Skip to main content

Billing

Payment methods and payment histories are managed at the organization level.

How billing works at Pangea

Pangea uses a credit-based model where your organization maintains a U.S. dollar-denominated balance. Usage of Pangea services is deducted from this balance in real time as services are consumed. This pay-as-you-go model means you only pay for the services you use, for as long as you use them - no long-term contracts or complex licensing required.

Each service is priced based on the resources it uses. Most are billed per API call, while others include charges for compute or storage. Storage-related charges may be applied on a monthly, prorated basis. The exact amount deducted from your organization's balance depends on the pricing metrics defined for each service, as described in Pricing details per service section.

note

Pangea provides a $5 complimentary monthly balance to help you get started quickly. While it may seem not seem like much, Pangea's pricing model allows this credit to go a long way.

See Pangea Complimentary Deposits for more details.

The Billing page includes the following components:

  • Balance - A section where you can view your balance, and add funds and one-time payments
  • Auto-charge - A section where you can configure auto-charge payments
  • Payment methods - A section where you can add or remove credit cards
  • Deposit history - A table where you can review deposits on a monthly basis

Billing Page

Your balance at a glance

Your organization's balance is displayed in the top-right corner of the header in your Pangea Console instance. Click the balance to go to the Billing page.

Balance in Header

If your organization has a negative balance, that is also displayed in the top-right corner of the header. In addition, Pangea will show a notification to alert you about the negative balance.

Negative Balance

Making Deposits

All balances and payment methods are managed at the organization level and shared across all projects. Any project inside of an organization can draw from the organization balance. Check out the different types of deposits:

Pangea Complimentary Deposits

To help you get started, Pangea provides all organizations a $5 complimentary balance. In addition, Pangea will restore the $5 complimentary balance at the beginning of each month. However, complimentary deposits cannot accumulate month over month. This means if you use $2 of the complimentary balance in month 1, your beginning balance in month 2 will be restored to $5 via a $3 complimentary deposit. The complimentary balance restoration will not occur if your organization's balance is negative.

note

For information about when the $5 complimentary deposit occurs, visit the Billing Cycle and Monthly Charges section.

Auto-charge

tip

Pangea recommends that you set up Auto-charge for your production environments.

To avoid a negative balance, and potentially a service disruption, it is best to use the auto-charge feature. Pangea recommends that you set up Auto-charge for your production environments. Auto-charge allows you to automatically trigger a deposit from your credit card based on the organization balance reaching a user-defined level. The auto-charge amount is configurable and can be disabled at any time.

Manage Auto-charge

To set up auto-charge:

  1. Click Manage in the Auto-charge section of the Billing page
  2. Enter your credit card information into the Auto-charge dialog. When enabled, Auto-charge will charge the U.S. dollar amount specified in the Amount field, and will execute the auto-charge when the organization balance goes below the dollar amount specified in the When below field.
  3. Once set up, the Auto-charge screen will look something like the image below. The Auto-charge section displays your auto-charge configuration and the payment method you chose to configure auto-charge includes an “Auto-charge” label.

Determine an Auto-charge amount

tip

Pangea recommends a When Below amount equal to or greater than your average daily usage and an auto-charge amount equal to 30 days of usage (i.e. one month).

An easy way to determine auto-charge amounts and When Below thresholds is to review your usage on the Usage Page. You'll be able to see your average daily usage and usage trends, month over month. Pangea recommends a When Below amount equal to or greater than your average daily usage and an auto-charge amount equal to 30 days of usage (i.e. one month). This will ensure you always have enough balance to cover your usage while limiting credit card transactions to approximately 1 per month. Additionally, should something go wrong with your payment method, you'll have a day's worth of balance to cover you while you get it corrected.

For example, if average daily usage = $15, then:

  • Amount 30 x $15 = $450
  • When below = $15

See the image below for reference:

Dialog for Auto-charge

One-Time Payments

To add funds to your balance and make a one-time payment:

  1. Click + Funds in the Balance section of the Billing page
  2. Enter the funding amount and select a credit card to fund from
  3. Click Save. Your balance will be updated immediately.

Add a payment method

To add a payment method:

  1. Click + Payment Method on the Billing page
  2. Enter your credit card details into the Payment information dialog
  3. Once the credit card has been added, it will appear in the Payment method section of the Billing page

Delete a payment method

To delete a payment method:

  • Select the payment method you want to delete and click the remove icon

Delete a payment method

Billing Cycle and Monthly Charges

The billing cycle for all Pangea users, independent of your timezone, will be as follows:

  • Start of billing cycle = 12:00:00AM Pacific Time Zone on the first day of every month
  • End of billing cycle = 11:59:59PM Pacific Time Zone on the last day of every month

The timing of the billing cycle is relevant for:

  • allocation and charges associated with services utilized on a monthly basis (e.g. storage)
  • calculating the negative balance allowance
  • replenishment of complimentary credits

Negative Balances

If your applications are using Pangea services and consume the entire available balance, Pangea will allow a negative balance without a financial penalty. The overage is based on 10% of the current or prior month's API spend, whichever is greater. For example, if last month your organization consumed $100 in service utilization, and the $100 was funded through your organization's credit card, Pangea will permit service utilization up to a balance of -$10 (negative $10). Once the maximum negative allowance has been reached, the Pangea service availability will be suspended.

