| Control | Detail |
| --- | --- |
| In transit | TLS 1.3 on every request, HSTS on all subdomains. |
| At rest | AES-256-GCM on every stored key, log, and file. Customer-managed keys on Enterprise. |
| Secret scanning | Automated leak detection on every new API key; one-click rotation. |
| No training | We never train models on your prompts or completions. Every request carries a non-retention flag by default. |
| Request bodies | Retained 30 days on Pro, 7 days on free tier, configurable on Enterprise. Opt out entirely from dashboard settings. |
| Metadata | Aggregate counters (token, cost, latency) kept for billing and analytics; drop any field on Enterprise. |
| PII redaction | Enterprise guardrails strip detected PII before the request leaves us and before responses reach you. |
| API keys | Scoped per environment, revocable instantly, zero downtime on rotation. |
| Sub-accounts | Nested keys per end user with their own spend caps and analytics — fits marketplaces and multi-tenant apps. |
| SSO (Enterprise) | SAML + OIDC with SCIM provisioning. Enforce MFA at the IdP. |
| Audit log | Every key create, revoke, login, guardrail block, and admin action. Exports to your SIEM on Enterprise. |
| SOC 2 | Type I attested, Type II in progress for 2026 Q3. |
| GDPR | DPA on request. EU data residency available on Enterprise. |
| HIPAA | BAA available on Enterprise with PHI-compatible providers only. |
| ISO 27001 | Planned for 2027 Q1. |
Responsible disclosure is rewarded with public credit and a bug bounty (tiered by severity). We acknowledge reports within 24 hours and aim to patch critical issues within 72 hours.
For the security questionnaire, SOC 2 report, sub-processor list, pen-test summary, and DPA, email enterprise@aigateway.sh and we will send the packet within one business day.