Trust

Security at Neural Router

Neural Router runs production inference for teams that can't compromise on security. This page describes the controls that protect your data, keys, and traffic.

Overview

Security is built into the platform, not bolted on. Every request is authenticated, every workspace is isolated, prompt content is minimized and optionally never stored, and policies are enforced server-side so they can't be bypassed per request. The sections below detail our controls; to report an issue, see Vulnerability disclosure.

Compliance

We maintain an independent compliance program and can provide reports under NDA.

SOC 2 Type II
ISO 27001
GDPR
HIPAA-ready

Customers can sign a Data Processing Addendum (DPA), and zero-retention and residency controls support regulated workloads.

Encryption

  • In transit — TLS 1.2+ for all API and dashboard traffic, with HSTS enforced.
  • At rest — AES-256 for stored data and backups.
  • Secrets — provider credentials and BYOK keys are encrypted with a managed KMS and isolated per workspace.

Access control

Access to production is least-privilege, role-based, and gated behind SSO with mandatory multi-factor authentication. Within the product, organizations get role-based access control (owner, admin, member), SSO enforcement, and granular API key scoping. Administrative access is logged to the immutable audit trail.

API key handling

API keys are generated with high entropy and shown only once at creation. We store a one-way reference plus the last four characters for display — never the full secret. Revoking a key takes effect immediately. Bring-your-own-provider keys are encrypted at rest and only the last four characters are ever surfaced in the UI.

Data handling

We minimize what we hold. Routing operates on metadata; prompt and completion content is transient by default and, with zero-retention enabled, is never written to disk. Workspaces can pin inference to a jurisdiction and attach a per-request region audit. We do not use customer prompts or completions to train models. See the Privacy Policy for full detail.

Infrastructure

The platform runs on hardened, audited cloud infrastructure across multiple regions with network isolation, automated patching, and infrastructure-as-code change control. Workspaces are logically isolated, and provider failover keeps traffic flowing if an upstream degrades.

Monitoring & response

We continuously monitor availability and security signals, run health probes against provider endpoints, and auto-suspend providers that breach SLA. We maintain a documented incident response plan and notify affected customers without undue delay, consistent with our contractual and legal obligations.

Vulnerability disclosure

We welcome reports from security researchers. If you believe you've found a vulnerability, email security@neuralrouter.ai with steps to reproduce. Please give us reasonable time to remediate before public disclosure and avoid accessing or modifying data that isn't yours. We do not pursue legal action against good-faith research that follows this policy.