Security

What we do, what we don't, and how to report a vulnerability.

What we do

TLS 1.2+ everywhere. HSTS preload pending domain verification.
AES-256-GCM envelope encryption for BYOK keys at rest.
Postgres SELECT FOR UPDATE row locking on every credit deduction.
Stripe webhook signature verification + idempotency dedup.
Daily reconciliation against Anthropic + OpenAI usage APIs; alerts on drift > 0.5%.

What we don't do

Log your code, prompts, or completions.
Train on your code (zero retention, contractual with providers).
Sell, analyze, or share your usage data with third parties.

Reporting a vulnerability

See our vulnerability disclosure policy.