Security
Last reviewed: July 3, 2026
IQ Routing handles two of the more sensitive data classes a buyer cares about: the prompts that leave the building, and the provider keys that pay for them. Each control below carries its status before the description: what is live in production today, and gateway PII redaction, which is on our roadmap.
Live today
Encryption Live today
Provider keys are encrypted at rest under authenticated encryption on every path. The per-request credential store the gateway reads on each routed call uses Fernet authenticated encryption (AES-128-CBC with an HMAC integrity tag); the row is decrypted once per request and the cleartext key is never serialised back to disk and never reaches React state outside the upload modal. The key-vault reveal path, which lets an operator recover a key through a step-up-authenticated flow, uses AES-256-GCM envelope encryption keyed off a master key held as a Fly secret (KEY_VAULT_MASTER_KEY_V1) that never lands in the gateway process logs. Database connections to Postgres run over TLS. Redis runs inside the same Fly private network and is not internet-reachable.
Audit log Live today
Every state-changing mutation across orgs, teams, providers, keys, alerts, trial grants, and ERP previews writes a row into org_audit_events with the user identifier, the action name, the prior state, the new state, and a timestamp. The audit log is append-only; rows cannot be edited or deleted from the dashboard. CSV export streams uncapped via cursor pagination so a 90-day export cannot abort mid-stream.
Authentication Live today
Production sign-in runs on Clerk (hosted at clerk.iq-routing.com), which issues the session and manages credentials. Clerk identity is bridged to the gateway with HMAC-trusted verification across the gateway-dashboard boundary. The signed iq.active_org cookie carries the active-org selection; tampering invalidates the cookie.
Access enumeration mask Live today
Every admin endpoint returns 404 rather than 403 for resources outside the caller's org. The mask prevents an attacker from probing org IDs via the API surface. The single-point-of-truth helper applies the mask to every admin path; the inheritance is automatic on any new endpoint.
Per-statement DB timeouts Live today
Every database call from the critical-path admin endpoints carries a per-statement timeout (one to ten seconds depending on the endpoint's expected work). A slow query cannot starve the connection pool or hold a transaction open long enough to block other requests.
SOC2 evidence pack Live today
Available on request to Enterprise customers, generated from the append-only audit log and access-control matrix. The export builds a ZIP that includes the audit log with its chain-of-custody columns intact. Reach out to the support contact in the footer to request a pack.
Roadmap
Gateway PII redaction Roadmap
PII redaction of prompts at the gateway boundary is on the roadmap and is not live at the request boundary today. Until it ships, the gateway does not strip identifiers from prompts before they reach upstream providers. Treat upstream providers as recipients of the payloads you send.
Reporting a vulnerability
Email security issues to security@iq-routing.com. We acknowledge within one business day and triage within five. Our machine-readable disclosure policy is published at /.well-known/security.txt.