Security

How Conduix stores secrets, hashes credentials, and protects your data in flight.

Secrets at rest

  • API key plaintext: never stored. Hashed at creation; plaintext shown once.
  • TOTP secrets: AES-256-GCM with a master key from env.
  • Stripe keys, webhook secrets, price IDs: AES-256-GCM in platform_settings.
  • Slack/Teams/Turnstile keys: AES-256-GCM in platform_settings.
  • Recovery codes: bcrypt hash. Plaintext shown once at enrollment.
  • User passwords: bcrypt with 12 rounds.
  • BYO endpoint API keys: AES-256-GCM. Plaintext leaves only on outbound call.

The encryption master key (CONDUIX_SECRETS_KEY) lives in the environment, not the database. Without it, encrypted columns are unrecoverable — a defense-in-depth design that means a database leak alone doesn't leak secrets.

Authentication security

  • JWT (HS256) signed with a 256-bit secret; 30-day TTL. Re-validated against current org membership on every request.
  • API keys are hashed with SHA-256; only a prefix preview is stored for display.
  • TOTP 2FA optional for customers, mandatory for platform operators.
  • Recovery codes are bcrypt-hashed and single-use.
  • Failed-login UX returns a generic invalid_credentials — no enumeration of which accounts exist.

Bot protection

Cloudflare Turnstile gates the public auth surfaces: /login, /signup, /forgot-password, and the admin login. Tokens are verified server-side; failures fail closed.
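A fail-closed server-side check of the kind described above, as an added example (not Conduix's own code). The siteverify URL, the cf-turnstile-response form field and the success / error-codes response fields are Cloudflare's documented interface; the function names, the option object and the injectable fetch (so the check can be exercised without network access) are assumptions.

```javascript
// Added example (not Conduix's own code): server-side verification of a
// Cloudflare Turnstile token that fails closed on every error path. The
// siteverify URL and response fields are Cloudflare's documented interface;
// function names, options and the injectable fetchImpl are assumptions.
const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

// Returns { ok: true } only when Cloudflare affirmatively reports success.
// Bad input, missing secret, network error, timeout, non-2xx status, malformed
// JSON or success !== true all yield { ok: false, reason }.
async function verifyTurnstile(token, remoteIp, { secret, fetchImpl = globalThis.fetch, timeoutMs = 5000 } = {}) {
  if (!secret) return { ok: false, reason: 'missing_secret' }; // misconfiguration must not open the gate
  if (typeof token !== 'string' || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: 'bad_token_format' }; // Cloudflare documents a 2048-char maximum
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  try {
    const res = await fetchImpl(SITEVERIFY_URL, {
      method: 'POST',
      body,
      signal: AbortSignal.timeout(timeoutMs), // a hung verifier is a rejection, not a pass
    });
    if (!res.ok) return { ok: false, reason: `siteverify_http_${res.status}` };
    const data = await res.json();
    if (data.success !== true) {
      return { ok: false, reason: 'challenge_failed', errorCodes: data['error-codes'] || [] };
    }
    return { ok: true, hostname: data.hostname };
  } catch (err) {
    return { ok: false, reason: `siteverify_unreachable:${err.name}` };
  }
}

// Express-style middleware shape (no framework needed for the example): call
// next() only on success; otherwise answer 403 with a generic message and log
// the real reason server-side only.
function turnstileGate(opts) {
  return async (req, res, next) => {
    const token = req.body && req.body['cf-turnstile-response'];
    const result = await verifyTurnstile(token, req.ip, opts);
    if (!result.ok) {
      console.warn('turnstile rejected', { reason: result.reason, ip: req.ip });
      return res.status(403).json({ error: 'challenge_failed' });
    }
    return next();
  };
}
```

The strict `data.success !== true` comparison is the point: a verifier outage, an HTTP 500, or a response body that is not JSON are all treated the same as a failed challenge, so the login and signup forms stay gated when Cloudflare is unreachable rather than silently opening.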

Transport security

  • Production deploys terminate TLS at Cloudflare or your load balancer; the API itself runs on a private network behind it.
  • HSTS, X-Frame-Options, X-Content-Type-Options, CORP, COOP all set via Helmet.
  • Body size limit: 10 MB.
  • Default request timeout: 30 s (120 s for reasoning models).

PII redaction

Toggleable per organization at /dashboard/settings. When enabled, Conduix scrubs the following patterns before logging requests and before sending to the upstream provider:

  • Email addresses
  • US Social Security Numbers
  • Phone numbers (E.164 + US formats)
  • Credit-card numbers (with Luhn check)

Per-key overrides allow tightening (e.g. internal-tools key with redaction off, customer-facing key with it on). See Governance.
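The four redaction classes listed above, applied to a request body before logging or forwarding, together with the org-level toggle and the per-key override described in the preceding paragraph, as an added example (not Conduix's own code). The regular expressions, the [REDACTED_*] placeholders, the redactPii setting name and the sample message are constructed assumptions; Conduix's actual patterns may differ.

```javascript
// Added example (not Conduix's own code): the four redaction classes the page
// lists (email, US SSN, E.164/US phone, Luhn-checked card numbers) applied to
// a request body, with the org-level toggle and per-key override. Regexes,
// placeholder tokens, the redactPii field name and sample data are constructed.

// Order matters: card numbers first, so a 16-digit PAN is never half-eaten by
// the phone or SSN patterns.
const PATTERNS = [
  // Card candidates: 13-19 digits with optional spaces/dashes, then a Luhn check
  // so that order numbers and other long digit runs are left alone.
  { name: 'CARD', re: /\b(?:\d[ -]?){12,18}\d\b/g, keep: (m) => !luhnValid(m.replace(/\D/g, '')) },
  // US SSN: 3-2-4 with separators; area 000, 666 and 9xx, group 00, serial 0000 are never issued.
  { name: 'SSN', re: /\b(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}\b/g },
  // E.164 (+ and 7-15 digits) or US formats: (415) 555-2671, 415-555-2671, 415.555.2671
  { name: 'PHONE', re: /\+[1-9]\d{6,14}|\(\d{3}\)\s?\d{3}[-. ]\d{4}|\b\d{3}[-. ]\d{3}[-. ]\d{4}\b/g },
  { name: 'EMAIL', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g },
];

// Luhn mod-10 check over a string of digits (right to left, doubling every second digit).
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function redactPii(text) {
  let out = text;
  for (const { name, re, keep } of PATTERNS) {
    out = out.replace(re, (m) => (keep && keep(m) ? m : `[REDACTED_${name}]`));
  }
  return out;
}

// Walk a JSON request body (e.g. chat messages) and scrub every string leaf;
// keys and non-string values are left untouched.
function scrubBody(value) {
  if (typeof value === 'string') return redactPii(value);
  if (Array.isArray(value)) return value.map(scrubBody);
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, scrubBody(v)]));
  }
  return value;
}

// The org setting applies unless the key explicitly overrides it (true or false);
// an unset value on both sides means redaction is off.
function redactionEnabled(org, apiKey) {
  return apiKey.redactPii ?? org.redactPii ?? false;
}

// Run once on the inbound body, so both the log line and the upstream call see
// the same scrubbed payload.
function prepareOutbound(org, apiKey, body) {
  return redactionEnabled(org, apiKey) ? scrubBody(body) : body;
}
```

The Luhn step is what keeps the card pattern from firing on every 13-19 digit number: a digit run that fails the checksum is left as-is, while a valid PAN is replaced even when it is spaced or dashed into groups.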

Audit log

Every mutating action (login, key creation, billing, policy change, member changes, platform-settings updates, lead status changes) lands in an append-only audit_logs table with org id, user id, IP, user agent, and request id. View at /dashboard/audit or programmatically via GET /api/audit.

Compliance posture

  • Append-only audit log suitable for SOC 2 Type II evidence.
  • PII redaction at the org level.
  • Data residency at the request level (US / EU / APAC).
  • NET-30 invoice billing mode for enterprise + PO support.
  • Hard-delete of an org wipes the full data graph — supports GDPR right-to-be-forgotten.
  • DPA + sub-processor list on request — email legal@conduix.ai.

Reporting a vulnerability

Email security@conduix.ai with reproducible steps. We commit to acknowledging within 24 hours and a fix or status update within 7 days. Do not disclose publicly until we've confirmed the fix is shipped.