Security

Your provider keys (Anthropic, OpenAI, Google, Mistral, DeepSeek, etc.) are encrypted at rest with AES-256-GCM, via per-workspace HKDF-SHA256 key derivation. Every crypto op includes additional authenticated data (AAD) binding the ciphertext to a workspace_id:provider pair, making ciphertext reuse across tenants impossible even with raw DB access.

The master encryption key (HIWAY_MASTER_KEY) is never stored in the database, never logged, and is injected into the container via env var. An off-site backup of the master key is maintained off-VPS.

Bottom line: a raw dump of our Postgres database does not let an attacker decrypt a single BYOK key.

Each workspace is isolated via:

• Row-Level Security on critical Postgres tables (workspace_members, api_keys, workspace_api_keys, invoices).
• Per-workspace crypto derivation (HKDF seeded with workspace_id) for the BYOK vault.
• HiWay API keys (hw_live_) stored only as SHA-256 hashes; the plaintext is shown once at creation.
• Immutable admin audit log of every admin action (impersonation, suspension, revocation) with reason, IP, user-agent, retained 5 years.

Prompts routed through HiWay2LLM are not logged on our servers. Our analytics pipeline (ClickHouse) only records metadata: request_id, timestamp, chosen provider, chosen model, token counts (input/output), cost estimate, latency, HTTP status. The message content never lands on disk.

The only case where content is stored on our side is if the Customer explicitly enables the Semantic Cache (Scale+ plans): cached prompts are hashed and stored vectorially in Qdrant with encryption in transit + at rest. Optional PII masking (regex on emails, phones, card numbers, IBANs, API keys) can be enabled so even the cache never sees real identifiers.

Customers can purge their cache at any time via dashboard or API.

HiWay2LLM runs on a dedicated VPS hosted at OVH (France), fully under our control. Current controls:

• UFW firewall — only 22 (SSH), 80 (HTTPS redirect), 443 (HTTPS) are exposed.
• SSH — public-key only, root disabled, fail2ban active.
• Unattended-upgrades enabled for OS security patches.
• HTTPS headers — HSTS 1y with preload, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin, locked Permissions-Policy.
• Docker containers — all backend services listen on 127.0.0.1 only (no direct network exposure).
• Daily backups — Postgres (encrypted dump 03:00 UTC, 30-day retention), Redis (daily snapshot, 14-day retention), .env secrets versioned off-site.

Accounts are protected by:

• bcrypt + salt for passwords (never SHA or MD5).
• TOTP 2FA optional for all users, mandatory for admins. Per-user AES-GCM encrypted secret. QR code for enrollment (Authy, 1Password, Google Authenticator, Bitwarden compatible).
• 10 backup codes generated at enrollment, hashed in DB, single-use.
• HS256 JWT tokens with expiry, revocation via JTI + Redis.
• Enumeration protection: after 10 failed hw_live_ attempts from one IP in 2 min, that IP is blocked for 1 hour.

Multiple layers are active by default:

• Guardian Anti-Loop — 5 in-memory rules (duplicate detection, cost spike, context bloat, zombie agent, rate-limit), < 0.5 ms per request. Per-workspace editable.
• Budget Control — monthly cap on estimated BYOK upstream cost, verdicts BLOCK / DOWNGRADE / LIGHT_ONLY. Keeps a compromised key from burning your provider bill.
• Burn-rate alerting — auto email at 50 / 80 / 95 % of plan quota.
• Rate limits — per-workspace (plan-based) and per HiWay key (configurable).
• Admin audit log — every admin action is logged with mandatory reason, 5-year retention.

GDPR — Mytm-Group SAS is data controller for account data (email, subscription, billing) and data processor for content in routed prompts. 100% France (EU) hosting. No transfer of account data outside the EU. Routed requests may be sent to third-party LLM providers (Anthropic US, OpenAI US, etc.); each provider's terms are listed in our Privacy Policy.

Data Processing Agreement (DPA) — available on request for Business and Enterprise plans. Email legal@hiway2llm.com.

SOC 2 Type II — audit kicked off Q2 2026 with Drata, full report expected Q4 2026. We share a bridge letter on request for enterprise prospects that need it.

No HIPAA or BAA — the service is not intended for protected health information.

We maintain a security incident and disclosure process:

• Report — send your finding to security@hiway2llm.com. We acknowledge within 2 business days.
• Triage — severity rating (P0 critical / P1 high / P2 medium / P3 low) within 3 business days.
• Fix — P0 in 24h, P1 in 7 days, P2 in 30 days, P3 best-effort.
• Disclosure — for incidents affecting Customer data, direct email notification within 72 hours (GDPR art. 33 compliant) with scope, affected volume, actions taken, recommendations.
• Bug bounty — no formal program yet. Good-faith researchers get public credit (with consent) and, for P0/P1 findings, a discretionary bounty.

In scope: HiWay2LLM code, VPS infra, dashboard, API. Out of scope: third-party provider vulnerabilities (Anthropic, OpenAI, etc.), social engineering, volumetric DoS, physical exploits.