If your organization's balance is negative:

While any organization is in a negative balance, Pangea will not provide the $5 complimentary credit deposit. Once an organization's balance is restored to positive, the $5 complimentary deposit will resume on the next billing cycle.

tip

To avoid negative balances, Pangea recommends setting up Auto-charge

Pricing details per service

AI Guard

AI Guard has two pricing dimensions:

  • Data scanned (per KiB per request)
  • Additional services used

Each is explained below.

Data scanned

Each AI Guard request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB.

Additional services used in a recipe

  • AI Guard protection is configured through customizable recipes, each applying specific actions to different risks. Risk detection and response actions may rely on separate Pangea services integrated into the recipe.
  • AI Guard requires the Vault service to manage secrets and keys.
  • Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.

These dependencies result in additional credit usage, with costs determined by each service's billing policy.

See pricing details for the following services AI Guard may depend on:

Prompt Guard

Prompt Guard has two pricing dimensions:

  • Data scanned (per KiB per request)
  • Additional services used

Data scanned

Each Prompt Guard request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB.

Additional services used

  • Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.

This dependency results in additional credit usage, with costs determined by the Secure Audit Log billing policy:

Secure Audit Log

Secure Audit Log has four pricing dimensions:

  • Log ingestion
  • Audit history search
  • Data retention (hot, warm, and cold storage)
  • Log export
note

Log ingestion costs are separate from storage costs, but the retention tier determines how long logs are kept and where they're stored:

  • Hot storage - Optimized for performance and free to search
  • Warm storage - Optimized for cost and supports search
  • Cold storage - Archived and retrievable by request only

To configure your retention policy, see the Retention policy documentation.

Log ingestion

  • Billed in 1 MiB increments, starting with the first log ingested (the first byte triggers a charge for 1 MiB - the minimum billable unit)
  • Additional ingestion is tracked cumulatively, with a new charge applied only after the next full MiB is exceeded
  • Applies to events written via the /v1/log, /v2/log, and /v2/log_async API endpoints

For example, any ingestion activity up to 1 MiB in a given month results in a 1 MiB charge. Once total ingestion exceeds 1 MiB, a second 1 MiB charge is applied, and so on.

Explore Secure Audit Log APIs in the API Reference documentation.

  • Hot storage - Free to search
  • Warm storage - Billed per GiB searched, rounded up to the nearest GiB per API call. For example, if a query spans 1.8 GiB of warm storage data, it will be billed as 2 GiB.
  • Cold storage - Not searchable

Data retention

For example, if storage increases from 1.4 GiB to 1.8 GiB on day 15 of a 30-day month, a prorated charge for 16⁄30ths of the additional GiB is billed.

Log export

Export from hot or warm storage

You can export Secure Audit Log data retained in hot or warm storage using the /v1/export API endpoint.

  • Billed per GiB of exported data, rounded up to the nearest GiB, per day retained (in temporary storage)
  • Pricing includes 7 days of temporary storage by default
  • No charges for downloading exported data
  • Export usage is billed as a separate line item
  • A credit check is performed before export to confirm sufficient balance
Export from cold storage

Logs in cold storage cannot be searched directly or exported via Secure Audit Log APIs.

However, you can request a cold storage export as described in the Secure Audit Log documentation.

Pricing for cold storage export is handled on a case-by-case basis and may vary based on the specifics of the request.

Redact

Redact has one pricing dimension:

  • Data scanned (per KiB per request)

Data scanned

Each Redact API request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB per request.

Embargo

Embargo has one pricing dimension:

  • Requests

Requests

Each Embargo API request creates a billing event. There are no additional factors affecting the cost.

File Intel

File Intel has two pricing dimensions:

  • Requests
  • Providers

Request and provider

Each File Intel API request creates a billing event. The cost depends on the provider selected for the request.

See the Providers documentation to learn more about supported service providers.

IP Intel

IP Intel has two pricing dimensions:

  • Requests
  • Providers

Request and provider

Each IP Intel API request creates a billing event. The cost depends on the provider selected. Providers offer different capabilities and are therefore not interchangeable.

IP Intel includes multiple endpoints, each representing a sub-service:

  • Reputation (CrowdStrike and Cymru)
  • Geolocation (Digital Element)
  • VPN (Digital Element)
  • Proxy (Digital Element)
  • Domain (Digital Element)

See the Providers documentation to learn more about supported service providers.

Domain Intel

Domain Intel has two pricing dimensions:

  • Requests
  • Providers

Request and provider

Each Domain Intel API request creates a billing event. The cost depends on the provider selected for the request.

See the Providers documentation to learn more about supported service providers.

URL Intel

URL Intel has two pricing dimensions:

  • Requests
  • Providers

Request and provider

Each URL Intel API request creates a billing event. The cost depends on the provider selected for the request.

See the Providers documentation to learn more about supported service providers.

