Security
Last updated: May 2026
Responsible Disclosure
If you discover a security vulnerability in the KeySense AI API, dashboard, or infrastructure, please report it to us immediately at security@keysense.tech. We ask that you give us reasonable time to investigate and fix the issue before public disclosure.
We treat all security reports seriously and will acknowledge your report within 48 hours. We do not pursue legal action against researchers acting in good faith.
Infrastructure Security
- API runs on Cloudflare Workers — isolated V8 execution context per request, no shared memory between users.
- Database hosted on Supabase (PostgreSQL) with row-level security — users can only access their own data.
- All data in transit encrypted with TLS 1.2 or higher.
- All data at rest encrypted by the storage provider (AES-256).
- API keys are stored as hashed values (bcrypt) — we cannot recover a lost key.
Data Handling
Input text submitted to the API is processed in-memory and never stored. The correction engine is stateless — no request content is written to disk or logs. Usage metadata (request count, timestamp, plan) is retained for 30 days for billing purposes.
When the AI fallback is invoked (opt-in only), text is sent to Anthropic under a Data Processing Agreement that prohibits training on your data. Enterprise customers can disable this entirely.
API Key Security
- API keys use the format ks_live_... for production.
- Keys are shown only once at creation — store them securely (environment variables, secrets manager).
- Never embed API keys in client-side code, public repositories, or mobile apps.
- Rotate compromised keys immediately from the dashboard. Notify us at security@keysense.tech.
Contact
Security issues: security@keysense.tech
General support: support@keysense.tech
