Security & compliance

Audited.
Documented.
Verifiable.

We publish what we do, get audited against recognized standards, and report the things we got wrong. Auditor reports are available under NDA through your account team.

Certifications & attestations
Standard
Status
Scope
Auditor
ISO 27001
Current
All production infrastructure
BSI
ISO 27701
Current
Privacy information management
BSI
HIPAA
Available under BAA
Enterprise deployments
Self-attested
GDPR / PIPL
Compliant
All regions
Outside counsel review

What we commit to,
in writing.

Inference data retention
Zero by default. No training on customer inputs. Logs, when kept for abuse prevention, are retained for 30 days maximum and scrubbed of content.
At-rest encryption
AES-256 on every persisted byte. Keys rotated quarterly. Customer-managed keys available on Enterprise.
In-transit encryption
TLS 1.3 only. HSTS preload. Mutual TLS available for Enterprise API ingress.
Access control
Production access requires hardware key + short-lived credentials + documented ticket. All privileged actions are logged and reviewed.
Availability
99.95% uptime SLA for Enterprise. Multi-region active-active.
Incident response
24/7 on-call, 60-minute acknowledgement SLA for security incidents, written post-mortems published for all sev-1 and sev-2 events.
Responsible disclosure

We publish the ones we got wrong.

Every confirmed security issue is disclosed here with a CVE identifier within 90 days of remediation. Report new vulnerabilities to [email protected]; PGP key on request.

Submit a finding

CVE-2026-1107March 12, 2026
Prompt-injection bypass in tool-use streaming endpoint
MediumPatched
CVE-2025-8923November 4, 2025
Information disclosure via error response in admin API
LowPatched
CVE-2025-6612July 20, 2025
Session-fixation window in OAuth callback
MediumPatched