Enterprise with Droids
Factory’s enterprise platform is designed for the highest‑security customers—systemically important banks, governments, healthcare, national security, and other regulated organizations. Instead of forcing you into a single cloud IDE, Droid is a CLI and agent runtime that runs anywhere:
- On developer laptops, in any terminal or IDE
- In CI/CD pipelines (GitHub, GitLab, internal runners)
- In VMs, Kubernetes clusters, and hardened devcontainers
- In fully airgapped environments with no outbound internet access
What this section covers
Use these pages together as your enterprise playbook for Droids:
Identity & Access
How orgs, projects, folders, and users are identified; how SSO/SCIM and RBAC determine who can run Droid and with which permissions.
See Identity & Access Management.
Privacy & Data Flows
Exact data flows for code, prompts, and telemetry across cloud, hybrid, and fully airgapped deployments.
See Privacy, Data Flows & Governance.
Network & Deployment
Reference architectures for cloud‑managed, hybrid, and fully airgapped deployments, plus proxy and mTLS configuration.
See Network & Deployment Configuration.
LLM Safety & Controls
How Droid classifies command risk, enforces allow/deny lists, uses Droid Shield for secret scanning, and integrates hooks and sandboxes.
See LLM Safety & Agent Controls.
Models & Integrations
Hierarchical model allow/deny, LLM gateways, BYOK, MCP servers, droids, commands, and how Droid plugs into your existing AI stack.
See Models, LLM Gateways & Integrations.
Analytics & Compliance
OTEL‑native telemetry, analytics, audit logging, and how Factory supports SOC2, ISO 27001, ISO 42001 and internal regulatory reviews.
See Usage, Cost & Productivity Analytics and Compliance, Audit & Monitoring.
Enterprise foundations
Multi‑deployment by design
Factory supports three deployment patterns for Droid, all built on the same core binary and configuration model:
- Cloud‑managed – Droid runs on developer machines and CI but uses Factory’s cloud for coordination and optional analytics. Models are either Factory‑brokered or brought by you.
- Hybrid enterprise – Droid runs entirely in your infrastructure (VMs, CI runners, containers), optionally connecting to Factory cloud for UX while all LLMs and telemetry terminate inside your network.
- Fully airgapped – Droid runs in a network with no outbound internet access. Models and OTEL collectors are hosted entirely inside this environment; Factory never receives traffic.
Hierarchical control, not per‑device drift
Enterprise policy is expressed through a hierarchical settings model:
- Org → global defaults and hard security policies
- Project → repo‑level settings committed to .factory/
- Folder → narrower team or subsystem overrides inside a repo
- User → personal preferences only where higher levels are silent
Defense‑in‑depth agent safety
LLMs are probabilistic; Factory treats them as powerful but untrusted components. Droid’s safety story combines:
- Deterministic controls – command risk classification, allow/deny lists, file and repo protections, and sandbox boundaries
- Droid Shield – secret scanning and DLP‑style checks across prompts, files, and commands
- Hooks – programmable enforcement points (pre‑prompt, pre‑tool, pre‑command, pre‑git, post‑edit) to integrate with your own security systems
- Sandboxed runtimes – running Droid inside devcontainers and hardened VMs for high‑risk work
OTEL‑native observability
All serious enterprise deployments need to answer: “What are agents doing, where, and at what cost?” Droid emits OpenTelemetry metrics, traces, and logs so you can:
- Send telemetry directly to existing collectors (Prometheus, Datadog, Splunk, Jaeger, etc.)
- Track sessions, LLM usage, code edits, tool invocations, and errors per org/team/user
- Correlate Droid activity with SDLC metrics you already use
Trust & compliance
Factory maintains a security and compliance posture suitable for the most demanding organizations:
- SOC 2
- ISO 27001
- ISO 42001
