Trust
Security at KillToken™
KillToken™ sits between your application and your model providers, so we designed the platform around one principle: your keys and your prompts are yours. This page describes our current security posture in plain language — what is implemented today, not aspiration. Report security concerns to support@killtoken.io.
Strict BYOK — no platform keys, ever
Every provider call uses the tenant's own stored credential. There is no platform-owned provider key fallback of any kind — a tenant without a credential gets a clear error, never someone else's key.
AES-256-GCM encrypted credentials
Provider credentials are encrypted at rest with AES-256-GCM. Plaintext is shown exactly once at creation or rotation; afterwards only a non-sensitive preview exists in any response.
Tenant isolation
Keys, credentials, metrics, exports, cache entries, and dashboard views are scoped to the authenticated tenant on every endpoint. Unknown ids return not-found without revealing whether they exist elsewhere.
Hashed API keys
Tenant API keys are stored as SHA-256 hashes with a short preview — never in plaintext. Revocation takes effect immediately. Dashboard passwords are scrypt-hashed with per-user salts.
Hardened dashboard sessions
Dashboard logins use signed, HttpOnly, SameSite cookies served over HTTPS, with login attempts rate limited per IP and email.
Prompt privacy by default
Raw prompt content is not stored by default — analytics run on fingerprints and token metrics. Storing prompt content is an explicit, off-by-default configuration choice for your own debugging.
Infrastructure boundaries
Persistent data lives in managed MongoDB; the exact-response cache and abuse-limit counters live in managed Redis-compatible storage; payments run entirely through Stripe. Each boundary receives only what its function requires: Stripe never sees provider credentials or prompt content, the cache stores provider responses and usage only, and card data never touches KillToken™ servers. Secrets are configured through the hosting environment — never committed to source control, logged, or returned by any endpoint.
Monitoring and readiness
The platform exposes liveness and readiness probes that report dependency health as booleans only — never connection strings, keys, or error internals — and is monitored with uptime checks and deploy/failure alerting. Abuse rate limiting protects login, gateway, and public endpoints.
Compliance roadmap
We are honest about where we are: KillToken™ does not currently hold SOC 2, ISO 27001, or HIPAA certifications, and we have not yet commissioned an independent penetration test. Formal compliance work is on our roadmap as the platform and its customers grow. If your evaluation needs a security review or questionnaire in the meantime, contact support@killtoken.io — Enterprise plans include security review support.