Security Overview
As an AI API gateway, SOFTIX sits between your application and upstream model providers. We are responsible for protecting your API credentials, routing requests securely, and ensuring that inference content passes through without being retained. Our security model is designed around the principle of least privilege and defense in depth.
Technical Safeguards
AES-256-GCM Encryption
All upstream provider API keys are encrypted at rest using AES-256-GCM with per-key initialization vectors. Keys are decrypted only in memory at request time.
HMAC-SHA256 Key Hashing
User API keys are never stored in plain text. We store HMAC-SHA256 hashes and verify incoming keys against these hashes without ever retaining the raw secret.
Zero Content Logging
We never log, store, or retain prompt or response content. Only billing and operational metadata (token counts, model, latency, status) is persisted.
Immutable Audit Ledger
Administrative actions — key creation, configuration changes, emergency controls — are recorded in an append-only audit ledger for accountability.
TLS 1.3 in Transit
All API traffic and dashboard sessions are encrypted in transit using TLS 1.3. We enforce HTTPS and reject unencrypted connections.
Role-Based Access Control
Dashboard and admin surfaces enforce session-based authentication with role separation. Admin operations require elevated credentials.
Rate Limiting & Abuse Prevention
Redis-backed sliding-window rate limiters protect against abuse. Per-key and per-user limits prevent runaway usage and credential stuffing.
Secure Key Lifecycle
API keys are displayed once at creation. Provider keys support rotation without service interruption. Revoked keys are immediately invalidated.
Authentication
The public API uses Bearer token authentication with HMAC-hashed API keys. Dashboard access uses NextAuth session tokens with secure, HTTP-only cookies and cross-domain Bearer header support for API calls from the web application.
Admin operations require a separate admin session with additional access controls. Emergency controls (global kill switches, provider disabling) are logged in the immutable audit ledger.
Data Handling
What we store: Account information, billing records, usage metadata (token counts, model name, timestamps, latency), API key hashes, and encrypted provider keys.
What we never store: Prompt content, model response content, or any inference payload beyond what is required for real-time request forwarding.
For complete details on data collection and your rights, see our Privacy Policy.
Infrastructure
The Service runs on hardened cloud infrastructure with network isolation, encrypted database connections, and automated security patching. Database credentials and encryption keys are managed through environment-based secret injection — never committed to source control.
Incident Response
We maintain an incident response process for security events. In the event of a confirmed breach affecting user data, we will notify affected users within 72 hours via email and publish a summary on our Status page.
To report a security vulnerability, email support@softix.in with the subject line "Security Report". We appreciate responsible disclosure and will acknowledge reports within 48 hours.
Compliance
We design our practices to align with GDPR principles for data minimization, purpose limitation, and user rights. We do not process payment card data directly — Stripe handles PCI-compliant payment processing.
Your Responsibilities
Security is a shared responsibility. We recommend:
- Store API keys in environment variables or secret managers — never in client-side code
- Rotate API keys periodically and immediately if exposure is suspected
- Monitor usage dashboards for anomalous activity
- Enable debug logging only temporarily for troubleshooting
- Keep your account email secure and enable strong passwords