Security at Auriko

How Auriko protects your data, credentials, and inference traffic.

No Model Training on Your Data

Auriko does not use your prompts, responses, or any customer data to train AI models. This commitment is binding under our Terms of Service (Section 6.2). We use your data solely to fulfill your inference requests and never retain it for any other purpose.

Read our Terms of Service

Zero Data Retention

Auriko operates as a streaming proxy. Prompts and model responses pass through our network and are never written to disk or stored in any database. Usage metadata such as token counts, latency, and model identifiers is retained for billing and analytics, but the content of your requests and responses is never persisted.

Data Encryption

All data in transit is protected with TLS on every connection. Bring Your Own Key (BYOK) credentials are encrypted at rest using authenticated encryption (XSalsa20-Poly1305) with per-workspace key derivation, ensuring that provider API keys cannot be read even by Auriko infrastructure.

Data Residency

Auriko infrastructure is hosted in the United States. Core services run on Supabase (via AWS), Railway, and Vercel, all in US regions. Cloudflare provides edge routing and DDoS protection across its global network. For a full list of infrastructure providers and their locations, see our sub-processor list.

View sub-processors

Compliance

Auriko processes data in accordance with GDPR requirements. Our privacy policy documents lawful bases for processing, data subject rights, sub-processor obligations, and international transfer safeguards. We offer a Data Processing Agreement (DPA) on request for business customers processing personal data under GDPR, CCPA, or similar regulations.

Request a DPA

Access Control

Every workspace enforces role-based access control with three roles: Owner, Admin, and Member. Workspace isolation is enforced at the database level through row-level security policies. API keys are scoped to individual workspaces and cannot access resources outside their boundary.

Multi-factor Authentication

Auriko supports multi-factor authentication via time-based one-time passwords (TOTP). Compatible with authenticator apps such as Google Authenticator and Authy. We recommend enabling MFA for all accounts, especially those with Owner or Admin roles.

API Security

Passthrough fields in API requests are inspected and sanitized to prevent credential injection — blocking API keys, tokens, and authorization headers from being forwarded to providers. Authentication endpoints enforce brute-force protection, temporarily blocking requests after repeated failed attempts.

Incident Response

In the event of a confirmed security incident, we notify affected customers within 72 hours with details on scope, impact, and remediation steps. We maintain a public status page for real-time updates on platform availability and incident history.

status.auriko.ai

Responsible Disclosure

If you discover a security vulnerability, please report it to security@auriko.ai. We ask that you allow reasonable time to address the issue before any public disclosure. We do not pursue legal action against researchers acting in good faith.

security@auriko.ai

Security & Procurement

We welcome security questionnaires and procurement reviews. Contact security@auriko.ai for security assessments, privacy@auriko.ai for DPA requests, or visit our sub-processor list for infrastructure details.

Contact us