Security Policy

Security is at the core of the Noviqi AI gateway platform. This Security Policy outlines the systems, policies, and practices we implement to protect client API keys, user accounts, analytics data, and infrastructure connectivity.

Our security approach aligns with industry best practices and standard compliance guidelines including GDPR and CCPA.

1. Infrastructure Security

1.1 Cloud Hosting

Noviqi is hosted on leading, ISO 27001 and SOC 2 certified cloud infrastructure providers. These data centers employ rigorous physical security measures, including 24/7 security personnel, biometric validation, surveillance systems, and redundant power and cooling feeds.

1.2 Network Segmentation

Our application servers, databases, and caches reside in isolated Virtual Private Clouds (VPCs). Public traffic is directed solely through hardened load balancers and firewalls. All internal database connections require encryption and mutual authentication.

2. Data Encryption

2.1 Encryption in Transit

All data moving between the client application, the Noviqi gateway, the Next.js Dashboard, and upstream AI API providers is encrypted in transit using Transport Layer Security (TLS 1.3 preferred, minimum TLS 1.2). We enforce HTTP Strict Transport Security (HSTS) globally.

2.2 Encryption at Rest

Databases, object storage, and configuration systems are encrypted using AES-256 with keys managed by centralized cloud Key Management Systems (KMS). Custom LLM API provider credentials (e.g. OpenAI or Anthropic keys) are additionally encrypted at the application level using a dedicated AES-256-GCM cipher prior to database persistence.

3. API Gateway and Auth Protections

3.1 API Key Hashing

Noviqi API keys are generated using cryptographically secure random bytes. Only a SHA-256 hash of the key is stored in our databases, ensuring that if database access is compromised, your developer API keys remain unreadable.

3.2 Rate Limiting and Lockouts

Our gateway incorporates sliding-window rate limiting to prevent denial-of-service (DoS) attacks. User authentication endpoints feature brute-force protection, locking out IP addresses after multiple consecutive failed login attempts.

4. Vulnerability Disclosure Program

We welcome security researchers to inspect our platform and report vulnerabilities responsibly. We pledge to review and mitigate all legitimate reports promptly.

Please submit reports to security@noviqi.com. Do not engage in automated scanning, spamming, social engineering, or denial-of-service tests on our production clusters.