EU-HOSTED  ·  GDPR-NATIVE  ·  ENFORCED AT RUNTIME

The control plane for enterprise AI.

AI gateway, policy engine, MCP supply-chain protection, real-time DLP and cost control — consolidated into one auditable control plane that sees and governs every AI request as it happens.

FinlandBuilt in Helsinki for regulated European enterprises — no US Cloud Act exposure.

Governing every model your teams already use

OpenAI
OpenAI
Anthropic
Anthropic
Gemini
Gemini
Mistral
Mistral
Copilot
Copilot
Perplexity
Perplexity
Why it matters
Every prompt your team sends is a data-egress event. Roder is the only place you see them all — and the only place you can stop one.
Roder
The Roder thesisRuntime control over every AI principal
The unified platform

Everything you need to govern AI at scale.

Write a rule once — it protects every team, every model and every request, from a single control plane.

01

AI Gateway

Every request from every model — chat, agents and MCP tool calls — routed through one inline enforcement point, so nothing reaches a provider unseen or unlogged.

02

Policy Engine

Composable CEL policies evaluated at runtime, versioned and testable, so the same rule protects every team and every model without a single code change.

03

Real-time DLP

PII, secrets and source code detected and redacted in flight — on every prompt and every response — before a single token crosses your perimeter.

04

MCP Protection

Trust graphs and lethal-trifecta detection across every Model Context Protocol server your agents reach, with policy enforced on each individual tool call.

05

Agent & MCP Security

Access certifications and the full lifecycle for every principal — human and non-human — with periodic reviews, attestations and one-click revocation.

06

Cost & Budgets

Per-team token attribution, hard ceilings and a throttle mode that keeps enforcement running even after the budget is spent — security never lapses.

Connect everything

One platform, every model and tool.

Route 2,000+ models and 500+ MCP servers & tools — OpenAI, Anthropic, Gemini, Mistral and any OpenAI-compatible endpoint — through a single control plane.

One gateway for every model and tool you run
2,000+ models · 500+ tools
Sovereign by design

100% EU-hosted.
No US Cloud Act exposure.

Built and operated in Finland, deployable as EU-hosted SaaS or fully on-premise — engineered against the regulations your auditors actually ask about.

EU
Roder AI Oy · Helsinki, Finland · EU data residency
Engineered against
GDPREU AI ActDORANIS2EHDSCRAeIDAS 2.0ISO 27001ISO 42001SOC 2 Type II

Frequently Asked Questions

Everything you need to know about the Roder control plane.

What exactly is Roder?+
Roder is a single control plane for enterprise AI. It consolidates an AI gateway, policy engine, MCP supply-chain protection, real-time DLP and cost attribution into one auditable system — deployed as EU-hosted SaaS or fully on-premise.
How is this different from a CASB or an API gateway?+
A CASB sees network metadata; an API gateway routes traffic. Roder understands AI semantics — prompts, responses, tokens, MCP tool calls and the principals behind them — and enforces policy on the content itself, in real time, with a compliance-grade audit trail.
Where is my data hosted?+
In the EU, always. Roder runs entirely on European infrastructure with no US Cloud Act exposure, and can be deployed on-premise inside your own perimeter. The company is Finnish and operated from Helsinki.
How long does it take to deploy?+
Under an hour to a first EU-hosted trial. Point your AI traffic at the gateway and requests, principals and policy decisions start appearing immediately — no agents to install on every endpoint.
Which models and tools does Roder support?+
OpenAI, Anthropic, Google Gemini, Mistral, Microsoft Copilot, Perplexity and any OpenAI-compatible endpoint — over 2,000 models — plus 500+ MCP servers and tools your agents connect to. New providers route through the same gateway with no code change.
Does Roder help with the EU AI Act?+
Yes. Roder ships compliance packs that map its controls to the EU AI Act, GDPR, DORA and NIS2, backed by an immutable seven-year audit trail — so the evidence your auditors ask for is already there when enforcement begins in August 2026.

