Billing
Payment methods and payment histories are managed at the organization level.
How billing works at Pangea
Pangea uses a credit-based model where your organization maintains a U.S. dollar-denominated balance. Usage of Pangea services is deducted from this balance in real time as services are consumed. This pay-as-you-go model means you only pay for the services you use, for as long as you use them - no long-term contracts or complex licensing required.
Each service is priced based on the resources it uses. Most are billed per API call, while others include charges for compute or storage. Storage-related charges may be applied on a monthly, prorated basis. The exact amount deducted from your organization's balance depends on the pricing metrics defined for each service, as described in Pricing details per service section.
Pangea provides a $5 complimentary monthly balance to help you get started quickly. While it may seem not seem like much, Pangea's pricing model allows this credit to go a long way.
See Pangea Complimentary Deposits for more details.
The Billing page includes the following components:
- Balance - A section where you can view your balance, and add funds and one-time payments
- Auto-charge - A section where you can configure auto-charge payments
- Payment methods - A section where you can add or remove credit cards
- Deposit history - A table where you can review deposits on a monthly basis
Your balance at a glance
Your organization's balance is displayed in the top-right corner of the header in your Pangea Console instance. Click the balance to go to the Billing page.
If your organization has a negative balance, that is also displayed in the top-right corner of the header. In addition, Pangea will show a notification to alert you about the negative balance.
Making Deposits
All balances and payment methods are managed at the organization level and shared across all projects. Any project inside of an organization can draw from the organization balance. Check out the different types of deposits:
Pangea Complimentary Deposits
To help you get started, Pangea provides all organizations a $5 complimentary balance. In addition, Pangea will restore the $5 complimentary balance at the beginning of each month. However, complimentary deposits cannot accumulate month over month. This means if you use $2 of the complimentary balance in month 1, your beginning balance in month 2 will be restored to $5 via a $3 complimentary deposit. The complimentary balance restoration will not occur if your organization's balance is negative.
For information about when the $5 complimentary deposit occurs, visit the Billing Cycle and Monthly Charges section.
Auto-charge
Pangea recommends that you set up Auto-charge for your production environments.
To avoid a negative balance, and potentially a service disruption, it is best to use the auto-charge feature. Pangea recommends that you set up Auto-charge for your production environments. Auto-charge allows you to automatically trigger a deposit from your credit card based on the organization balance reaching a user-defined level. The auto-charge amount is configurable and can be disabled at any time.
Manage Auto-charge
To set up auto-charge:
- Click Manage in the Auto-charge section of the Billing page
- Enter your credit card information into the Auto-charge dialog. When enabled, Auto-charge will charge the U.S. dollar amount specified in the Amount field, and will execute the auto-charge when the organization balance goes below the dollar amount specified in the When below field.
- Once set up, the Auto-charge screen will look something like the image below. The Auto-charge section displays your auto-charge configuration and the payment method you chose to configure auto-charge includes an “Auto-charge” label.
Determine an Auto-charge amount
Pangea recommends a When Below amount equal to or greater than your average daily usage and an auto-charge amount equal to 30 days of usage (i.e. one month).
An easy way to determine auto-charge amounts and When Below thresholds is to review your usage on the Usage Page. You'll be able to see your average daily usage and usage trends, month over month. Pangea recommends a When Below amount equal to or greater than your average daily usage and an auto-charge amount equal to 30 days of usage (i.e. one month). This will ensure you always have enough balance to cover your usage while limiting credit card transactions to approximately 1 per month. Additionally, should something go wrong with your payment method, you'll have a day's worth of balance to cover you while you get it corrected.
For example, if average daily usage = $15, then:
- Amount 30 x $15 = $450
- When below = $15
See the image below for reference:
One-Time Payments
To add funds to your balance and make a one-time payment:
- Click + Funds in the Balance section of the Billing page
- Enter the funding amount and select a credit card to fund from
- Click Save. Your balance will be updated immediately.
Add a payment method
To add a payment method:
- Click + Payment Method on the Billing page
- Enter your credit card details into the Payment information dialog
- Once the credit card has been added, it will appear in the Payment method section of the Billing page
Delete a payment method
To delete a payment method:
- Select the payment method you want to delete and click the remove icon
Billing Cycle and Monthly Charges
The billing cycle for all Pangea users, independent of your timezone, will be as follows:
- Start of billing cycle = 12:00:00AM Pacific Time Zone on the first day of every month
- End of billing cycle = 11:59:59PM Pacific Time Zone on the last day of every month
The timing of the billing cycle is relevant for:
- allocation and charges associated with services utilized on a monthly basis (e.g. storage)
- calculating the negative balance allowance
- replenishment of complimentary credits
Negative Balances
If your applications are using Pangea services and consume the entire available balance, Pangea will allow a negative balance without a financial penalty. The overage is based on 10% of the current or prior month's API spend, whichever is greater. For example, if last month your organization consumed $100 in service utilization, and the $100 was funded through your organization's credit card, Pangea will permit service utilization up to a balance of -$10 (negative $10). Once the maximum negative allowance has been reached, the Pangea service availability will be suspended.
