NeuroAPI

Security & data

What we do (and don't do) with your prompts, completions, API keys, and metadata.

NeuroAPI is built so prompts and completions transit through the system, are billed, and are not retained. The only data we keep is what we need to authenticate, meter, and debug - and even that excludes the content of your prompts.

What we don't store

  • Prompt text. Not persisted in our database. Not written to durable logs. Not kept after the response is delivered.
  • message_history content. Same as prompts.
  • Completion text. Streamed or returned, then forgotten.
  • Training corpora. Your traffic is not used to train any model on our side, and is not shared with any party other than the model provider serving the request.

What we do store

Scope         Fields
Per call      request_id, timestamp, API-key prefix (neuro_<8 chars>), HTTP status, cost_units, mode, request and response byte counts
Per account   account email, hashed password, Stripe customer / subscription ids, monthly usage counters, list of API-key prefixes

The API-key prefix is the public identifier (e.g. neuro_a1b2c3d4) - never the full secret. The full secret is shown once at creation, hashed-and-encrypted at rest, and unrecoverable afterwards.

Where prompts go

Prompts and completions are processed by a mix of two backends:

  • Leading model providers - Anthropic, OpenAI, and DeepSeek - under their respective enterprise data-handling terms, which exclude API traffic from training corpora at the time of writing.
  • Open-source models and our own customized fine-tunes, hosted on Neurobro infrastructure. Traffic served by these models stays entirely within Neurobro and is not shared with any third party.

The mix is selected per request based on the chosen mode. If your compliance posture requires excluding a specific third-party provider or pinning your traffic to in-house models only, email [email protected] and we will scope your account accordingly.

Logging policy

  • Application logs record the API-key prefix only; full secrets are never written. The same rule applies to error reports forwarded to our error-tracking pipeline (payloads are scrubbed before send).
  • The X-Request-Id header on every response is the safe correlation id to share with support - it does not encode any account or key material.
  • Operational logs are kept for the minimum window needed to debug and meter usage.

API-key handling

  • At rest. Keys are stored as a peppered hash of the secret plus a versioned encrypted ciphertext copy. Plaintext exists in memory only at creation time and is discarded after it's shown to the user.
  • On the wire. TLS 1.2+ is enforced at the edge.
  • Rotation. Mint a new key, deploy alongside, switch traffic, then revoke the old one - see the Authentication guide. Revoked keys return 401 on the next request; there is no grace period.
  • Misuse protection. Repeated failed-auth attempts from the same source are rate-limited (20 / minute) to throttle credential guessing.
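The Logging policy and API-key handling sections above describe four mechanisms: a public key prefix, a peppered hash at rest, log scrubbing that never writes the full secret, and a per-source throttle on failed authentication. The following is an added, stand-alone example of how those fit together, written for this page and not taken from NeuroAPI's own code. Assumptions: keys are `neuro_` followed by 32 hex characters (the page fixes only the `neuro_` prefix and the 8-character public prefix), the pepper is a constructed constant, throttled requests get a 429, and the versioned encrypted copy of the secret is not modelled.

```python
import hashlib
import hmac
import re
import secrets
from collections import defaultdict, deque

# Constructed pepper for this example. In a real deployment it lives in a
# secret store, separate from the database that holds the hashes.
PEPPER = b"example-pepper-not-stored-with-the-hashes"

PREFIX_LEN = len("neuro_") + 8  # public identifier: neuro_<8 chars>


def mint_key() -> str:
    """Create a fresh secret. Only the 'neuro_' prefix and the 8-char public
    prefix come from the page; the 32 hex chars after it are an assumption."""
    return "neuro_" + secrets.token_hex(16)


def key_prefix(key: str) -> str:
    """The public identifier that may appear in logs, support tickets and UI."""
    return key[:PREFIX_LEN]


def hash_secret(key: str) -> str:
    """Peppered hash: HMAC-SHA256 keyed with the server-side pepper, so a
    database dump alone is not enough to verify guessed keys offline."""
    return hmac.new(PEPPER, key.encode(), hashlib.sha256).hexdigest()


class KeyStore:
    """Stores only the prefix and the peppered hash, never the plaintext.
    (The versioned encrypted copy the page mentions is not modelled here.)"""

    def __init__(self) -> None:
        self._by_prefix: dict[str, dict] = {}

    def create(self) -> str:
        key = mint_key()
        self._by_prefix[key_prefix(key)] = {"hash": hash_secret(key), "revoked": False}
        return key  # shown once to the caller, then only the hash remains

    def revoke(self, prefix: str) -> None:
        self._by_prefix[prefix]["revoked"] = True  # no grace period

    def authenticate(self, presented: str) -> bool:
        record = self._by_prefix.get(key_prefix(presented))
        if record is None or record["revoked"]:
            return False
        return hmac.compare_digest(record["hash"], hash_secret(presented))


# Anything that looks like a full key is cut down to its public prefix before
# it reaches a log line or an error report. A bare 8-char prefix is left alone.
_FULL_KEY = re.compile(r"neuro_([0-9a-f]{8})[0-9a-f]+")


def scrub(text: str) -> str:
    return _FULL_KEY.sub(r"neuro_\1", text)


class FailedAuthLimiter:
    """Sliding window of failed attempts per source: 20 per minute (the page's
    figure). Successful requests are not counted."""

    def __init__(self, limit: int = 20, window: float = 60.0) -> None:
        self.limit, self.window = limit, window
        self._fails: dict[str, deque] = defaultdict(deque)

    def allow(self, source: str, now: float) -> bool:
        q = self._fails[source]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop failures that have aged out of the window
        return len(q) < self.limit

    def record_failure(self, source: str, now: float) -> None:
        self._fails[source].append(now)


def handle_request(store: KeyStore, limiter: FailedAuthLimiter,
                   source: str, presented: str, now: float) -> tuple[int, str]:
    """Returns (HTTP status, scrubbed log line). 401 for bad or revoked keys is
    from the page; 429 for throttled sources is an assumed choice."""
    if not limiter.allow(source, now):
        return 429, scrub(f"auth throttled source={source} key={presented}")
    if store.authenticate(presented):
        return 200, scrub(f"auth ok key={presented}")
    limiter.record_failure(source, now)
    return 401, scrub(f"auth failed source={source} key={presented}")


if __name__ == "__main__":
    store, limiter = KeyStore(), FailedAuthLimiter()
    old = store.create()
    print(handle_request(store, limiter, "203.0.113.7", old, 0.0))
    # Rotation as described above: mint the replacement, both keys work,
    # then revoke the old one, which returns 401 on its next request.
    new = store.create()
    store.revoke(key_prefix(old))
    print(handle_request(store, limiter, "203.0.113.7", old, 1.0))  # 401
    print(handle_request(store, limiter, "203.0.113.7", new, 2.0))  # 200
```

The `__main__` section walks the rotation sequence from the list above. Two design points worth noting: the lookup is by prefix and the comparison uses `hmac.compare_digest`, so a wrong key costs one hash and a constant-time compare rather than a scan; and `scrub` is applied to every log line unconditionally, so a future code path that interpolates a key cannot leak it by accident.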

Encryption

We use industry-standard encryption everywhere data is stored or transmitted.

Layer                  Mechanism
In transit             TLS 1.2+ on every external connection
At rest, account data  Encrypted at rest
At rest, API keys      Authenticated symmetric encryption (AES-128-CBC + HMAC-SHA256) with a versioned envelope key

Data retention

Data                                                         Retention
Prompts, completions, message_history                        Not retained
Operational logs (request_id, status, prefix, byte counts)   Minimum needed to debug + meter
Billing / usage records                                      Retained for tax and accounting requirements
Account record                                               Until you delete the account, then purged on next batch

Compliance & data-subject requests

  • GDPR. Data-subject requests (access, deletion, export) go to [email protected].
  • DPA. A Data Processing Addendum is available on request to the same address.
  • Certifications. We follow SOC2-aligned operational practices internally; formal certification status is published here when finalised.

Reporting a vulnerability

Email [email protected] with a subject prefixed vulnerability:. We acknowledge within one business day. There is no public bounty programme today; we credit reporters in the changelog when a fix ships, with their permission.
