Skip to content
OpenKey

Security & data handling

This page states what happens to your keys and your data, plainly. Where we haven’t earned a certification yet, we say so instead of implying it.

Your prompts and completions

  • We do not train on your data, and we do not permit upstream providers we route to to train on it where the provider offers that control; each model page notes the provider’s data policy.
  • Retention: request and response bodies are not stored by default. Metadata needed for billing (token counts, model id, timestamps, cost) is retained. Optional logging for your own debugging is opt-in, per key, and deletable.
  • Prompts are never used for marketing, analytics, or “product improvement”.

Your keys

  • API keys are stored hashed; the plaintext is shown once at creation and never again.
  • Keys are scoped and independently revocable. Revocation takes effect within seconds.
  • Provider keys you bring (BYOK) are encrypted at rest and used only to route your own requests.

Infrastructure

  • TLS 1.2+ everywhere; no plaintext transport, internal or external.
  • Payment processing is handled by our payment provider; card numbers never touch our servers.
  • Access to production systems is limited, logged, and reviewed.

Certifications

SOC 2 Type II is on our roadmap and this page will link the report when we have it. We will not display a badge before that day.

Report a vulnerability: security@openkey.ai. We acknowledge within 24 hours and won’t take legal action against good-faith research.