Security & data handling

The short version: in the default mode we never store your provider keys, and we never store your prompts or responses. Here's exactly what happens to your data — enough to self-approve without a sales call.

Your provider keys

Local Key Mode (default + recommended): your provider keys arrive as request headers, are used in memory for the single upstream call, and are discarded. They are never written to our database, logs, or any third party.

Key Vault (opt-in): if you'd rather store them with us, they're encrypted with AES-256-GCM; the encryption secret lives only in an environment variable and the keys are never returned to the browser — only a last-4 preview.

Your prompts and responses

We do not log prompt or response content. It's enforced in code, not just policy: the request-log type has no field for content, so it cannot be written.

The only durable data is metadata — model, token counts, latency, cost, cache/route flags — retained for 90 days behind Postgres row-level security, then automatically deleted by a scheduled job.

Caching

Cache hits are served from a short-lived response cache (1-hour default TTL). Cached response bodies are encrypted at rest with a per-account key when an encryption secret is configured. The semantic cache stores a math vector of your prompt — not its text.

You stay in control: send X-SlashSpend-Cache: off to bypass the cache for a request (nothing stored or served), set a custom TTL with X-SlashSpend-Cache-TTL, or flush everything instantly with DELETE /v1/cache.

Debugging (opt-in only)

By default, no content is ever captured. If you explicitly send X-SlashSpend-Debug: true on a request, we store that one request + response for 1 hour, retrievable only by you and encrypted at rest with your account key when an encryption secret is configured — then it auto-expires. Off by default means off.

Transport & subprocessors

All traffic is over TLS. Our subprocessors are:

  • Supabase — authentication + metadata
  • Upstash — response cache + semantic vectors
  • Stripe — billing
  • Resend — transactional email

In Local Key Mode, your provider keys and prompt text are sent to none of them — only to the model provider you chose, on your behalf.

Access & key management

Issue multiple named API keys, rotate any of them independently, and revoke with a grace window so a rotation never causes an outage. Each request carries a X-SlashSpend-Request-Id for traceability.

Your data is portable

Export your config, routing rules, key inventory (previews only), and full usage logs anytime via GET /v1/export (add ?format=csv). Cancel and your base-URL reverts in one line — see the no-lock-in guide.

What we don't have (yet)

We're not SOC 2 certified and we don't offer a BAA today — and we won't pretend otherwise. That's precisely why Local Key Mode is the default: you get the savings without your credentials or content touching our storage at all. If you handle regulated data, keep keys in headers and caching off, and you've given us nothing to lose.

More in the FAQ and docs. Security questions or disclosure: security@slashspend.ai.