Assisters API
Security

Security Overview

How we protect your data and applications

Security Overview

TL;DR

TLS 1.3 encryption in transit, AES-256 at rest. SOC 2 Type II compliant. No training on customer data. API keys support domain restrictions. Built-in content moderation. 99.9% uptime SLA for enterprise.

Security is a top priority at Assisters. We implement industry-standard practices to protect your data and ensure reliable API access.

Infrastructure Security

Encryption in Transit

All API traffic uses TLS 1.3 encryption

Encryption at Rest

Data encrypted with AES-256

DDoS Protection

Automatic mitigation via Cloudflare

SOC 2 Compliant

Annual third-party audits

API Security

Authentication

All requests require Bearer token authentication:

curl https://api.assisters.dev/v1/chat/completions \
  -H "Authorization: Bearer ask_your_api_key"

API keys:

  • Prefixed with ask_ for easy identification
  • Hashed using SHA-256 before storage
  • Can be restricted to specific domains
  • Instantly revocable

Rate Limiting

Protect against abuse with tiered rate limits:

TierRequests/MinuteTokens/Minute
Free10100,000
Developer1001,000,000
Startup5005,000,000

Request Validation

All inputs are validated:

  • JSON schema validation
  • Maximum input sizes enforced
  • Malformed requests rejected with clear errors

Data Privacy

What We Store

Data TypeRetentionPurpose
API requests30 daysDebugging, abuse detection
Usage metrics90 daysBilling, analytics
Account dataAccount lifetimeService delivery
Payment infoHandled by StripeBilling

What We Don't Do

  • ❌ We don't train on your data
  • ❌ We don't sell your data
  • ❌ We don't share data with third parties (except as required by law)
  • ❌ We don't store API responses permanently

Data Processing

graph LR
    A[Your Request] -->|TLS 1.3| B[API Gateway]
    B --> C[Validation]
    C --> D[Model Inference]
    D --> E[Response]
    E -->|TLS 1.3| F[Your App]

    C -->|Logged| G[30-day Retention]

Content Safety

Built-in Protections

  1. Input Moderation: Optional content filtering on user inputs
  2. Output Validation: Responses can be moderated before delivery
  3. Prompt Injection Detection: Blocks common attack patterns

Content Moderation

Learn how to implement content moderation

Prompt Injection

Protect against prompt injection attacks

Compliance

Certifications

  • SOC 2 Type II: Annual audit
  • GDPR: EU data protection compliance
  • CCPA: California consumer privacy compliance

Data Residency

API requests are processed in:

  • Primary: US-East (AWS us-east-1)
  • Failover: US-West (AWS us-west-2)

Enterprise customers can request specific data residency requirements.

Security Best Practices

API Key Management

Never hardcode keys in source code

export ASSISTERS_API_KEY="ask_..."

Create new keys and revoke old ones periodically

For client-side usage, set allowed domains

{
  "allowed_domains": ["example.com", "*.example.com"]
}

Different keys for dev, staging, and production

Secure Integration

import os
from openai import OpenAI

# Good: Use environment variables
client = OpenAI(
    api_key=os.environ["ASSISTERS_API_KEY"],
    base_url="https://api.assisters.dev/v1"
)

# Bad: Hardcoded key
client = OpenAI(api_key="ask_abc123...")  # Never do this!

Backend Proxy

For web applications, route requests through your backend:

// Client-side: Call your backend, not the API directly
const response = await fetch('/api/chat', {
  method: 'POST',
  body: JSON.stringify({ message: userInput })
});

// Server-side: Your backend calls Assisters
app.post('/api/chat', async (req, res) => {
  const response = await client.chat.completions.create({...});
  res.json(response);
});

Incident Response

Reporting Security Issues

If you discover a security vulnerability:

  1. Email: [email protected]
  2. Do not disclose publicly before we've addressed it
  3. We'll acknowledge within 24 hours
  4. Critical issues receive priority attention

Status & Incidents

Monitor service status at status.assisters.dev:

  • Real-time status
  • Incident history
  • Scheduled maintenance
  • Email notifications

Enterprise Security

Additional features for Enterprise customers:

FeatureDescription
SSOSAML-based single sign-on
Custom Data RetentionConfigure retention periods
Dedicated InstancesIsolated infrastructure
Audit LogsDetailed access logs
IP AllowlistingRestrict API access by IP
BAABusiness Associate Agreement (HIPAA)

Contact Enterprise Sales

Learn about enterprise security features

Security Checklist

Use environment variables for API keys
Enable domain restrictions for client-side keys
Implement content moderation for user inputs
Route browser requests through a backend proxy
Monitor usage for anomalies
Rotate API keys regularly
Review our security updates in the changelog

Wallet & Top-Up

Manage your account balance for pay-as-you-go usage

Prompt Injection Protection

Defend against prompt injection and jailbreak attacks

On this page

Security OverviewInfrastructure SecurityAPI SecurityAuthenticationRate LimitingRequest ValidationData PrivacyWhat We StoreWhat We Don't DoData ProcessingContent SafetyBuilt-in ProtectionsComplianceCertificationsData ResidencySecurity Best PracticesAPI Key ManagementSecure IntegrationBackend ProxyIncident ResponseReporting Security IssuesStatus & IncidentsEnterprise SecuritySecurity Checklist