Security
How {{ site.name }} protects accounts, credentials, and traffic — and how to reach us about a vulnerability.
Transport encryption
Public traffic is served over HTTPS terminated at our reverse proxy. Internal upstream calls run over TLS to the providers. We do not run unencrypted HTTP on any user-facing endpoint.
Authentication
Account passwords and API keys never live in our database in plaintext:
- Passwords are stored as Argon2id hashes with per-user salts.
- API keys are stored as SHA-256 hashes; the plaintext key is shown to you once at creation and never again.
- Refresh tokens rotate on every refresh and are revoked centrally in Redis on sign-out.
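The API-key and refresh-token handling in the list above, sketched as an added example (not this service's own code). The `CredentialStore` class, the `sk-` prefix, and the in-memory dicts standing in for the database and Redis are assumptions of the example, as is hashing refresh tokens before storing them.

```python
import hashlib
import secrets
import time


class CredentialStore:
    """Hypothetical store: dicts stand in for the database table and Redis."""

    def __init__(self, refresh_ttl=3600, clock=time.time):
        self.api_keys = {}  # SHA-256 hex digest -> user id
        self.refresh = {}   # SHA-256 hex digest -> (user id, expiry timestamp)
        self.ttl = refresh_ttl
        self.clock = clock

    @staticmethod
    def _digest(secret):
        # A fast unsalted hash is acceptable here only because the secrets are
        # long random strings; passwords need a slow salted hash such as Argon2id.
        return hashlib.sha256(secret.encode()).hexdigest()

    def create_api_key(self, user_id):
        key = "sk-" + secrets.token_urlsafe(32)
        self.api_keys[self._digest(key)] = user_id
        return key  # plaintext leaves this function once; only the digest is kept

    def verify_api_key(self, presented):
        # Hash the presented key and look the digest up; returns user id or None.
        return self.api_keys.get(self._digest(presented))

    def issue_refresh(self, user_id):
        token = secrets.token_urlsafe(32)
        self.refresh[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def rotate_refresh(self, presented):
        # pop() makes every token single-use: a replayed token finds no entry.
        entry = self.refresh.pop(self._digest(presented), None)
        if entry is None or entry[1] <= self.clock():
            return None
        return self.issue_refresh(entry[0])

    def sign_out(self, user_id):
        # Central revocation: drop every refresh token held for this user.
        self.refresh = {d: e for d, e in self.refresh.items() if e[0] != user_id}
```

Because each rotation consumes the old token, a stolen refresh token stops working as soon as the legitimate client refreshes, and the reverse is also true, which surfaces the theft as a failed refresh.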
Tenant isolation
Every admin endpoint enforces tenant scoping at both the middleware layer and the SQL query layer, so one tenant can never read or modify another tenant's data. Sub-platforms run inside this same isolation model.
Data at rest
Account and billing data lives in PostgreSQL on encrypted disks. Refresh tokens live in Redis with a strict TTL. Logs of relay traffic are purged on a 24-hour rolling window.
Audit logging
Every relay call produces an audit row recording the user, tenant, model, channel, status, and token counts. Administrators see logs for their own tenant tree only.
Upstream providers
Each upstream provider runs its own security program. We pass the minimum required to deliver a request and don't store the prompts or responses beyond what's needed for the 24-hour activity log.
Responsible disclosure
Found something? Please email us privately before disclosing publicly. We don't run a bug-bounty program, but we do credit responsible reporters, and we won't pursue legal action against good-faith research.