Import, Export] |
| 11 | +ogImage: /studio/enterprise/cover.png |
| 12 | +ogAlt: 'Sim Enterprise features overview' |
| 13 | +about: ['Enterprise Software', 'Security', 'Compliance', 'Self-Hosting'] |
| 14 | +timeRequired: PT10M |
| 15 | +canonical: https://sim.ai/studio/enterprise |
| 16 | +featured: false |
| 17 | +draft: true |
| 18 | +--- |
| 19 | + |
| 20 | +We've been working with security teams at larger organizations to bring Sim into environments with strict compliance and data handling requirements. This post covers the enterprise capabilities we've built: granular access control, bring-your-own-keys, self-hosted deployments, on-prem Copilot, SSO & SAML, whitelabeling, compliance, and programmatic management via the Admin API. |
| 21 | + |
| 22 | +## Access Control |
| 23 | + |
| 24 | + |
| 25 | + |
| 26 | +Permission groups let administrators control what features and integrations are available to different teams within an organization. This isn't just UI filtering—restrictions are enforced at the execution layer. |
| 27 | + |
| 28 | +### Model Provider Restrictions |
| 29 | + |
| 30 | + |
| 31 | + |
| 32 | +Allowlist specific providers while blocking others. Users in a restricted group see only approved providers in the model selector. A workflow that tries to use an unapproved provider won't execute. |
| 33 | + |
| 34 | +This is useful when you've approved certain providers for production use, negotiated enterprise agreements with specific vendors, or need to comply with data residency requirements that only certain providers meet. |
| 35 | + |
| 36 | +### Integration Controls |
| 37 | + |
| 38 | + |
| 39 | + |
| 40 | +Restrict which workflow blocks appear in the editor. Disable the HTTP block to prevent arbitrary external API calls. Block access to integrations that haven't completed your security review. |
| 41 | + |
| 42 | +### Platform Feature Toggles |
| 43 | + |
| 44 | + |
| 45 | + |
| 46 | +Control access to platform capabilities per permission group: |
| 47 | + |
| 48 | +- **[Knowledge Base](https://docs.sim.ai/blocks/knowledge)** — Disable document uploads if RAG workflows aren't approved |
| 49 | +- **[MCP Tools](https://docs.sim.ai/mcp)** — Block deployment of workflows as external tool endpoints |
| 50 | +- **Custom Tools** — Prevent creation of arbitrary HTTP integrations |
| 51 | +- **Invitations** — Disable self-service team invitations to maintain centralized control |
| 52 | + |
| 53 | +Users not assigned to any permission group have full access, so restrictions are opt-in per team rather than requiring you to grant permissions to everyone. |
| 54 | + |
| 55 | +--- |
| 56 | + |
| 57 | +## Bring Your Own Keys |
| 58 | + |
| 59 | + |
| 60 | + |
| 61 | +When you configure your own API keys for model providers—OpenAI, Anthropic, Google, Azure OpenAI, AWS Bedrock, or any supported provider—your prompts and completions route directly between Sim and that provider. The traffic doesn't pass through our infrastructure. |
| 62 | + |
| 63 | +This matters because LLM requests contain the context you've assembled: customer data, internal documents, proprietary business logic. With your own keys, you maintain a direct relationship with your model provider. Their data handling policies and compliance certifications apply to your usage without an intermediary. |
| 64 | + |
| 65 | +BYOK is available to everyone, not just enterprise plans. Connect your credentials in workspace settings, and all model calls use your keys. For self-hosted deployments, this is the default—there are no Sim-managed keys involved. |
| 66 | + |
| 67 | +A healthcare organization can use Azure OpenAI with their BAA-covered subscription. A financial services firm can route through their approved API gateway with additional logging controls. The workflow builder stays the same; only the underlying data flow changes. |
| 68 | + |
| 69 | +--- |
| 70 | + |
| 71 | +## Self-Hosted Deployments |
| 72 | + |
| 73 | + |
| 74 | + |
| 75 | +Run Sim entirely on your infrastructure. Deploy with [Docker Compose](https://docs.sim.ai/self-hosting/docker) or [Helm charts](https://docs.sim.ai/self-hosting/kubernetes) for Kubernetes—the application, WebSocket server, and PostgreSQL database all stay within your network. |
| 76 | + |
| 77 | +**Single-node** — Docker Compose setup for smaller teams getting started. |
| 78 | + |
| 79 | +**High availability** — Multi-replica Kubernetes deployments with horizontal pod autoscaling. |
| 80 | + |
| 81 | +**Air-gapped** — No external network access required. Pair with [Ollama](https://docs.sim.ai/self-hosting/ollama) or [vLLM](https://docs.sim.ai/self-hosting/vllm) for local model inference. |
| 82 | + |
| 83 | +Enterprise features like access control, SSO, and organization management are enabled through environment variables—no connection to our billing infrastructure required. |
| 84 | + |
| 85 | +--- |
| 86 | + |
| 87 | +## On-Prem Copilot |
| 88 | + |
| 89 | +Copilot—our context-aware AI assistant for building and debugging workflows—can run entirely within your self-hosted deployment using your own LLM keys. |
| 90 | + |
| 91 | +When you configure Copilot with your API credentials, all assistant interactions route directly to your chosen provider. The prompts Copilot generates—which include context from your workflows, execution logs, and workspace configuration—never leave your network. You get the same capabilities as the hosted version: natural language workflow generation, error diagnosis, documentation lookup, and iterative editing through diffs. |
| 92 | + |
| 93 | +This is particularly relevant for organizations where the context Copilot needs to be helpful is also the context that can't leave the building. Your workflow definitions, block configurations, and execution traces stay within your infrastructure even when you're asking Copilot for help debugging a failure or generating a new integration. |
| 94 | + |
| 95 | +--- |
| 96 | + |
| 97 | +## SSO & SAML |
| 98 | + |
| 99 | + |
| 100 | + |
| 101 | +Integrate with your existing identity provider through SAML 2.0 or OIDC. We support Okta, Azure AD (Entra ID), Google Workspace, OneLogin, Auth0, JumpCloud, Ping Identity, ADFS, and any compliant identity provider. |
| 102 | + |
| 103 | +Once enabled, users authenticate through your IdP instead of Sim credentials. Your MFA policies apply automatically. Session management ties to your IdP—logout there terminates Sim sessions. Account deprovisioning immediately revokes access. |
| 104 | + |
| 105 | +New users are provisioned on first SSO login based on IdP attributes. No invitation emails, no password setup, no manual account creation required. |
| 106 | + |
| 107 | +This centralizes your authentication and audit trail. Your security team's policies apply to Sim access through the same system that tracks everything else. |
| 108 | + |
| 109 | +--- |
| 110 | + |
| 111 | +## Whitelabeling |
| 112 | + |
| 113 | +Customize Sim's appearance to match your brand. For self-hosted deployments, whitelabeling is configured through environment variables—no code changes required. |
| 114 | + |
| 115 | +**Brand name & logo** — Replace "Sim" with your company name and logo throughout the interface. |
| 116 | + |
| 117 | +**Theme colors** — Set primary, accent, and background colors to align with your brand palette. |
| 118 | + |
| 119 | +**Support & documentation links** — Point help links to your internal documentation and support channels instead of ours. |
| 120 | + |
| 121 | +**Legal pages** — Redirect terms of service and privacy policy links to your own policies. |
| 122 | + |
| 123 | +This is useful for internal platforms, customer-facing deployments, or any scenario where you want Sim to feel like a native part of your product rather than a third-party tool. |
| 124 | + |
| 125 | +--- |
| 126 | + |
| 127 | +## Compliance & Data Retention |
| 128 | + |
| 129 | + |
| 130 | + |
| 131 | +Sim maintains **SOC 2 Type II** certification with annual audits covering security, availability, and confidentiality controls. We share our SOC 2 report directly with prospective customers under NDA. |
| 132 | + |
| 133 | +**HIPAA** — Business Associate Agreements available for healthcare organizations. Requires self-hosted deployment or dedicated infrastructure. |
| 134 | + |
| 135 | +**Data Retention** — Configure how long workflow execution traces, inputs, and outputs are stored before automatic deletion. We work with enterprise customers to set retention policies that match their compliance requirements. |
| 136 | + |
| 137 | +We provide penetration test reports, architecture documentation, and completed security questionnaires (SIG, CAIQ, and custom formats) for your vendor review process. |
| 138 | + |
| 139 | +--- |
| 140 | + |
| 141 | +## Admin API |
| 142 | + |
| 143 | +Manage Sim programmatically through the Admin API. Every operation available in the UI has a corresponding API endpoint, enabling infrastructure-as-code workflows and integration with your existing tooling. |
| 144 | + |
| 145 | +**User & Organization Management** — Provision users, create organizations, assign roles, and manage team membership. Integrate with your HR systems to automatically onboard and offboard employees. |
| 146 | + |
| 147 | +**Workspace Administration** — Create workspaces, configure settings, and manage access. Useful for setting up isolated environments for different teams or clients. |
| 148 | + |
| 149 | +**Workflow Lifecycle** — Deploy, undeploy, and manage workflow versions programmatically. Build CI/CD pipelines that promote workflows from development to staging to production. |
| 150 | + |
| 151 | +The API uses standard REST conventions with JSON payloads. Authentication is via API keys scoped to your organization. |
| 152 | + |
| 153 | +--- |
| 154 | + |
| 155 | +## Import & Export |
| 156 | + |
| 157 | +Move workflows between environments, create backups, and maintain version control inside or outside of Sim. |
| 158 | + |
| 159 | +**Workflow Export** — Export individual workflows or entire folders as JSON. The export includes block configurations, connections, environment variable references, and metadata. Use this to back up critical workflows or move them between Sim instances. |
| 160 | + |
| 161 | +**Workspace Export** — Export an entire workspace as a ZIP archive containing all workflows, folder structure, and configuration. Useful for disaster recovery or migrating to a self-hosted deployment. |
| 162 | + |
| 163 | +**Import** — Import workflows into any workspace. Sim handles ID remapping and validates the structure before import. This enables workflow templates, sharing between teams, and restoring from backups. |
| 164 | + |
| 165 | +**Version History** — Each deployment creates a version snapshot. Roll back to previous versions if a deployment causes issues. The Admin API exposes version history for integration with your change management processes. |
| 166 | + |
| 167 | +For teams practicing GitOps, export workflows to your repository and use the Admin API to deploy from CI/CD pipelines. |
| 168 | + |
| 169 | +--- |
| 170 | + |
| 171 | +## Get Started |
| 172 | + |
| 173 | +Enterprise features are available now. Check out our [self-hosting](https://docs.sim.ai/self-hosting) and [enterprise](https://docs.sim.ai/enterprise) docs to get started. |
| 174 | + |
| 175 | +*Questions about enterprise deployments?* |
| 176 | + |
| 177 | +<ContactButton href="https://form.typeform.com/to/jqCO12pF">Contact Us</ContactButton> |
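Review bot: The BYOK paragraph at line 61 of the new file says prompts and completions "route directly between Sim and that provider" and then that "The traffic doesn't pass through our infrastructure"; on the hosted product Sim is itself one end of that route, so the two sentences conflict unless the claim is limited to self-hosted deployments, which line 65 treats as a separate case. Suggest rewording to state what actually changes on hosted Sim when a customer supplies their own keys. Line 53 says users not assigned to any permission group have full access, which makes the model fail-open; since line 26 stresses that restrictions are "enforced at the execution layer", the post should say next to that claim that a new or unassigned user is unrestricted until an administrator places them in a group. Line 131 calls SOC 2 Type II a "certification"; SOC 2 is an attestation report, so "report" or "attestation" is the accurate wording. Line 103 states "Account deprovisioning immediately revokes access" without naming the mechanism, while line 105 only describes provisioning on first SSO login; say how revocation reaches existing sessions and the organization-scoped Admin API keys from line 151. Smaller point: the intro at line 20 and the description at line 5 list the covered capabilities but omit the Import & Export section.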