Security

Enterprise security, by default

AISpendOps is built with security at every layer — from encrypted authentication to immutable audit trails.

Secure Authentication

  • Secure encrypted logins with industry-standard protocols
  • Passwords never stored in plain text — strong hashing algorithms only
  • Session expiration with secure session tokens
  • Auth0-powered identity management

Multi-Factor Authentication

  • TOTP-based MFA supported for all accounts
  • Recommended for all users, enforceable at organisation level
  • Compatible with standard authenticator apps

API Key Protection

  • Keys encrypted at rest using HMAC-SHA-256 hashing
  • Never stored in plain text — hashed on creation
  • Decrypted only in memory when required for validation
  • Never exposed in logs, dashboards, or API responses

Data Handling

  • AISpendOps does NOT store prompts or model responses
  • Only usage metadata, cost data, dimensions, and audit logs are retained
  • Customer data is logically isolated with row-level security
  • Data retention configurable per plan

Encryption

  • TLS encryption for all data in transit
  • Encryption at rest for all sensitive data
  • Azure SQL with transparent data encryption
  • Cloudflare edge network for proxy layer

Audit Logging

  • Request-level metadata logging for every API call
  • Access logging for all dashboard and API operations
  • Policy enforcement decisions recorded and exportable
  • API key lifecycle tracking (creation, rotation, revocation)

Deployment Model

  • Fully managed SaaS platform — no self-hosting option
  • Centralised security updates applied automatically
  • Consistent security posture across all customers
  • Reduced operational burden for your security team

Security FAQ

Do you store prompts or model responses?

No. AISpendOps only stores usage metadata, cost data, dimensions, and audit logs. Prompts and responses pass through the proxy and are never persisted.

Are API keys encrypted?

Yes. API keys are hashed using HMAC-SHA-256 on creation and never stored in plain text. The original key is shown once at creation time and cannot be retrieved afterwards.

Do you support MFA?

Yes. TOTP-based multi-factor authentication is supported for all accounts and recommended for all users.

Do you support self-hosting?

No. AISpendOps is a fully managed SaaS platform. This ensures consistent security updates and a uniform security posture for all customers.

Is customer data isolated?

Yes. All customer data is logically isolated using row-level security policies. Each tenant's data is only accessible within their own session context.

Where is data stored?

Data is stored in Azure SQL with transparent data encryption at rest. The proxy layer runs on Cloudflare's global edge network with TLS encryption in transit.