Take back control of your AI.

Spin up an EU-hosted trial in under an hour, or talk to the team that built it. Either way, you'll see every request by the end of the day.

PrivacyEffective 31 May 2026

Privacy Policy

How Roder collects, uses and protects personal data. Written to be read, not just filed.

Roder OyHelsinki, Finland
← Back to roder.ai
In plain English

We are a Finnish company and we host everything in the EU. We collect the minimum we need to run the platform and talk to customers, we never sell your data, and you can ask us to show or delete what we hold at any time by emailing compliance@roder.ai.

1. Who we are

Roder Oy is the data controller for roder.ai and the Roder AI security platform. We are headquartered in Helsinki, Finland, with operations in Sweden. All production infrastructure runs in the EU.

2. Data we collect

We keep this list short on purpose. We collect what we need to run the service, support customers and meet our legal duties, and nothing we cannot justify.

Visitor data
From the website
Examples
Truncated IP address, browser type, pages viewed and referrer URL, for security and analytics.
Prospect and customer contact
When you reach out
Examples
Name, work email, company, role, country and what you sent us in a form.
Account data
When you sign in
Examples
Authentication identifiers, SSO claims and admin audit logs.
Service data
Through the gateway
Examples
Request metadata processed by the Roder gateway, with retention you control.
Billing data
When you pay
Examples
Company name, VAT or business ID and a billing contact. Card details are handled only by a PCI-compliant payment processor, never by us.

3. Why we process it, and our legal basis

  • Contract (Art. 6(1)(b)). Delivering the platform, supporting customers and billing.
  • Legitimate interests (Art. 6(1)(f)). Security, fraud prevention, product analytics and business-to-business outreach.
  • Legal obligation (Art. 6(1)(c)). Accounting, tax and regulatory reporting.
  • Consent (Art. 6(1)(a)). Newsletter sign-ups and optional cookies, which you can withdraw at any time.

4. Sharing and sub-processors

We share data only with the processors we need to run the service: EU cloud hosting, email, observability and authentication providers, plus Snitcher (Snitcher BV) for first-party website analytics. We never sell personal data or share it with advertising networks. The current sub-processor list is available from compliance@roder.ai.

5. International transfers

Production data stays in the EU and EEA. Where any limited transfer is unavoidable, we rely on the EU Standard Contractual Clauses with the additional safeguards required after the Schrems II ruling. Enterprise deployments can be configured EU-only.

6. How long we keep it

Visitor logs
Security telemetry
Retention
90 days.
Prospect data
From last contact
Retention
24 months from your last interaction.
Customer account data
Active accounts
Retention
The contract term plus 12 months.
Billing data
Tax requirement
Retention
6 years, as required by law. Earlier deletion is available on request where no legal duty applies.

7. Your rights

Under the GDPR you can ask us to give you access to your data, correct it, delete it, restrict or object to its use, or port it elsewhere. Email compliance@roder.ai and we will respond within one month. You can also complain to your supervisory authority, including the Office of the Data Protection Ombudsman in Finland or the IMY in Sweden.

8. Cookies

We use a small set of cookies, explained in full in our Cookies Policy. We do not use advertising or cross-site tracking cookies.

9. Security

We run a defence-in-depth security programme aligned to ISO 27001 and ISO 42001 and audited under SOC 2 Type II. Data is encrypted in transit with TLS 1.3 and at rest with AES-256, access is least-privilege, and activity is continuously logged. To report a vulnerability, see our security disclosure policy or email security@roder.ai.

10. Changes and contact

If we make a material change we will notify customers, and continued use of the service means you accept the updated policy.

Roder Oy

Helsinki, Finland
Privacy and data requests: compliance@roder.ai
Security: security@roder.ai

Questions about your data?

Talk to the team that runs the platform. We answer within one business day.