If your organization's balance is negative:
- Pangea will send you warnings and notifications in the Pangea Console
- Pangea will send frequent emails to your organization's admin
- Pangea wil persist with this messaging from the time the balance becomes negative and while the negative balance is carried
While any organization is in a negative balance, Pangea will not provide the $5 complimentary credit deposit. Once an organization's balance is restored to positive, the $5 complimentary deposit will resume on the next billing cycle.
To avoid negative balances, Pangea recommends setting up Auto-charge
Pricing details per service
AI Guard
AI Guard has two pricing dimensions:
- Data scanned (per KiB per request)
- Additional services used
Each is explained below.
Data scanned
Each AI Guard request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB.
Additional services used in a recipe
- AI Guard protection is configured through customizable
recipes
, each applying specific actions to different risks. Risk detection and response actions may rely on separate Pangea services integrated into the recipe. - AI Guard requires the Vault service to manage secrets and keys.
- Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.
These dependencies result in additional credit usage, with costs determined by each service's billing policy.
See pricing details for the following services AI Guard may depend on:
Prompt Guard
Prompt Guard has two pricing dimensions:
- Data scanned (per KiB per request)
- Additional services used
Data scanned
Each Prompt Guard request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB.
Additional services used
- Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.
This dependency results in additional credit usage, with costs determined by the Secure Audit Log billing policy:
Secure Audit Log
Secure Audit Log has four pricing dimensions:
- Log ingestion
- Audit history search
- Data retention (hot, warm, and cold storage)
- Log export
Log ingestion costs are separate from storage costs, but the retention tier determines how long logs are kept and where they're stored:
- Hot storage - Optimized for performance and free to search
- Warm storage - Optimized for cost and supports search
- Cold storage - Archived and retrievable by request only
To configure your retention policy, see the Retention policy documentation.
Log ingestion
- Billed in 1 MiB increments, starting with the first log ingested (the first byte triggers a charge for 1 MiB - the minimum billable unit)
- Additional ingestion is tracked cumulatively, with a new charge applied only after the next full MiB is exceeded
- Applies to events written via the
/v1/log
,/v2/log
, and/v2/log_async
API endpoints
For example, any ingestion activity up to 1 MiB in a given month results in a 1 MiB charge. Once total ingestion exceeds 1 MiB, a second 1 MiB charge is applied, and so on.
Explore Secure Audit Log APIs in the API Reference documentation.
Audit history search
- Hot storage - Free to search
- Warm storage - Billed per GiB searched, rounded up to the nearest GiB per API call. For example, if a query spans 1.8 GiB of warm storage data, it will be billed as 2 GiB.
- Cold storage - Not searchable
Data retention
- Tracked per audit schema (sometimes referred to as a configuration). Learn more about managing multiple audit schemas in the service documentation .
- Rounded up to the nearest GiB
- Prorated through the end of the month
- Measured every 8 hours (00:00, 08:00, and 16:00 UTC)
For example, if storage increases from 1.4 GiB to 1.8 GiB on day 15 of a 30-day month, a prorated charge for 16⁄30ths of the additional GiB is billed.
Log export
Export from hot or warm storage
You can export Secure Audit Log data retained in hot or warm storage using the /v1/export API endpoint.
- Billed per GiB of exported data, rounded up to the nearest GiB, per day retained (in temporary storage)
- Pricing includes 7 days of temporary storage by default
- No charges for downloading exported data
- Export usage is billed as a separate line item
- A credit check is performed before export to confirm sufficient balance
Export from cold storage
Logs in cold storage cannot be searched directly or exported via Secure Audit Log APIs.
However, you can request a cold storage export as described in the Secure Audit Log documentation.
Pricing for cold storage export is handled on a case-by-case basis and may vary based on the specifics of the request.
Redact
Redact has one pricing dimension:
- Data scanned (per KiB per request)
Data scanned
Each Redact API request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB per request.
Embargo
Embargo has one pricing dimension:
- Requests
Requests
Each Embargo API request creates a billing event. There are no additional factors affecting the cost.
File Intel
File Intel has two pricing dimensions:
- Requests
- Providers
Request and provider
Each File Intel API request creates a billing event. The cost depends on the provider selected for the request.
See the Providers documentation to learn more about supported service providers.
IP Intel
IP Intel has two pricing dimensions:
- Requests
- Providers
Request and provider
Each IP Intel API request creates a billing event. The cost depends on the provider selected. Providers offer different capabilities and are therefore not interchangeable.
IP Intel includes multiple endpoints, each representing a sub-service:
- Reputation (CrowdStrike and Cymru)
- Geolocation (Digital Element)
- VPN (Digital Element)
- Proxy (Digital Element)
- Domain (Digital Element)
See the Providers documentation to learn more about supported service providers.
Domain Intel
Domain Intel has two pricing dimensions:
- Requests
- Providers
Request and provider
Each Domain Intel API request creates a billing event. The cost depends on the provider selected for the request.
See the Providers documentation to learn more about supported service providers.
