Security

We treat security as a first-class feature of the gateway, not something we’ll get to later. Here’s what we do — and how to tell us when we get it wrong.

Responsible disclosure

Found a vulnerability? Email security@allroutes.ai with details and, where possible, a reproduction. We will:

  • Acknowledge your report within one business day.
  • Provide a triage decision (severity, expected fix window) within five business days.
  • Credit you in our changelog when the fix ships — unless you ask us not to.
  • Not pursue legal action against good-faith research that avoids data destruction, service disruption, or accessing data that isn’t yours.

Please give us a reasonable window to fix the issue before publishing — typically 90 days, sooner for low-impact issues.

What we do, in plain terms

  • Encryption at rest: all sensitive credentials (BYOK provider keys, OAuth tokens, webhook secrets) are encrypted with AES-256-GCM using a key held in the host environment, never in the database.
  • Encryption in transit: all public endpoints terminate TLS 1.2 or higher; the gateway itself rejects anything below 1.2.
  • Password hashing: bcrypt with cost factor 12. We do not store plaintext passwords, nor do we ever email them.
  • API key + token hashing: raw tokens are shown once at creation and never again; the database only ever holds a SHA-256 hash, so a database leak cannot replay your keys.
  • Webhook signatures: outbound webhooks carry an HMAC-SHA256 signature; verification on receipt is constant-time.
  • SSRF guard on BYOK: bring-your-own-key endpoints are validated against a private-network blocklist (RFC 1918, loopback, link-local, AWS / GCP / Azure metadata IPs) before any outbound request fires.
  • Rate limits: unauthenticated POST routes (login, register, password reset, waitlist) are rate-limited per IP to blunt credential-stuffing and enumeration.
  • Zero data retention (ZDR): Team tier and above can opt into ZDR mode, which disables prompt/response metadata logging end-to-end.
  • CSP + frame-ancestors: the dashboard ships a strict Content Security Policy and refuses to be framed, blocking common clickjacking vectors.

More detail

For how we collect and retain data, see the Privacy Policy. Enterprise buyers can request a security questionnaire, our DPA, and a sub-processor list from sales@allroutes.ai.