Security & Trust
VectorAxis sits in the path of your LLM traffic, so how we handle that traffic matters. This page describes what we actually do today — what we log and what we don’t, how credentials are protected, who we share data with, and where we stand on compliance. We would rather state our posture plainly, including the gaps, than imply more than is true.
The commitments here are drawn from our Privacy Policy and Terms of Service, which are the binding versions. Where the two differ, the legal documents govern.
What we do — and don’t — do with your prompts
The single most important thing to know: we do not log the content of your prompts or the responses returned. For every request we record operational metadata only — model, token counts, cost, latency, cache status, and retry/fallback details — so the observability and analytics features work. The prompt and completion text themselves are not written to those logs.
The one case where request content is stored is when you explicitly opt into caching on a request. Then the request and response are held in the exact-match or semantic cache (the latter alongside a vector embedding of the request) so a future matching request can be served from it. Cached entries expire on the TTL you set. If you never enable caching, VectorAxis does not persist your prompt or response content at all.
We do not train on, or sell, your data
This is a binding commitment in our Terms of Service, quoted verbatim:
“As between you and VectorAxis, you own your Customer Content. … We do not use Customer Content to train our own models, and we do not sell Customer Content.”
Any aggregated or de-identified statistics we generate (for example, product usage trends) are not used to re-identify individual customers. We also do not embed third-party marketing or advertising trackers in the service.
How credentials are protected
- BYOK provider keys are encrypted at rest with AES-256-GCM. Only a short truncated hint of a key is ever shown back to you; the full value is never returned once stored.
- Platform API keys (
va_*) are stored as a one-way SHA-256 hash, never as plaintext, so even we cannot recover the original key. - Credential values are never written to request logs.
- All traffic is encrypted in transit with TLS — between you and the gateway, and between the gateway and upstream providers.
Security controls in the product
Some of what protects you is a product feature you can turn on. VectorAxis ships 31 guardrail validators, several of which are security controls: PII detection, secret and API-key leak scanning, and prompt-injection and jailbreak detection, applied on both input and output. Virtual keys carry per-key provider allowlists and spend limits, and changes to keys, guardrails and routing configs are recorded in an audit log. See the guardrails documentation for the full list.
Sub-processors
We use a small number of sub-processors to run the service. Customer Content is only shared with them as needed to provide it.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, PostgreSQL / pgvector data stores, and Amazon Cognito for authentication. | United States |
| Stripe | Payment processing for platform-key credit purchases and refunds. We do not store card numbers. | United States |
| LLM providers you connect | When a request is routed to a provider (e.g. OpenAI, Anthropic), the content of that request is sent to and processed by that provider under its own terms — chosen by you, per virtual key. | Per provider |
Our infrastructure currently runs on AWS in the United States. AWS supports multi-region deployment, so we can expand to additional regions as we grow and as customer needs require. In the meantime, if you are outside the United States your data is processed in the US, and any LLM provider you connect processes request content in its own regions — with appropriate safeguards applied to such transfers. The authoritative sub-processor list lives in our Privacy Policy.
Compliance & certifications
We want to be straight about where we are. VectorAxis does not yet hold SOC 2, ISO 27001, or HIPAA attestations. If a formal certification is a hard requirement for your procurement today, we would rather tell you now than after a trial. We have designed our controls — encryption at rest and in transit, least-exposure credential handling, audit logging, and minimal data retention — to align with those frameworks, and we intend to pursue formal certification as we grow.
A Data Processing Agreement (DPA) is available to enterprise customers on request — email [email protected].
Reporting a vulnerability
If you believe you have found a security vulnerability in VectorAxis, please report it using the contact form below and choose “Bug”. We welcome responsible disclosure: give us a reasonable window to investigate and remediate before any public disclosure, and please do not access or modify data that is not yours while testing.
Contact us
Security or compliance questions, a DPA request, or a vulnerability report — this reaches a human. Enterprise teams can also ask us to walk through our controls.