
Security

Your agent's memories are sensitive data. We treat them that way. Here's how 0Latency protects your data at every layer.

🔒 Tenant Isolation Verified

Every API request is scoped to your tenant via Row-Level Security (RLS) policies on all 13+ database tables. Cross-tenant data access is architecturally impossible — verified by automated SQL injection testing.

  • RLS policies on every table
  • Parameterized SQL everywhere — zero f-string queries
  • Tenant context set via SET LOCAL per request
  • Cross-tenant read tests return empty results

🛡️ Automatic Secret Detection

Every memory submitted to 0Latency is automatically scanned for API keys, tokens, passwords, and other secrets. If a secret is detected, the memory is rejected before storage — your keys never touch our database.

  • 25+ secret patterns (AWS, GitHub, Stripe, OpenAI, etc.)
  • Inline scanning on every /extract call
  • Rejected with clear error — never stored
  • Pattern list publicly available via API

🔑 API Key Management

SHA-256 hashed keys with instant rotation and revocation. Compromised key? Rotate in one API call. Old key is immediately invalid across all workers via Redis cache invalidation.

  • SHA-256 hashed storage (Stripe pattern)
  • Instant key rotation: POST /admin/rotate-key
  • Instant revocation: POST /admin/revoke-key
  • Cross-worker invalidation via Redis pub/sub

🚦 Rate Limiting

Redis-backed rate limiting that survives restarts. Per-tenant limits based on plan tier. No abuse, no overload, no surprise bills.

  • Free: 20 RPM / Pro: 100 RPM / Enterprise: 500 RPM
  • Redis-backed (persists across restarts)
  • In-memory fallback if Redis is unavailable
  • Per-tenant, not per-IP

📝 Audit Logging

Every memory operation is logged with tenant ID, request ID, timestamp, and action type. Full audit trail for compliance and debugging.

  • Structured JSON logging
  • X-Request-ID on every response
  • Tenant ID in all request logs
  • Webhook delivery audit log with HMAC verification

🔐 Webhooks with HMAC Signing

Every webhook payload is signed with HMAC-SHA256. Verify the signature to confirm it came from 0Latency and hasn't been tampered with. Failed deliveries retry with exponential backoff.

  • HMAC-SHA256 signature on every payload
  • Async delivery with retry + backoff
  • Delivery status tracking and audit log
  • Per-tenant webhook secrets

🧱 Input Validation & Sanitization

All inputs are validated and sanitized before processing. Error messages are generic — no database internals, no stack traces, no information leakage.

  • Request size limits enforced
  • Pagination with max limits
  • Generic error messages (no DB error leakage)
  • SQL injection test suite (automated regression)

🏗️ Infrastructure

HTTPS everywhere. Security headers on all responses. Admin endpoints restricted to localhost. Automated database backups.

  • HTTPS with Cloudflare SSL termination
  • X-Content-Type-Options, X-Frame-Options headers
  • Admin endpoints: localhost-only IP allowlist
  • Automated daily database backups

Secret Detection Patterns

The following patterns are automatically scanned on every memory submission. This list is also available programmatically via GET /api/v1/security/patterns.

| Pattern | Prefix / Format | Description |
|---|---|---|
| PyPI Token | pypi-... | PyPI API token |
| GitHub PAT | ghp_... | GitHub personal access token |
| GitHub OAuth | gho_... | GitHub OAuth access token |
| OpenAI Key | sk-... | OpenAI API key |
| Anthropic Key | sk-ant-... | Anthropic API key |
| Stripe Secret | sk_live_... / sk_test_... | Stripe secret key |
| AWS Access Key | AKIA... | AWS access key ID |
| Slack Token | xoxb-... / xoxp-... | Slack bot or user token |
| Twilio | AC... / SK... | Twilio account SID or API key |
| SendGrid | SG.... | SendGrid API key |
| Google API | AIza... | Google API key |
| Supabase | sbp_... / sb_secret_... | Supabase project or service role key |
| Bearer Token | Bearer ... | Authorization header token |
| Generic Secret | api_key=... | Key-value secret assignments |
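As an added example (not 0Latency's own code), here is a pre-storage scanner in the spirit of the Automatic Secret Detection section, built from the prefixes in the table above. The token-body character classes, minimum lengths, and the `Finding` / `scan_memory` / `validate_memory` names are assumptions for this illustration; the rejection error names only the pattern kind, never the matched value.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Prefixes come from the Secret Detection Patterns table above. The token-body
# character classes and minimum lengths are assumptions for this example, not
# 0Latency's real rules (those are served by GET /api/v1/security/patterns).
_BODY = r"[A-Za-z0-9_\-]{16,}"
SECRET_PATTERNS = {
    "pypi_token": rf"\bpypi-{_BODY}",
    "github_pat": rf"\bghp_{_BODY}",
    "github_oauth": rf"\bgho_{_BODY}",
    "anthropic_key": rf"\bsk-ant-{_BODY}",
    "openai_key": rf"\bsk-(?!ant-){_BODY}",  # lookahead keeps it from shadowing sk-ant-
    "stripe_secret": rf"\bsk_(?:live|test)_{_BODY}",
    "aws_access_key": r"\bAKIA[A-Z0-9]{16}\b",
    "slack_token": r"\bxox[bp]-[A-Za-z0-9\-]{10,}",
    "twilio": r"\b(?:AC|SK)[0-9a-fA-F]{32}\b",
    "sendgrid_key": rf"\bSG\.{_BODY}",
    "google_api_key": rf"\bAIza{_BODY}",
    "supabase_key": rf"\b(?:sbp_|sb_secret_){_BODY}",
    "bearer_token": rf"\bBearer\s+{_BODY}",
    "generic_secret": r"\bapi_key\s*=\s*['\"]?[A-Za-z0-9_\-]{8,}",
}
_COMPILED = [(name, re.compile(rx)) for name, rx in SECRET_PATTERNS.items()]


@dataclass(frozen=True)
class Finding:
    pattern: str
    redacted: str  # prefix only, so the secret itself is never logged or echoed


def scan_memory(text: str) -> list[Finding]:
    """Return one Finding per secret-looking span in `text`."""
    return [
        Finding(name, m.group(0)[:6] + "...")
        for name, rx in _COMPILED
        for m in rx.finditer(text)
    ]


def validate_memory(text: str) -> str:
    """Gate a memory before storage: reject it if any secret pattern fires."""
    findings = scan_memory(text)
    if findings:
        kinds = ", ".join(sorted({f.pattern for f in findings}))
        raise ValueError(f"memory rejected: contains {kinds}")
    return text
```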

Testing & Verification

147 Automated Tests All Passing

Our test suite covers authentication, extraction, recall, SQL injection prevention, tenant isolation, pagination, input validation, key rotation, revocation, data export, batch operations, graph memory, webhooks, versioning, criteria scoring, custom schemas, organization memory, and security regression. Every commit runs the full suite.

Questions about security?

Email: [email protected]
Response time: 24 hours