Security & Subprocessors
Last updated: 1 March 2026 · Effective: 1 March 2026
1. Infrastructure
- Hosting: CloudSigma cloud infrastructure, EU-based (Bulgaria, Switzerland).
- Database: CloudNativePG (CNPG) PostgreSQL clusters, with TLS for connections in transit and AES-256 encryption at rest.
- API Gateway: Deployed on Kubernetes (K3s), behind TLS-terminating reverse proxies (Caddy).
- Network: All internal service communication is encrypted. Public endpoints are HTTPS-only (TLS 1.2+).
2. Authentication & Access Control
- API keys are hashed with SHA-256 before storage; raw keys are shown only at creation time.
- OAuth tokens for model providers are stored encrypted at rest.
- Portal login uses OAuth 2.0 (Google) with session cookies. Sessions expire after inactivity.
- Admin access is role-based. Defined roles: taas_owner, taas_admin, org_owner, org_admin, user.
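The key-storage scheme in this section (hash the key with SHA-256 before storing it, show the raw key once) relies on the key itself being a high-entropy random secret; an unsalted fast hash is acceptable for that, where it would not be for a user-chosen password. The following is an added illustration of that pattern, not the portal's own code: the in-memory `KEY_STORE`, the `sk_` prefix and the owner labels are constructed for the example, and the real store is the PostgreSQL database in section 1.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Constructed stand-in for the portal's key table: maps the SHA-256 hex digest
# of a key to its metadata. The raw key is never written here.
KEY_STORE: Dict[str, dict] = {}


def hash_key(raw_key: str) -> str:
    """SHA-256 of the raw key, hex-encoded; this is the only form that is stored."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def create_api_key(owner: str, prefix: str = "sk") -> str:
    """Mint a key, store only its digest, and return the raw key exactly once.

    token_urlsafe(32) draws 32 bytes (256 bits) from the OS CSPRNG, so the key
    itself is the unguessable secret; that entropy is what makes a plain
    SHA-256 (no salt, no stretching) sufficient against an offline attack
    on a leaked table.
    """
    raw_key = f"{prefix}_{secrets.token_urlsafe(32)}"
    KEY_STORE[hash_key(raw_key)] = {"owner": owner, "revoked": False}
    return raw_key  # shown to the caller at creation time only


def authenticate(presented_key: str) -> Optional[str]:
    """Return the owner for a valid, unrevoked key, else None.

    The presented key is hashed and the digest looked up. Learning a stored
    digest (e.g. via timing) does not help an attacker, because the server
    only ever hashes what the client presents; the digest is never accepted
    as a credential.
    """
    meta = KEY_STORE.get(hash_key(presented_key))
    if meta is None or meta["revoked"]:
        return None
    return meta["owner"]


def revoke(raw_key: str) -> bool:
    """Mark a key revoked; returns False if the key is unknown."""
    meta = KEY_STORE.get(hash_key(raw_key))
    if meta is None:
        return False
    meta["revoked"] = True
    return True


if __name__ == "__main__":
    key = create_api_key("org_admin:alice")
    print("issued once:", key)
    print("stored digests:", list(KEY_STORE))
    print("auth ok:", authenticate(key))
    revoke(key)
    print("auth after revoke:", authenticate(key))
```

The check a practitioner would add when reviewing such a scheme is the one the docstring states: confirm that keys are machine-generated with at least 128 bits of entropy. If clients could choose their own key strings, SHA-256 alone would be brute-forceable from a leaked table and a slow, salted hash (e.g. Argon2id or bcrypt) would be required instead.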
3. Data Security
- API request content (prompts and completions) is processed in memory and not written to persistent storage.
- Usage metadata (timestamps, token counts, model names) is retained for billing and logged to the portal database.
- Audit logs for administrative actions are append-only: database-level triggers reject updates and deletes, so recorded entries cannot be modified.
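The audit-log guarantee above (immutability enforced by database triggers rather than by application code) can be shown end to end with a small append-only table. This is an added example, not the portal's schema: it uses Python's bundled SQLite so it runs stand-alone, whereas the portal's database is PostgreSQL, where the same effect is a `BEFORE UPDATE OR DELETE` trigger whose PL/pgSQL function does `RAISE EXCEPTION`. The table columns and the sample actor/action strings are constructed for the example.

```python
import sqlite3

# Constructed schema. The two triggers fire BEFORE the statement and abort it,
# so no UPDATE or DELETE ever reaches a row. Postgres equivalent: a trigger
# function that does RAISE EXCEPTION, attached with BEFORE UPDATE OR DELETE.
DDL = """
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,
    target     TEXT NOT NULL,
    created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
CREATE TRIGGER audit_log_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_log_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db() -> sqlite3.Connection:
    """In-memory database with the append-only audit table installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    return conn


def record(conn: sqlite3.Connection, actor: str, action: str, target: str) -> int:
    """Append one audit entry and return its row id. INSERT is the only
    write the application ever needs against this table."""
    cur = conn.execute(
        "INSERT INTO audit_log (actor, action, target) VALUES (?, ?, ?)",
        (actor, action, target),
    )
    conn.commit()
    return cur.lastrowid


def try_tamper(conn: sqlite3.Connection, sql: str, params=()) -> bool:
    """Attempt a write and report whether the trigger rejected it.

    Returns True when the statement was aborted with the append-only message,
    False when the database accepted it (which would mean the guarantee is gone).
    """
    try:
        conn.execute(sql, params)
        conn.commit()
        return False
    except sqlite3.DatabaseError as exc:
        conn.rollback()
        return "append-only" in str(exc)


def row_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


if __name__ == "__main__":
    db = open_audit_db()
    rid = record(db, "taas_admin:alice", "role.grant", "user:bob")
    print("update rejected:", try_tamper(db, "UPDATE audit_log SET actor = 'mallory' WHERE id = ?", (rid,)))
    print("delete rejected:", try_tamper(db, "DELETE FROM audit_log WHERE id = ?", (rid,)))
    print("rows:", row_count(db))
```

Two caveats apply to any trigger-based immutability claim. A trigger only stops roles that cannot drop it: the database role the API gateway connects as must not own the audit table or hold the privilege to alter triggers, otherwise a compromised application credential can remove the guard before writing. And the trigger does nothing for TRUNCATE in Postgres unless a separate `BEFORE TRUNCATE` trigger is defined, so a review of the guarantee should check that statement as well.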
4. Vulnerability Management
- Dependencies are monitored for known CVEs with automated tooling.
- Security patches are applied within 7 days for critical vulnerabilities, 30 days for others.
- To report a vulnerability, contact security@cloudsigma.com. We operate a responsible disclosure programme with a 90-day embargo window.
5. Incident Response
In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware, per GDPR Article 33. Notifications include the nature of the breach, data categories affected, likely consequences, and remediation measures taken.
6. Subprocessors
We engage the following subprocessors who may process your data or API request content:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic PBC | LLM inference (Claude models) | United States |
| DeepInfra Inc. | LLM inference (open models) | United States |
| Groq Inc. | LLM inference (fast inference) | United States |
| MiniMax Inc. | LLM inference (MiniMax models) | China / US |
| DeepSeek | LLM inference (DeepSeek models) | China |
| Z.AI (Zhipu AI) | LLM inference (GLM models) | China |
| SiliconFlow | LLM inference (backup routing) | China |
| OpenRouter | LLM inference (failover routing) | United States |
| Stripe Inc. | Payment processing | United States |
| Google LLC | OAuth login (Google SSO) | United States |
| CloudSigma AG | Infrastructure hosting | Switzerland / Bulgaria |
Last updated: 1 March 2026. We notify customers of material subprocessor changes with at least 14 days' notice.
7. Compliance
- GDPR and UK GDPR: data processing agreements are in place. Hosting and the portal database are EU-based (section 1); API request content may be routed to the inference subprocessors listed in section 6, including those in the United States and China.
- Swiss nDSG (the revised Federal Act on Data Protection) applies, as the service is operated by a Swiss-domiciled controller.