AuthN

AuthN has three pricing dimensions:

  • Monthly Active Users
  • Additional services used
  • User Flows where threat intel services are applied

Each is explained below.

Monthly Active Users

A Monthly Active User (MAU) is a user who authenticates at least once during a calendar month. If the user exits the flow before completing all authentication steps, they are not counted as a MAU. If a user logs in multiple times in the same month, they are still counted as a single MAU.

Additional services used

  • Within AuthN, you can optionally enable threat intel services in the User Registration and Authentication flows.
  • Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.

These dependencies result in additional credit usage, with costs determined by each service's billing policy.

See pricing details for each integration:

User flows

There are two User Flows within AuthN: User Registration and User Authentication.

In both flows, the enabled threat intel services run sequentially. If a request is blocked by one of the services, the flow exits early and no further services are executed. In that case, billing applies only to the checks completed before the rejection. If the request passes all checks, the flow completes and a billing event is generated for each service used in the flow.

Each user typically completes the User Registration flow once and the User Authentication flow each time they sign in.

Vault

The Vault service has three pricing dimensions:

  • Secret/Key retention
  • Secret/Key operations
  • Additional services used

Each is explained below.

Secret/Key operations

An operation is defined as one of the following endpoint calls:

  • Rotation (automated or manual)
    • /secret/rotate
    • /key/rotate
  • Signing or verifying signatures
    • /sign
    • /verify
    • /jwt/sign
    • /jwt/verify
  • Encryption or decryption
    • /encrypt
    • /decrypt
    • /encrypt_structured
    • /decrypt_structured
    • /encrypt_transform
    • /decrypt_transform
    • /encrypt_transform_structured
    • /decrypt_transform_structured

Each operation - whether performed through the Pangea User Console or via the API - creates a billing event.

Secret/Key retention

To accommodate short-lived key use cases, Pangea tracks the presence of secrets and keys on an hourly basis. An "hour" is defined as any presence within a clock hour (for example, 10:00:00 - 10:59:59).

Billing events are generated twice per hour by the Vault service. At each interval, the system records:

  • The number of secrets/keys created during that half-hour period
  • The number of secrets/keys that exist at the start of a new hour (a billing event is created for that total)

For example, a secret or key created at 10:55:30 and deleted at 11:15:30 will generate one billing event for the 10:00 hour and another for the 11:00 hour - for a total of two events.

Additional services used

  • Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.

This dependency results in additional credit usage, with costs determined by the Secure Audit Log billing policy:

User Intel

User Intel has two pricing dimensions:

  • Requests
  • Providers

Request and provider

Each User Intel API request creates a billing event. The cost depends on the provider selected for the request.

File Scan

File Scan has two pricing dimensions:

  • Requests
  • Providers

Request and provider

Each File Scan API request creates a billing event. The cost is based on the provider selected for the request.

Secure Share

The Secure Share service has three pricing dimensions:

  • Data transferred (per MiB transferred)
  • Data retention (per GiB/month)
  • Additional services used

Each is explained below.

Data transfer and retention

Additional services used

  • Secure Share scans files using the File Scan service before storing them.
  • Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.

These dependencies result in additional credit usage, with costs determined by each service's billing policy.

See pricing details for the following services Secure Share may depend on:

AuthZ

AuthZ has two pricing dimensions:

  • Monthly Active Subjects
  • Additional services used

Monthly Active Subjects

A Monthly Active Subject is any entity - such as a user, device, or service - that has its permissions checked at least once within a calendar month.

Additional services used

  • Enabling the Activity Log feature tracks service activity through integration with the Secure Audit Log service.

This dependency results in additional credit usage, with costs determined by the Secure Audit Log billing policy:

Sanitize

Sanitize has two pricing dimensions:

  • Data scanned (per KiB per request)
  • Additional services used

Each is explained below.

Data scanned

Each Sanitize request creates a billing event. The cost is based on the amount of data processed - rounded up to the nearest KiB - with a minimum of 1 KiB.

Additional services used

Sanitize can be integrated with other Pangea services to extend its functionality.

  • Sanitize requires the File Scan service, either directly or through integration with Secure Share.
  • Enabling the Redact Sensitive Information option uses the Redact service.
  • Sanitize can defang all URLs at no additional cost. However, when defanging is based on risk, it uses the URL Intel and/or Domain Intel services.
  • Sanitize can also process files stored in Secure Share.

Dependencies on other Pangea services result in additional credit usage, with costs determined by each service's billing policy.

See pricing details for the following services Sanitize may depend on:

Edge and Private Cloud

Pangea security services are available in three deployment models , offering flexibility to meet your infrastructure and compliance requirements:

  • Pangea SaaS - A fully hosted solution managed by Pangea, ideal for teams seeking a quick setup with no infrastructure management.
  • Edge - A hybrid model where Pangea's hosted control plane manages configurations, while data processing occurs within your cloud environment (AWS, Azure, or GCP).
  • Private Cloud - A fully self-managed deployment where both the data and control planes run within your infrastructure, enabling maximum control and isolation.

For detailed pricing on Edge and Private Cloud deployments, contact a Pangea representative at https://pangea.cloud/contact-us/ .

Was this article helpful?

Contact us