Security & Trust
Practical, verifiable security. We document what we do, why we do it, and how customers can verify it — without leaning on unverified certification claims.
How we protect your data
Six controls that run on every request and every account.
Encryption in transit
Every API call uses TLS 1.3 with modern cipher suites. Connections that fail to negotiate a secure handshake are rejected at the edge.
Encryption at rest
Stored data is encrypted using AES-256. Backups and snapshots inherit the same encryption posture as the primary store.
API key hashing
API keys are stored as SHA-256 hashes. The raw key is shown once on creation and never written to disk. Lookups are hash-compare only.
Access controls
Role-based access scopes per organization. Keys can be restricted to specific providers, modalities, or budget caps. Revocation is immediate.
Rate limiting
Per-organization rate limits on requests-per-minute, concurrent requests, and per-request cost. Thresholds are enforced before any provider call.
Audit logging
Every administrative action — key creation, revocation, preference changes — is logged with actor, timestamp, and IP context.
Architecture
A simple view of the request path and the controls that surround it.
          Customer
             │
             │ TLS 1.3
             ▼
┌───────────────────────────────┐
│  Edge (Cloudflare)            │
│  • WAF, DDoS, bot protection  │
│  • TLS termination            │
└────────────┬──────────────────┘
             │
             ▼
┌───────────────────────────────┐
│  Routing API                  │
│  • API key (SHA-256 lookup)   │
│  • Rate limit (RPM, cost)     │
│  • Per-org access scopes      │
│  • Request audit log          │
└────────────┬──────────────────┘
             │
             ▼
┌───────────────────────────────┐
│  Provider call                │
│  • TLS 1.3 to provider        │
│  • Request metadata only      │
│  • No prompt/response stored  │
└────────────┬──────────────────┘
             │
             ▼
     Encrypted response
 (AES-256 at rest for logs)
Privacy commitments
Plain statements about how we handle customer data.
No training on your data
Prompts, responses, and uploaded media are never used to train, fine-tune, or evaluate any model.
No prompt or response logging by default
Request content is not persisted. Only metadata (model, provider, tokens, latency, cost) is retained for billing and observability.
Data deletion on request
Email privacy@greatrouterai.com to request deletion of any account data. Confirmed-deletion requests are completed within 30 days.
GDPR-aware data handling
Data Processing Agreement available on request. We honor access, portability, and erasure requests from EU and UK subjects.
Regional data residency
EU and US data residency is available on enterprise plans. Billing metadata is stored in the region you select at signup.
Vendor and subprocessors
We maintain a public subprocessor list and notify customers at least 30 days before adding new subprocessors that handle customer data.
Compliance posture
We do not claim certifications we have not completed. Below is what we actually do — verifiable on request.
Least-privilege access
Production access is gated by SSO, hardware-key MFA, and per-incident just-in-time elevation. Access is reviewed quarterly.
Vulnerability management
Continuous dependency scanning, weekly internal security reviews, and an outside pen-test at least annually.
Incident response
Documented runbooks, on-call rotation, and customer notification within 72 hours of any confirmed breach affecting customer data.
Secure development lifecycle
Code review requirements, mandatory threat models for new endpoints, and automated security checks on every PR.
Backups and recovery
Encrypted daily backups with quarterly restore drills. Recovery objectives documented in our enterprise DPA.
Employee training
Annual security training, phishing simulations, and documented onboarding for everyone with production access.
Active compliance work and audit reports are available to enterprise customers under NDA. Contact security@greatrouterai.com.
Report a vulnerability
Coordinated disclosure
We respond to vulnerability reports within one business day and work with reporters on disclosure timelines. Reports can include reproduction steps, impact analysis, and any suggested mitigations.
- Email: security@greatrouterai.com
- PGP key: available on request
- Response target: 1 business day
- Status updates: every 3 business days until resolution