Security at Costbase

Enterprise-grade security with a privacy-first architecture. Your API keys are encrypted so even we can't read them—only you control access.

Encrypted Key Storage

Your API keys are encrypted with AES-256 before storage. We can't read them—only you can view or delete your keys.

Enterprise SSO

SAML 2.0 and OIDC support for seamless integration with Okta, Azure AD, OneLogin, and more.

PII/PHI Detection

Guardrails detect and block sensitive data before it reaches LLM providers.

Data Protection

Encryption

In Transit: All data transmission uses TLS 1.2+ encryption

At Rest: AES-256 encryption for all stored data

Key Management

Your LLM provider API keys are encrypted using AES-256 before storage. Keys are decrypted only at runtime for request routing. Even our team cannot access your plaintext keys—only you can view or delete them from your dashboard.

BYOK Architecture

Our Bring Your Own Keys model means you maintain direct billing relationships with LLM providers. We act as a routing layer—you can revoke access at any time by deleting or rotating your keys. We never resell or mark up LLM services.

What We See

Data Transparency Notice

As an LLM gateway, all prompts and responses pass through Costbase for routing, caching, and analytics. We believe in full transparency about what data we process and store.

Request Flow

When you send a request through Costbase, it flows through our gateway to your configured LLM provider. This means we temporarily process the full request and response content to enable our features.

What We Store

Always Stored (Metadata)

  • Request timestamp and duration
  • Model name and provider
  • Token counts (input/output)
  • Estimated cost
  • Cache hit/miss status
  • HTTP status code
  • Project and API key identifier (not the key itself)

Configurable (Content)

Prompt and completion content storage is configurable per project:

  • Full: Complete prompts and responses stored for debugging
  • Trimmed: First 100 characters only
  • Masked: Content hashed, not readable
  • None: No content stored (metadata only)
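
The four content modes above, applied to one constructed request, as an added example that is not Costbase's code. The field names, the `stored_content`, `build_record` and `leaks` helpers, and the use of a keyed HMAC-SHA256 for "Masked" are assumptions, since the page does not say how content is hashed; the check shows which modes leave a sensitive value readable in the stored record.

```python
import hashlib
import hmac

TRIM_LEN = 100  # "Trimmed: First 100 characters only"
# Metadata the page lists as always stored; the field names are assumed.
METADATA_FIELDS = ("timestamp", "duration_ms", "model", "provider",
                   "input_tokens", "output_tokens", "estimated_cost",
                   "cache_hit", "http_status", "project", "api_key_id")

def stored_content(text, mode, project_secret):
    """Return what a log record would keep for `text` under each mode."""
    if mode == "full":
        return text
    if mode == "trimmed":
        return text[:TRIM_LEN]
    if mode == "masked":
        # Assumption: a keyed HMAC-SHA256 rather than a bare hash, so short or
        # predictable prompts cannot be recovered by hashing guesses.
        return hmac.new(project_secret, text.encode("utf-8"),
                        hashlib.sha256).hexdigest()
    if mode == "none":
        return None
    raise ValueError(f"unknown log mode: {mode!r}")

def build_record(meta, prompt, completion, mode, project_secret):
    """Metadata is always kept; content fields depend on the project mode."""
    record = {name: meta[name] for name in METADATA_FIELDS}
    record["prompt"] = stored_content(prompt, mode, project_secret)
    record["completion"] = stored_content(completion, mode, project_secret)
    return record

def leaks(record, needle):
    """True if `needle` is readable in any stored content field."""
    return any(needle in (record[f] or "") for f in ("prompt", "completion"))

# Constructed sample request: the e-mail address sits in the first 100 chars.
SAMPLE_META = dict(timestamp="2024-01-01T00:00:00Z", duration_ms=420,
                   model="example-model", provider="example-provider",
                   input_tokens=31, output_tokens=12, estimated_cost=0.0004,
                   cache_hit=False, http_status=200, project="demo",
                   api_key_id="key_placeholder")
SAMPLE_PROMPT = ("Summarise the visit notes for jane.doe@example.com. "
                 + "Notes: " + "lorem ipsum " * 20)
SAMPLE_SECRET = b"constructed-per-project-secret"

if __name__ == "__main__":
    for mode in ("full", "trimmed", "masked", "none"):
        rec = build_record(SAMPLE_META, SAMPLE_PROMPT, "ok", mode, SAMPLE_SECRET)
        print(f"{mode:8} e-mail readable: {leaks(rec, 'jane.doe@example.com')}")
```
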

You Control

  • Log visibility level per project in Console Settings
  • Cache TTL (time-to-live) for cached responses
  • Request/response retention period
  • PII/PHI detection and blocking rules

What We Never Do

Never train on your data: Your prompts and responses are never used to train models

Never sell your data: We don't sell, share, or monetize your content in any way

Never access without purpose: Content is only accessed for routing, caching, and the features you enable

Never retain indefinitely: Logs are automatically purged based on your retention settings

Access Control

SSO / OIDC / SAML

Enterprise single sign-on with support for SAML 2.0 and OpenID Connect. Integrate with Okta, Azure AD, OneLogin, or any compliant identity provider.

Multi-Factor Authentication

TOTP-based MFA available for all accounts. Backup codes provided for account recovery.

Role-Based Access Control

Granular permissions for team members. Scope API keys to specific projects. Admin, member, and viewer roles available.

Session Management

Short-lived JWT tokens (5-minute expiry) for service-to-service communication. Automatic session expiration and revocation capabilities.

Infrastructure Security

Cloud Providers

Our infrastructure runs on enterprise-grade cloud platforms with ISO 27001 certifications. Application hosting on Railway and Vercel, with data stored in encrypted databases.

Network Security

  • Network isolation and firewall rules
  • Rate limiting to prevent DoS attacks
  • Automated monitoring and alerting
  • Regular security updates and patches

Secrets Management

No hardcoded credentials. All secrets managed through secure environment variables. Pre-commit hooks prevent accidental secret exposure. Dependency scanning for known vulnerabilities.

Security Features

PII/PHI Detection

Available on all plans, our guardrail system automatically detects potential personally identifiable information (PII) and protected health information (PHI) in requests before they reach LLM providers. Configure to block, warn, or log detections.

Tenant Isolation

Complete data isolation between organizations. Each tenant's data, cache, and configurations are strictly separated. No cross-tenant data access possible.

Audit Logging

Comprehensive audit logs for all security-relevant events including authentication attempts, API key usage, configuration changes, and rate limit violations. Export logs for reporting and auditing.

Budget Alerts & Anomaly Detection

Set budget limits with webhook notifications. Detect unusual usage patterns that may indicate compromised credentials or abuse. Automatic request blocking when limits are exceeded.

Security Features

Current Status

Enterprise SSO — SAML 2.0 / OIDC available
BYOK Model — You control your LLM provider keys
Security-First Architecture — Encryption at rest and in transit
Data Processing Agreement — Available on request

Available Documents

We can provide the following documents upon request:

  • Data Processing Agreement (DPA)
  • Security Whitepaper
  • Penetration Test Summary (when available)
  • Security Questionnaire Responses

Security Questions?

For security-related inquiries, document requests, or to report a vulnerability: