Security & Privacy#

WatchLLM is designed with security-first principles to protect your data, API keys, and AI interactions.

Security Architecture#

Data Flow Security#

Every request through WatchLLM follows a secure pipeline:

TLS Encryption — All traffic is encrypted in transit via TLS 1.3
API Key Validation — Keys are validated against hashed records in the database
Rate Limiting — IP-based and key-based limits prevent abuse
Input Sanitization — All inputs are validated and sanitized before processing
Secure Logging — Sensitive data is redacted from logs

Infrastructure Security#

Layer	Protection
Edge (Cloudflare)	DDoS protection, WAF, bot management
Application	Input validation, CSRF protection, CSP headers
Database (Supabase)	Row Level Security, encrypted at rest (AES-256)
Cache (Redis)	TLS connections, token-based auth, data expiration

API Key Security#

Key Format & Types#

Key Type	Prefix	Use Case
Project Key	`lgw_proj_`	Production API access
Test Key	`lgw_test_`	Sandbox testing

Key Management Best Practices#

Never expose keys in client-side code — use server-side proxies
Rotate keys regularly — generate new keys in the dashboard
Use environment variables — never hardcode keys in source code
Scope access — create separate keys for each environment
Monitor usage — review key activity in the dashboard

BYOK (Bring Your Own Key) Security#

When using BYOK mode:

Provider API keys are encrypted at rest using AES-256
Keys are never logged or exposed in response headers
Keys are project-scoped — each project has its own encrypted key store
Zero-knowledge architecture — WatchLLM operators cannot access your provider keys

Data Privacy#

What We Store#

Data Type	Stored	Encrypted	Retention
API request metadata	Yes	Yes	Plan-based (7-90 days)
Prompt content (cached)	Yes	Yes	Cache TTL (configurable)
Response content (cached)	Yes	Yes	Cache TTL (configurable)
Provider API keys (BYOK)	Yes	AES-256	Until deleted
User account info	Yes	Yes	Until account deletion
IP addresses	Hashed only	SHA-256	24 hours

What We Don't Store#

Raw provider API keys in logs
Payment card details (handled by Stripe)
Personally identifiable information beyond account basics
Request content after cache expiration

WatchLLM is designed with GDPR compliance in mind:

Data Subject Rights#

Right to Access — Export your data from the dashboard
Right to Deletion — Delete your account and all associated data
Right to Portability — Download usage logs in standard formats
Right to Rectification — Update your account information anytime

Data Processing#

We process data only for the purposes of providing the caching service
No data is sold to third parties
Data retention follows your plan limits
You can request complete data deletion at any time

International Transfers#

Data is processed on Cloudflare's global edge network
Database is hosted on Supabase's infrastructure
All transfers comply with standard contractual clauses

Rate Limiting & Abuse Prevention#

IP-Based Protection#

120 requests/minute per IP address
30 requests/10 seconds burst limit
IPs are hashed (SHA-256) for privacy — raw IPs are never stored
After 5 rate limit violations in 5 minutes, the IP is temporarily blocked for 5 minutes

API Key-Based Limits#

Rate limits scale with your plan:

Plan	Requests/Minute	Monthly Quota
Free	10 rpm	50,000
Starter	50 rpm	250,000
Pro	200 rpm	1,000,000

Vulnerability Disclosure#

If you discover a security vulnerability, please report it responsibly:

Email: kiwi092020@gmail.com
Subject: [SECURITY] Brief description
Please do not open public GitHub issues for security vulnerabilities
We aim to respond within 48 hours
We will coordinate disclosure timelines with you

Compliance & Certifications#

SOC 2 Type II — In progress
GDPR — Compliant
CCPA — Compliant
HIPAA — Available for Enterprise plans (contact us)

Security Updates#

We regularly update dependencies and infrastructure to address vulnerabilities. Subscribe to our Changelog for security-related updates.

Security & Privacy