Zero Trust Architecture

Built Secure,
By Default

Security isn't a feature we layer on top — it's the foundation everything is built on. End-to-end encryption, zero data retention, and continuous monitoring on every single request.

Zero Data Retention
TLS 1.3 Encrypted
Isolated Tenants
SOC 2 In Progress
Report VulnerabilityContact Us
request_lifecycle.ts
1
TLS 1.3 handshake
edge → client
2
API key validated
bcrypt check
3
Memory-only processing
never on disk
4
Response re-encrypted
AES-256-GCM
5
Context destroyed
0ms retention
secure
aichixia.xyz

Security Pillars

Six foundational layers protecting every API call, every time.

TLS 1.3 · AES-256

End-to-End Encryption

All transit uses TLS 1.3. At rest, AES-256 across every storage layer — no exceptions.

0 ms retention

Zero Data Retention

Prompts and responses are never persisted. Every request is ephemeral — held in memory, then gone.

RBAC · IP allowlist

Access Control

Granular API key scoping, IP allowlisting, and per-key rate limits. Only authorized traffic passes.

Per-tenant VPC

Network Isolation

Each tenant runs in a separate VPC. Cross-tenant data leakage is architecturally impossible.

< 5 min SLA

Continuous Monitoring

24/7 automated threat detection with anomaly alerting and a sub-5-minute incident response SLA.

SAST · DAST

Secure Development

Every commit goes through peer review, SAST, DAST, and dependency scanning before reaching production.

Request Lifecycle

What Happens to Your Data

Every API request follows this exact path. Nothing persists. Nothing leaks.

01

Request

  • TLS 1.3 handshake at edge
  • API key validated & hash-checked
  • IP allowlist + rate limit enforced
02

Processing

  • Routed to isolated tenant env
  • Payload held in memory only
  • Model inference — never touches disk
03

Response

  • Response re-encrypted in transit
  • Metadata-only audit log written
  • Ephemeral context immediately destroyed
Compliance

Regulatory Standards

SOC 2 Type II
In progress
GDPR
Compliant
ISO 27001
Aligned
CCPA
Compliant

Responsible Disclosure

Found a vulnerability? Report it to security@aichixia.xyz. We respond within 48h and never pursue action against good-faith researchers.

Infrastructure

CIS-hardened enterprise cloud with multi-region failover, audited regularly by independent third parties.

Best Practices

Developer Security Guide

Five things every developer integrating Aichixia should do from day one.

01
Never expose keys client-side
Keys live only in server environments. Use env vars — hardcoding is a critical vulnerability.
02
Rotate keys every 90 days
Generate fresh keys on a 90-day cycle. Revoke the old key the moment the new one is active.
03
Enable IP allowlisting
Lock your key to known server IPs. Stolen keys become useless without a matching IP.
04
Monitor usage anomalies
Alert on sudden token spikes or unusual request patterns — early signs of compromise.
05
Sanitize all user inputs
Validate every prompt built from user input to prevent injection and jailbreak attempts.
FAQ

Common Questions

Answers to the most frequently asked security questions.

Never. We have a strict zero data retention policy. The only data logged is anonymous metadata — timestamp, model ID, token count — for billing and rate limiting. Actual content is never written to any persistent storage.

Keys are hashed with bcrypt before storage. The plaintext key is shown exactly once at creation. You can set expiry dates, scope keys to specific models, and restrict them by IP allowlist from your dashboard.

No. Requests are forwarded to upstream providers under strict Data Processing Agreements that explicitly prohibit using customer data for training. We only partner with providers offering zero-training guarantees.

We maintain a documented incident response playbook with sub-5-minute automated alerting. Affected users are notified within 72 hours of a confirmed breach, in full compliance with GDPR Article 33.

Enterprise customers can request our latest third-party pentest summary under NDA. Email contact@aichixia.xyz with the subject 'Security Report Request' and we'll respond within one business day.