Architecture USP · AI sovereignty
AI features in EMS don't run through our vendor account. Every tenant configures their own LLM endpoint and API key — Azure OpenAI in an EU West datacenter, Mistral AI in Paris, or a self-hosted model on your own GPU cluster. The LiteLLM proxy unifies the API. With a custom endpoint, the rule is: hard-fail instead of silent fallback — data control stays with you, even on failure.
Anatomy
"BYO-LLM" is a checkbox in many SaaS settings — for us it's an architecture principle carried through from the tenant setting to the inference layer.
Every tenant decides in their AI settings: default proxy, or their own endpoint with their own API key. With a custom endpoint, the vendor never sees the prompts or responses.
endpointUrlapiKey (verschlüsselt)fallbackToGlobalProxy: falseOne unified, OpenAI-compatible API in front of every provider. Switching from OpenAI to Mistral or Ollama is a config change, not a code change in EMS.
If your custom endpoint goes down, the system rejects the request — it doesn't quietly reroute to the global vendor account. Data control stays intact, even in failure mode.
if (tenant.hasCustomEndpoint && !ok)throw new InferenceUnavailableException();// kein Fallback. Kein „opportunistisches" Routing.Each editor ships its own JSON schema, generated from the TypeScript model. The LLM literally cannot return fields the editor doesn't know — no hallucination, no format break.
structuredOutput: truetoolCalling: truecapabilityCheck pro ModellA dashboard bar in the tenant settings shows tokens spent and live cost — broken down per feature. No hidden "AI credits", no surprise on the monthly invoice.
tokens.in · tokens.outcost.eur liveaiFeature-AufschlüsselungScenario 1 · Data sovereignty
A law firm bound by attorney-client privilege cannot send client data to third-party LLMs without a data processing agreement. They deploy Azure OpenAI in EU West (Sweden), create their own service principal with their own API key — and configure it in their EMS tenant's AI settings.
From the next click on "AI Paste" or "Improve with AI", every request runs exclusively against their own Azure tenancy. The vendor (Consiliari) has no access to prompts, no logs, no token counters. The GDPR data-protection impact assessment now addresses only one data processor — Azure EU — instead of a provider chain.
Scenario 2 · Air-gap
A research institute runs EMS in an isolated network with no internet — typical for pharma and defense research. Instead of reaching out to an external LLM, the LiteLLM proxy points at an internal Ollama endpoint running Llama 3.3 70B on their own GPU cluster.
AI Paste, AI Grid Filter and Text Enhancement keep working — just against your model. Not one bit of research data leaves the network. No black-box cloud. No monthly token invoice.
Scenario 3 · Model routing
Not every AI feature needs the most expensive model. AI Paste with PDF upload needs vision capability — so GPT-5.5. Text Enhancement benefits from Claude Sonnet for more natural tone. AI Grid Filter is a fast, simple tool-calling task — a local 8B model is enough.
Configurable per tenant and per feature. The capability check prevents mistakes: pick an older model without tool calling for AI Paste, and you get a clear error — not a hallucinated reply.
Scenario 4 · EU AI Act
AI features default to off per tenant. Activation is a deliberate tenant decision — not a silent vendor update. Each individual feature has its own switch. Token use and cost show up live in the settings, broken down by feature.
No autonomous model decision affects entries, hourly rates or approvals — AI only pre-fills fields and drafts text. The right to override and the audit log remain fully intact.
Comparison
Most SaaS AI features run through one central vendor account — Salesforce Einstein, HubSpot Breeze, Personio AI. Your data flows under their provider contract, in their region, under their model-swap policy. Our approach is different.
| Dimension | Temporalis EMS | Vendor-bound suites |
|---|---|---|
| LLM provider choice | OpenAI · Azure · Anthropic · Mistral · Ollama · LocalAI · your own OpenAI-compatible API | fixed by the vendor — usually OpenAI behind the curtain |
| API key ownership | tenant configures their own key | vendor account, tenant pays for "AI credits" |
| Self-hosted option | Ollama, vLLM, LocalAI — air-gap possible | not supported, cloud enforced |
| Custom endpoint failure | hard-fail (data control retained) | irrelevant — no custom endpoint possible |
| Schema enforcement (tool calling) | in 10 editors · schema generated from TS model | partly free text, partly templates, rarely tool calling |
| Model per feature | each AI feature picks its own model | one model for every feature |
| Token transparency | live in tenant settings · per feature | "AI credit" bundles, no real-time view |
| Per-feature off switch | every AI mode independently switchable | global "AI on/off" or nothing at all |
Try free for 14 days, plug in your own key, trigger the hard-fail behaviour yourself. No credit card, no sales call.