Trust Center

Security & Compliance

Everything your CISO and compliance team need to approve Daylite. SOC 2 report available under NDA. BAA on request.

Encryption

In Transit
All API traffic encrypted with TLS 1.3. HTTPS enforced on all endpoints. Hosted on Vercel Edge Network with automatic certificate management.
At Rest
All stored data encrypted with AES-256. Database encryption managed by infrastructure provider. API keys stored as salted hashes.

Authentication & Access

SSO/SAML — Enterprise single sign-on via WorkOS. Connect your Okta, Azure AD, or Google Workspace.

API Key Authentication — Bearer token auth on all endpoints. Keys revocable instantly.

Provider Key Isolation — Your OpenAI/Anthropic keys passed via header, never stored. Zero data retention on provider credentials.

Data Handling

Zero Prompt Storage — We do not store, log, or train on your prompts or completions. Only metadata (token counts, costs, customer IDs) is retained.

Tenant Isolation — Each customer's usage data is logically isolated. No cross-tenant data access.

Data Residency — API processing in US regions. Enterprise tier: dedicated deployment in your preferred region.

Subprocessors

Services that process data on our behalf. Updated March 2026.

Service    | Purpose                   | Location
Vercel     | API hosting, edge network | US (global edge)
WorkOS     | SSO/SAML authentication   | US
Stripe     | Payment processing        | US
Cloudflare | DNS, DDoS protection      | Global

Provider API calls (OpenAI, Anthropic, Together AI) are proxied using your own keys over a direct connection to the provider. Daylite does not store prompts.

Compliance

SOC 2 Type II
In progress. Expected completion Q3 2026. Request a SOC 2 Readiness Letter: security@daylite.ai
DPA
Data Processing Addendum available on request. Contact: legal@daylite.ai

Supply Chain Security

AI infrastructure tools sit between your application and your model providers, holding privileged API keys. A compromised proxy means compromised credentials for your entire AI stack.

Managed Release Pipeline — All releases go through internal code review, SAST scanning, and signed builds. No community-maintained PyPI packages in the critical path.

Security Through Consolidation — One audited control plane replaces 4-6 fragmented open-source dependencies, reducing your attack surface.

Dependency Pinning — All dependencies locked to exact versions with hash verification. No automatic minor/patch upgrades in production.

Report a Vulnerability

Email security@daylite.ai. We respond within 24 hours and follow responsible disclosure practices.