
Discover how to build AI-augmented applications with enterprise-grade security

16 December 2025

IT leaders want AI that moves the needle without blowing up risk, cost, or change control. Your teams need a path to productize AI features on top of existing apps, connect safely to external models, and satisfy audit requirements without slowing delivery. Those are the core buying criteria we hear from IT middle management: buy over build, predictable outcomes, and a strong compliance posture.

Upsun is a cloud application platform that pairs Git-driven configuration with production-grade preview environments and integrated guardrails, allowing you to deliver AI features quickly while maintaining control. It supports AI-augmented applications and agent workflows, providing AI tools with structured, real-time context through RAG capabilities.

What you can build on Upsun today

  • AI-augmented applications with your choice of external model APIs. Upsun supports integration with any LLM service that provides an HTTP API, including OpenAI, Mistral, Claude, Gemini, or DeepSeek.¹
  • RAG architecture to ground model output in your domain data, improving accuracy and reducing hallucinations.² ³ Upsun supports a wide range of vector databases to embed and store your content.
  • MCP-powered development where Copilot, Claude, and other assistants query MCP servers you host on Upsun to pull live configuration or data, then propose changes aligned to your platform standards.⁴ ⁵ ⁶

Important note on compute: Upsun does not provide GPUs by default. You leverage your application and data on Upsun while connecting to external model endpoints or GPU-augmented servers for training or inference via standard HTTP APIs. See How to deploy AI.

Enterprise-grade security without the slowdown

Security is table stakes. The average global cost of a data breach was USD 4.88 million in 2024, and IBM’s 2025 report shows a decline to USD 4.44 million for organizations accelerating detection and containment with AI.⁷ ⁸ That is still expensive, so guardrails matter.

Here is how Upsun helps:

  • Git-driven YAML config. Your infrastructure, services, and routes live in a single, reviewable config.yaml, versioned alongside code. See 'Configure your project and YAML structure' in the documentation. ¹⁰ ¹¹
  • Automatic preview environments per Git branch. Each branch gets a live, production-grade environment that can inherit data and services from the parent, so changes are validated against realistic conditions before merging. ¹² ¹³
  • Instant data cloning with sanitization. Clone data down for tests while removing PII using built-in sanitization workflows for MariaDB and PostgreSQL. ¹⁴ ¹⁵
  • Access controls and MFA. Enforce multifactor authentication across your org and manage least-privilege access per project through the CLI and Console. ¹⁶ ¹⁷
  • Observability and APM. Integrated profiling and application metrics enable you to measure performance at every stage of the lifecycle. ¹⁸ ¹⁹
  • Compliance-ready posture. Refer to the Security and Compliance documentation and Trust Center references for certifications, including SOC 2, PCI DSS Level 1, and ISO 27001.²⁰ ²¹

These guardrails align with recognized frameworks. NIST’s AI Risk Management Framework emphasizes governance, measurement, and operational controls across the AI lifecycle, while the EU AI Act begins phased obligations between 2025 and 2026.²² ²³

Reference architecture: secure RAG and MCP on Upsun

This example shows a minimal setup that connects an API service to an external model endpoint, provisions a managed Postgres database for your embeddings store, and runs an optional MCP server that developer tools can query.

.upsun/config.yaml

applications:
  api:
    type: "python:3.11"
    relationships:
      # Format is <service name>:<endpoint>; the PostgreSQL service's endpoint is "postgresql"
      db: "postgresql:postgresql"
    variables:
      env:
        MODEL_BASE_URL: "https://api.openai.com"
        OPENAI_API_KEY: "@@OPENAI_API_KEY"   # stored as a secret variable
    web:
      commands:
        start: "uvicorn app:app --host 0.0.0.0 --port $PORT"

  mcp:
    type: "nodejs:18"
    web:
      commands:
        start: "node server.js"              # your MCP server for code assistants

services:
  postgresql:
    type: "postgresql:15"

routes:
  "https://{default}/":
    type: upstream
    upstream: "api:http"
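
How the api application could consume this configuration at startup, failing closed when the model endpoint or secret is wrong. This is an added example, not code from Upsun or from the original post; the host allowlist, the function names, and the sample values are assumptions, and it reads the db relationship from the platform's base64-encoded PLATFORM_RELATIONSHIPS variable.

```python
import base64
import json
import os
from urllib.parse import urlsplit

# Assumption: the only hosts this service may send prompts and API keys to.
ALLOWED_MODEL_HOSTS = {"api.openai.com"}


def model_settings(env):
    """Return (base_url, api_key), refusing unsafe or unresolved values."""
    url = urlsplit(env.get("MODEL_BASE_URL", ""))
    if url.scheme != "https" or url.hostname not in ALLOWED_MODEL_HOSTS:
        raise ValueError("MODEL_BASE_URL must be https and on the allowlist")
    key = env.get("OPENAI_API_KEY", "")
    # Empty, or still the literal "@@..." stand-in from config.yaml, means
    # no real secret value reached this environment.
    if not key or key.startswith("@@"):
        raise ValueError("OPENAI_API_KEY is not set for this environment")
    return f"https://{url.hostname}", key


def db_settings(env, name="db"):
    """Decode PLATFORM_RELATIONSHIPS and return connection kwargs for `name`."""
    raw = env.get("PLATFORM_RELATIONSHIPS")
    if not raw:
        raise ValueError("PLATFORM_RELATIONSHIPS is not set")
    endpoints = json.loads(base64.b64decode(raw)).get(name) or []
    if not endpoints:
        raise ValueError(f"relationship {name!r} is not defined")
    ep = endpoints[0]
    return {"host": ep["host"], "port": ep["port"], "user": ep["username"],
            "password": ep["password"], "dbname": ep["path"]}


def redacted(settings):
    """Copy of a settings dict that is safe to write to logs."""
    return {k: "***" if k == "password" else v for k, v in settings.items()}


# Constructed sample environment; every value here is made up.
SAMPLE_ENV = {
    "MODEL_BASE_URL": "https://api.openai.com",
    "OPENAI_API_KEY": "sk-constructed-example",
    "PLATFORM_RELATIONSHIPS": base64.b64encode(json.dumps({"db": [{
        "host": "db.internal", "port": 5432, "username": "main",
        "password": "constructed-pw", "path": "main"}]}).encode()).decode(),
}

if __name__ == "__main__":
    print(model_settings(SAMPLE_ENV)[0])
    print(redacted(db_settings(SAMPLE_ENV)))
```

In a deployed container, pass os.environ instead of SAMPLE_ENV.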

Data handling best practices

  • Use preview environments tied to feature branches and clone data selectively for test realism. ¹² ¹³
  • Apply sanitization jobs so no reviewer or agent sees raw PII. ¹⁴ ¹⁵
  • Enforce MFA at the organization level and use least-privilege roles for automation tokens. ¹⁶ ¹⁷
  • Instrument your services to capture metrics, traces, and profiles to detect regressions early. ¹⁸ ¹⁹

Why this approach converts pilots into production

  • Speed and quality. Git-native config and per-branch previews shorten feedback loops and reduce the “works on my machine” risk. ¹² ¹³
  • Consistency at scale. One YAML and a predictable platform means you codify best practices once for every team.¹¹
  • Reduced toil. Managed services, automated cloning, and integrated observability cut manual glue work. ¹⁸ ¹⁹
  • Predictable cost and compliance. Upsun centralizes controls and supports enterprise certifications, helping you meet obligations while keeping focus on feature delivery. ²⁰ ²¹

Proof points you can take to the board

  • Generative AI adoption is real: 65 percent of organizations were already using gen AI regularly in early 2024.²
  • RAG improves robustness by grounding outputs in current, relevant data and is the dominant pattern for enterprise AI apps.³
  • The EU AI Act is now in effect, with its obligations phasing in from 2025.²³
  • Breach costs remain material even as detection improves, reinforcing the need for strong guardrails when connecting to external AI services.⁷ ⁸

Where to go next

AI-augmented applications and enterprise security are not at odds. Upsun gives your teams the building blocks to connect to external models safely, validate changes against production-like data, and ship with confidence.

Sources

  1. How to deploy AI (Upsun Docs)
  2. The state of AI in early 2024 (McKinsey)
  3. Retrieval-Augmented Generation for AI-Generated Content: A Survey (arXiv, 2024)
  4. MCP specification (Modelcontextprotocol)
  5. Use MCP servers in VS Code (Microsoft)
  6. Host MCP servers on Upsun (Upsun Docs)
  7. IBM newsroom: 2024 average breach cost USD 4.88M
  8. IBM Think: 2025 breach cost declined to USD 4.44M
  9. Security and compliance (Upsun Docs)
  10. Configure your project (Upsun Docs)
  11. YAML structure (Upsun Docs)
  12. Environments tied to Git branches (Upsun Docs)
  13. Clone data from parent on create (Upsun Docs)
  14. Sanitize databases overview (Upsun Docs)
  15. Sanitize Postgres and MariaDB examples (Upsun Docs)
  16. Enforce MFA announcement (Upsun Blog)
  17. Multifactor Authentication (Upsun Docs)
  18. Increase observability (Upsun Docs)
  19. Blackfire for PHP and Python (Upsun Docs)
  20. Security and compliance statement with Trust Center link (Upsun Docs)
  21. Automate compliance claims (Upsun)
  22. NIST AI Risk Management Framework (overview)
  23. EU Parliament brief: AI Act implementation timeline (2025)
  24. Define routes (Upsun Docs)
  25. Host AI agents on Upsun (Upsun Docs)
  26. Host MCP servers on Upsun (Upsun Docs)
  27. Upsun AI overview: integrate any LLM over HTTP (Upsun Docs)
  28. Preview environments deep dive (Upsun Developer Center)
  29. Experiment with Chainlit and RAG on Upsun (Upsun Developer Center)
