Security

Enterprise-grade security and compliance for AI applications

Security Overview

End-to-End Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256-GCM

Zero Data Retention

We don't store your prompts or completions unless explicitly enabled for debugging

Infrastructure Security

Hosted on SOC 2 compliant infrastructure with 24/7 monitoring and DDoS protection

Access Controls

Role-based access control, SSO support, and comprehensive audit logging

Compliance & Certifications

SOC 2 Type II (Certified)

Annual third-party audits verify our security controls, availability, processing integrity, confidentiality, and privacy.

GDPR Compliant

Full compliance with EU data protection regulations, including data portability and right to deletion.

HIPAA Ready (BAA available)

Business Associate Agreements (BAA) available for healthcare applications handling PHI.

PCI DSS (Level 1)

Level 1 compliance for secure payment processing and credit card data handling.

API Key Security

Follow these best practices to keep your API keys secure:

Never expose keys in client-side code

```javascript
// ❌ Bad: API key exposed in browser. Anyone can read it from the page source
// or the network tab and use it as you.
const response = await fetch('https://api.parrotrouter.com/v1/chat/completions', {
  headers: {
    'Authorization': 'Bearer sk-live-xxxx' // Never do this!
  }
})
```

```javascript
// ✅ Good: Call your backend API. The backend holds the key and forwards the request.
const response = await fetch('/api/chat', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ message })
})
```

Use environment variables

```bash
# .env.local (Next.js)
PARROTROUTER_API_KEY=sk-live-xxxx

# Never commit .env files to version control
echo ".env*" >> .gitignore
```
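The two practices above meet in the backend route that `/api/chat` points at. The following is an added example, not ParrotRouter's own code: a minimal server-side handler that reads `PARROTROUTER_API_KEY` from the environment, validates the browser's request, and forwards it upstream without ever returning the key or the raw upstream response to the client. The upstream request/response shape (`messages`, `choices[0].message.content`), the message length limit and the injectable `fetchImpl` are assumptions for illustration.

```javascript
// Added example (not ParrotRouter's code): server-side proxy for POST /api/chat.
// Assumed: the upstream endpoint and Bearer scheme shown in the snippets above;
// `fetchImpl` is injected so the handler can be exercised offline.
const UPSTREAM = 'https://api.parrotrouter.com/v1/chat/completions';
const MAX_MESSAGE_CHARS = 4000; // assumed limit, bounds abuse of the proxy

// Validate the browser's request body before anything reaches the upstream.
function parseChatBody(rawBody) {
  let body;
  try { body = JSON.parse(rawBody); } catch { return { error: 'invalid JSON' }; }
  if (typeof body?.message !== 'string' || body.message.trim() === '') {
    return { error: 'message must be a non-empty string' };
  }
  if (body.message.length > MAX_MESSAGE_CHARS) return { error: 'message too long' };
  return { message: body.message };
}

// Handle POST /api/chat. Returns { status, body } so it can be unit-tested
// without an HTTP server. The key is read from the environment only here,
// never from the request and never written into the response.
async function handleChat(rawBody, env = process.env, fetchImpl = fetch) {
  const apiKey = env.PARROTROUTER_API_KEY;
  if (!apiKey) return { status: 500, body: { error: 'server misconfigured' } };
  const parsed = parseChatBody(rawBody);
  if (parsed.error) return { status: 400, body: { error: parsed.error } };

  const upstream = await fetchImpl(UPSTREAM, {
    method: 'POST',
    headers: { 'Authorization': `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
    // Assumed upstream request shape (OpenAI-style chat messages).
    body: JSON.stringify({ messages: [{ role: 'user', content: parsed.message }] }),
  });
  if (!upstream.ok) {
    // Do not relay the upstream error body: it may echo request details.
    return { status: 502, body: { error: 'upstream request failed' } };
  }
  const data = await upstream.json();
  // Return only the completion text; upstream headers and the key stay server-side.
  return { status: 200, body: { reply: data?.choices?.[0]?.message?.content ?? '' } };
}
```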

Implement key rotation

Regularly rotate your API keys and revoke unused ones. Set up monitoring for key usage patterns.

Use IP whitelisting

Restrict API key usage to specific IP addresses or CIDR ranges for production environments.

Data Privacy

Data Handling Practices

  • No training on customer data - your data is never used to improve models
  • Automatic data purging after 30 days (configurable to immediate deletion)
  • Data residency options for EU, US, and APAC regions
  • Full data export and deletion capabilities via API

Security Features

Rate Limiting

Automatic rate limiting and DDoS protection on all endpoints

Request Validation

Input sanitization and validation to prevent injection attacks

Audit Logging

Comprehensive logs of all API access with 1-year retention

Webhook Security

HMAC signatures on all webhook payloads for verification

Incident Response

Security Incident Procedures

1. Detection & Analysis: 24/7 monitoring with automated alerts for suspicious activity
2. Containment: Immediate isolation of affected systems and API key revocation
3. Communication: Customer notification within 72 hours per compliance requirements
4. Recovery: System restoration and security hardening based on findings

Contact Security Team

For security concerns, vulnerability reports, or compliance questions:

Email: security@parrotrouter.com

PGP Key: Available at parrotrouter.com/.well-known/security.txt

Bug Bounty: Report vulnerabilities through our HackerOne program