Trust
The page to send to your security reviewer: what TokSuan sees, what we store, how provider keys are protected, and where the current reliability boundary is.
Short version
TokSuan proxies model requests on your behalf. You bring the provider key. We store request metadata in a per-project ledger so you can audit spend, route turns to safer/cheaper models, and stop runaway agent loops before upstream billing.
BYO provider keys
You keep the OpenAI / Anthropic / DeepSeek provider relationship and bill. TokSuan does not resell tokens or take a spend spread.
KMS envelope encryption
Hosted BYO keys are AES-256-GCM encrypted with per-row DEKs wrapped by AWS or GCP KMS. Master keys never leave KMS.
Request body controls
Gateway deployments can store full bodies, sampled bodies, or compact stubs. Hosted defaults to a limited rolling window with deletion paths.
Self-host escape hatch
If hosted reliability, procurement, or data residency is a blocker, run the same Apache-2.0 code on your own infrastructure.
Live deployment posture
from gateway /health · cached 30s

| Control | Status | Why security cares |
|---|---|---|
| BYO key encryption | env-master-key | KMS-backed hosted deployments avoid raw provider keys at rest. |
| Request body storage | sample | Controls whether prompts are retained fully, sampled, or stubbed. |
| Quality embedding | not configured | Enables semantic comparison for shadow A/B quality proof. |
| Internal replay | not configured | Replay endpoint stays disabled unless the shared secret is set. |
| OpenTelemetry export | not configured | Shows whether traces leave the deployment for an external backend. |
| Baseline policy | 5 bucket(s) | Explains whether automatic route-down policy is active. |
For the full operator-facing integration list, open Settings → System integrations.
What data moves where
| Data | Where it goes | Why |
|---|---|---|
| Prompt and response body | Your chosen upstream provider; TokSuan request ledger | Forward the request, compute cost, debug failures, prove savings |
| TokSuan API key | TokSuan database as SHA-256 hash | Authenticate gateway requests without storing plaintext |
| BYO provider key | KMS-encrypted database row; decrypted on the gateway hot path | Call upstream using your own provider account |
| Billing metadata | Stripe + local subscription mirror | Plan enforcement, upgrades, cancellation, receipts |
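
For reviewers who want to see what "per-row DEKs wrapped by KMS" and the "BYO provider key" row above imply for data at rest, here is an added sketch of the envelope pattern. It is not TokSuan's code. Assumptions: the KMS master key is simulated by a local random key so the example runs offline, the row id is bound as GCM associated data, and the names `encryptRow`, `decryptRow`, `wrappedDek` and `sealedKey` are hypothetical.

```javascript
const crypto = require('node:crypto');

// ASSUMPTION: local stand-in for the KMS master key so the example runs offline.
// In a real deployment this key stays inside AWS/GCP KMS and wrap/unwrap are KMS calls.
const kmsMasterKey = crypto.randomBytes(32);

// AES-256-GCM seal: output layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Throws if the key, AAD, tag or ciphertext differ from what was sealed.
function open(key, sealed, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Fresh DEK per row; only the wrapped DEK and the sealed provider key are stored.
function encryptRow(rowId, providerKey) {
  const dek = crypto.randomBytes(32);
  const aad = Buffer.from(rowId); // ASSUMPTION: row id bound as associated data
  const row = {
    id: rowId,
    wrappedDek: seal(kmsMasterKey, dek, aad),
    sealedKey: seal(dek, Buffer.from(providerKey), aad),
  };
  dek.fill(0); // drop the plaintext DEK as soon as the row is built
  return row;
}

// Hot path: unwrap the DEK, decrypt the provider key, wipe the DEK.
function decryptRow(row) {
  const aad = Buffer.from(row.id);
  const dek = open(kmsMasterKey, row.wrappedDek, aad);
  try {
    return open(dek, row.sealedKey, aad).toString();
  } finally {
    dek.fill(0);
  }
}
```

Because the row id is authenticated, copying one project's ciphertext into another row fails at decrypt time, and a database dump alone yields no usable provider key.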
Current reliability boundary
TokSuan does not offer a formal hosted SLA yet. We are explicit about that because a false 99.9% promise would be worse than an honest boundary. If reliability is a procurement blocker today, self-host the same code under your own SLO.