Skip to content
IQ Routing

Security

Last reviewed: July 3, 2026

IQ Routing handles two of the more sensitive data classes a buyer cares about: the prompts that leave the building, and the provider keys that pay for them. Each control below carries its status before the description: what is live in production today, and gateway PII redaction, which is on our roadmap.

Live today

Encryption
Live today

Provider keys are encrypted at rest under authenticated encryption on every path. The per-request credential store the gateway reads on each routed call uses Fernet authenticated encryption (AES-128-CBC with an HMAC integrity tag); the row is decrypted once per request and the cleartext key is never serialised back to disk and never reaches React state outside the upload modal. The key-vault reveal path, which lets an operator recover a key through a step-up-authenticated flow, uses AES-256-GCM envelope encryption keyed off a master key held as a Fly secret (KEY_VAULT_MASTER_KEY_V1) that never lands in the gateway process logs. Database connections to Postgres run over TLS. Redis runs inside the same Fly private network and is not internet-reachable.

Audit log
Live today

Every state-changing mutation across orgs, teams, providers, keys, alerts, trial grants, and ERP previews writes a row into org_audit_events with the user identifier, the action name, the prior state, the new state, and a timestamp. The audit log is append-only; rows cannot be edited or deleted from the dashboard. CSV export streams uncapped via cursor pagination so a 90-day export cannot abort mid-stream.

Authentication
Live today

Production sign-in runs on Clerk (hosted at clerk.iq-routing.com), which issues the session and manages credentials. Clerk identity is bridged to the gateway with HMAC-trusted verification across the gateway-dashboard boundary. The signed iq.active_org cookie carries the active-org selection; tampering invalidates the cookie.

Access enumeration mask
Live today

Every admin endpoint returns 404 rather than 403 for resources outside the caller's org. The mask prevents an attacker from probing org IDs via the API surface. The single-point-of-truth helper applies the mask to every admin path; the inheritance is automatic on any new endpoint.

Per-statement DB timeouts
Live today

Every database call from the critical-path admin endpoints carries a per-statement timeout (one to ten seconds depending on the endpoint's expected work). A slow query cannot starve the connection pool or hold a transaction open long enough to block other requests.

SOC2 evidence pack
Live today

Available on request to Enterprise customers, generated from the append-only audit log and access-control matrix. The export builds a ZIP that includes the audit log with its chain-of-custody columns intact. Reach out to the support contact in the footer to request a pack.

Roadmap

Gateway PII redaction
Roadmap

PII redaction of prompts at the gateway boundary is on the roadmap and is not live at the request boundary today. Until it ships, the gateway does not strip identifiers from prompts before they reach upstream providers. Treat upstream providers as recipients of the payloads you send.

Reporting a vulnerability

Email security issues to security@iq-routing.com. We acknowledge within one business day and triage within five. Our machine-readable disclosure policy is published at /.well-known/security.txt.