URL Intel
URL Intel has two pricing dimensions:
- Requests
- Providers
Request and provider
Each URL Intel API request creates a billing event. The cost depends on the provider selected for the request.
See the Providers documentation to learn more about supported service providers.
AuthN
AuthN has three pricing dimensions:
- Monthly Active Users
- Additional services used
- User Flows where threat intel services are applied
Each is explained below.
Monthly Active Users
A Monthly Active User (MAU) is a user who authenticates at least once during a calendar month. If the user exits the flow before completing all authentication steps, they are not counted as a MAU. If a user logs in multiple times in the same month, they are still counted as a single MAU.
Additional services used
- Within AuthN, you can optionally enable threat intel services in the User Registration and Authentication flows.
- Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.
These dependencies result in additional credit usage, with costs determined by each service's billing policy.
See pricing details for each integration:
User flows
There are two User Flows within AuthN: User Registration and User Authentication.
In both flows, the enabled threat intel services run sequentially. If a request is blocked by one of the services, the flow exits early and no further services are executed. In that case, billing applies only to the checks completed before the rejection. If the request passes all checks, the flow completes and a billing event is generated for each service used in the flow.
Each user typically completes the User Registration flow once and the User Authentication flow each time they sign in.
Vault
The Vault service has three pricing dimensions:
- Secret/Key retention
- Secret/Key operations
- Additional services used
Each is explained below.
Secret/Key operations
An operation is defined as one of the following endpoint calls:
- Rotation (automated or manual)
/secret/rotate
/key/rotate
- Signing or verifying signatures
/sign
/verify
/jwt/sign
/jwt/verify
- Encryption or decryption
/encrypt
/decrypt
/encrypt_structured
/decrypt_structured
/encrypt_transform
/decrypt_transform
/encrypt_transform_structured
/decrypt_transform_structured
Each operation - whether performed through the Pangea User Console or via the API - creates a billing event.
Secret/Key retention
To accommodate short-lived key use cases, Pangea tracks the presence of secrets and keys on an hourly basis. An "hour" is defined as any presence within a clock hour (for example, 10:00:00 - 10:59:59).
Billing events are generated twice per hour by the Vault service. At each interval, the system records:
- The number of secrets/keys created during that half-hour period
- The number of secrets/keys that exist at the start of a new hour (a billing event is created for that total)
For example, a secret or key created at 10:55:30 and deleted at 11:15:30 will generate one billing event for the 10:00 hour and another for the 11:00 hour - for a total of two events.
Additional services used
- Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.
This dependency results in additional credit usage, with costs determined by the Secure Audit Log billing policy:
User Intel
User Intel has two pricing dimensions:
- Requests
- Providers
Request and provider
Each User Intel API request creates a billing event. The cost depends on the provider selected for the request.
File Scan
File Scan has two pricing dimensions:
- Requests
- Providers
Request and provider
Each File Scan API request creates a billing event. The cost is based on the provider selected for the request.
Secure Share
The Secure Share service has three pricing dimensions:
- Data transferred (per MiB transferred)
- Data retention (per GiB/month)
- Additional services used
Each is explained below.
Data transfer and retention
Additional services used
- Secure Share scans files using the File Scan service before storing them.
- Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.
These dependencies result in additional credit usage, with costs determined by each service's billing policy.
See pricing details for the following services Secure Share may depend on:
AuthZ
AuthZ has two pricing dimensions:
- Monthly Active Subjects
- Additional services used
Monthly Active Subjects
A Monthly Active Subject is any entity - such as a user, device, or service - that has its permissions checked at least once within a calendar month.
Additional services used
- Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.
This dependency results in additional credit usage, with costs determined by the Secure Audit Log billing policy:
Sanitize
Sanitize has two pricing dimensions:
- Data scanned (per KiB per request)
- Additional services used
Each is explained below.
Data scanned
Each Sanitize request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB.
Additional services used
Sanitize can be integrated with other Pangea services to extend its functionality.
- Sanitize requires the File Scan service, either directly or through integration with Secure Share.
- Enabling the Redact Sensitive Information option uses the Redact service.
- Sanitize can defang all URLs at no additional cost. However, when defanging is based on risk, it uses the URL Intel and/or Domain Intel services.
- Sanitize can also process files stored in Secure Share.
Dependencies on other Pangea services result in additional credit usage, with costs determined by each service's billing policy.
See pricing details for the following services Sanitize may depend on:
Edge and Private Cloud
Pangea security services are available in three deployment models , offering flexibility to meet your infrastructure and compliance requirements:
- Pangea SaaS - A fully hosted solution managed by Pangea, ideal for teams seeking a quick setup with no infrastructure management.
- Edge - A hybrid model where Pangea's hosted control plane manages configurations, while data processing occurs within your cloud environment (AWS, Azure, or GCP).
- Private Cloud - A fully self-managed deployment where both the data and control planes run within your infrastructure, enabling maximum control and isolation.
For detailed pricing on Edge and Private Cloud deployments, contact a Pangea representative at https://pangea.cloud/contact-us/ .
Was this article helpful?