Security at Auriko
How Auriko protects your data, credentials, and inference traffic.
Data Encryption
All data at rest is encrypted with AES-256. Data in transit is protected with TLS on every connection. Bring Your Own Key (BYOK) credentials are encrypted using XSalsa20-Poly1305 with per-workspace key derivation, ensuring that provider API keys cannot be read even by Auriko infrastructure.
Zero Data Retention
Auriko operates as a streaming proxy. Prompts and model responses pass through our network and are never written to disk or stored in any database. Usage metadata such as token counts, latency, and model identifiers is retained for billing and analytics, but the content of your requests and responses is never persisted.
Access Control
Every workspace enforces role-based access control with three roles: Owner, Admin, and Member. Workspace isolation is enforced at the database level through row-level security policies. API keys are scoped to individual workspaces and cannot access resources outside their boundary.
Multi-factor Authentication
Auriko supports multi-factor authentication via time-based one-time passwords (TOTP) and is compatible with authenticator apps such as Google Authenticator and Authy. We recommend enabling MFA for all accounts, especially those with Owner or Admin roles.
API Security
Passthrough fields in API requests are inspected and sanitized to prevent credential injection — blocking API keys, tokens, and authorization headers from being forwarded to providers. Authentication endpoints enforce brute-force protection, temporarily blocking requests after repeated failed attempts.
Incident Response
In the event of a confirmed security incident, affected customers will be notified within 72 hours with details on scope, impact, and remediation steps. We maintain a public status page for real-time updates on platform availability and incident history.
Responsible Disclosure
If you discover a security vulnerability, please report it to security@auriko.ai. We ask that you allow reasonable time to address the issue before any public disclosure. We do not pursue legal action against researchers acting in good faith.