Security

SemanticGuard is built with enterprise security requirements in mind. Your data stays on your infrastructure, and every access is audited.

Authentication & Access

Multi-factor authentication (TOTP)

All users can enable 2FA via authenticator apps. Admins can require MFA for all team members.

Passkeys / WebAuthn

Phishing-resistant passwordless authentication using hardware security keys or biometrics.

Single Sign-On (SSO)

OIDC-based SSO with Google Workspace, Azure AD, Okta, and Auth0.

Role-based access control

Three roles (admin, member, viewer) with hierarchical permissions enforced on every API route.

Session management

JWT sessions with configurable expiry. Admins can revoke all sessions for any user. Role changes force re-authentication.

Data Protection

Encryption in transit

All traffic is encrypted with TLS 1.2 or later. HSTS is enforced with preload.

Encryption at rest

Database (Neon Postgres) encrypts all data at rest. Vercel integration tokens are AES-256 encrypted before storage.

PII redaction

API keys, passwords, emails, phone numbers, and SSNs are automatically redacted from trace logs before storage. Enabled by default.

Prompt storage control

Tenant-configurable: store prompts for debugging, or disable for privacy. When disabled, only cost and cache metadata are logged.

Data retention

Configurable trace retention (1-365 days). Automatic deletion of expired logs.

Data export

Full data export via API for GDPR/CCPA compliance.

Account deletion

Complete account and data deletion via API with audit trail.

Infrastructure

Your infrastructure

SemanticGuard proxy deploys to your own Vercel account. Your databases, your cache, your data. Nothing leaves your infrastructure.

API key pass-through

Upstream API keys (OpenAI, Anthropic, Google) are passed through at request time and never stored in plaintext. Only a one-way hash is retained.

Fail-open design

If the cache layer is unavailable, requests go directly to your LLM provider. Zero downtime risk from cache failures.

IP allowlisting

Restrict API key usage to specific IP addresses or CIDR ranges.

SSRF protection

Proxy blocks requests to private IPs, metadata endpoints, and localhost.

Monitoring & Audit

Audit logging

All admin actions (key creation, settings changes, role changes, logins) are recorded with timestamps, user IDs, and IP addresses.

Request tracing

Optional per-request logging with model, cost, cache status, and latency. Configurable per tenant.

Correctness validation

Continuous automated validation of cached responses using the tenant's own AI. Failures are flagged to admins.

CSRF protection

State-changing API requests require an x-requested-with header. OAuth flows use CSRF state tokens.

SOC2 Type II

In progress

We have built the technical controls SOC2 Type II requires across the Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). We are preparing for a formal audit; we are not yet certified.

If your procurement process requires a SOC2 report, security questionnaire, or DPA, contact our team and we will share our current control documentation and audit timeline.
