Cut your Claude bill — without PHI ever leaving your environment.
Health-tech teams can't route patient data through a third-party gateway. ModelPilot is built so it never has to: prompts, model outputs, and your API key never reach us.
What that means for your security & compliance review
- No PHI egress to ModelPilot. The sensitive data physically can't reach us — our endpoints even reject any payload that contains prompt/output/key fields (HTTP 422), as defense in depth.
- You keep your own Anthropic relationship. Requests go to Anthropic directly with your key; we're not in the path of your prompt content. Configure Anthropic's data terms (e.g. zero-retention) with them as you do today.
- Fail-open. If ModelPilot is ever unreachable, traffic passes straight through to Claude, unrouted — we can degrade savings, never your uptime or your data path.
- Auditable savings. Realized savings are measured against a held-out control arm with non-inferiority checks on your own traffic — a number you can defend internally.
The honest part on certifications
Our PHI-never-leaves-your-environment guarantee is a property of the architecture, verifiable in the (inspectable) client. We are not yet SOC-2 or HIPAA certified, and we won't claim what we don't hold. If you need a BAA, a security questionnaire, or our compliance roadmap, email us — we'll share exactly where we are. (See Security & trust.)
The economics
You pay only a share of the savings we actually deliver (20% pay-as-you-go; lower on subscription tiers) — no savings, no bill. For a team spending five or six figures a month on Claude, routing the easy requests to a cheaper-but-good-enough model adds up fast, with quality floors that keep your clinical-grade work on a capable model.