- Browser AI services (ChatGPT, Claude, Gemini…)
- Desktop AI applications
- Internal apps and enterprise tools
- In-house and configurable external agents
- API-based AI traffic
- Web application
- Workspace desktop app (macOS & Windows)
- Documents, images, and audio
- Built-in agent gateway
- Automatic routing to a suitable model per task
Same purpose, same architecture#
Both products exist for the same reason: detected sensitive data stays inside your perimeter while your organization uses external AI. And both share the same architecture — a self-hosted PII model masks values in-house before any provider call, and external models receive tokens only. What differs is whose application carries the AI traffic.
Salus Gateway — protect the AI you already run#
The Gateway is the protection layer for AI usage that already exists in your organization. Two lanes bring traffic to the engine:
- App/agent lane. Internal applications, services, and agents point their AI base URL at the Salus gateway. There is no TLS interception in this lane: the caller connects to Salus as a normal TLS endpoint, provider keys move into the gateway, and apps receive scoped virtual keys.
- Salus Desktop. The Gateway's endpoint agent for managed macOS and Windows devices, deployed via MDM. It captures employee browser and desktop AI traffic on the device and tunnels it to the central engine — on-network, remote, or roaming.
Together the two lanes cover managed devices, configured apps, and agents — browser AI, desktop AI, and API/agent traffic.
Salus Workspace — Salus's own AI client#
The Workspace is a first-party AI client: a secure web app and a native desktop chat app for macOS and Windows (the Workspace desktop app — a different product from Salus Desktop, which is the Gateway's endpoint agent). The engine is built into the application rather than placed in front of someone else's.
Every message is masked in-house by the self-hosted PII model before any provider call, then the app delegates each task to an external model suited to it — code, reasoning, research, and documents each route to a strong provider, with automatic fallback — and those models receive tokens only. The Workspace also handles documents, images, and audio with built-in anonymization, and includes an OpenAI-compatible gateway so your own agents can use the same mask → delegate → restore path.
Side by side#
| Salus Gateway | Salus Workspace | |
|---|---|---|
| What it is | Protection layer for existing AI apps and agents | Salus's own AI client (web + desktop) |
| Who carries the AI | The apps you already run | The Workspace app itself |
| How traffic is captured | App/agent lane (base URL) + Salus Desktop (MDM endpoint agent) | Native — protection is built into the client |
| Sign-in model | Machine identity (virtual keys) and device identity (MDM certificates) | SSO via your identity provider (OIDC/SAML) |
| File & media handling | Governs what configured apps send | Built-in document, image, and audio anonymization |
| Engine, vault, policy, audit | Shared — one control plane | Shared — one control plane |
One control plane#
Because both products run on the same engine, tokens are consistent across them, policy is written once, and every event — from a browser prompt to an agent API call to a Workspace chat — lands in the same token-only audit stream. Running both is the common pattern: the Gateway covers what exists, the Workspace gives teams a first-class client designed around protection.