Enterprise Trust Center

Controls buyers can inspect before they send production AI traffic.

Rocket Relay is built for teams that need lower model access cost without accepting opaque routing, casual data logging, or unclear credential handling.

Security review posture

Metadata-first logs, encrypted secrets, auditable admin actions.

No prompt body logging

Envelope-encrypted secrets

Tenant-scoped API keys

Webhook SSRF hardening

Prompt and response policy

Proxy logs are configured to keep customer prompt and response bodies out of application log files. Request logs store operational metadata only: model, provider, status, latency, token counts, API key, and timestamps.

Credential protection

Customer BYOK credentials and webhook secrets use envelope encryption at rest. Local KEK is available for small deployments, with AWS KMS support for production key wrapping.

Request metadata visibility

Teams can audit usage without exposing message content. The portal surfaces request IDs, token totals, response status, latency, provider, and model routing context.

Data retention controls

Usage and request-log tables are monthly partitioned. Operators can enforce retention windows through managed partitions and organization-level log retention settings.

Deletion commitments

Customer accounts, API keys, BYOK credentials, webhooks, and organization members are scoped by tenant and can be revoked or removed without touching other tenants.

Model authenticity monitoring

The admin console tracks fingerprint/eval check results, route health, 24-hour latency, error rate, and upstream account status by provider and model.

Continuous model-route evidence

Models tracked

Passing

Watch / warn / fail

Model	Status	Latest check	Latency	24h traffic

Public evidence is intentionally metadata-only: it excludes prompts, responses, upstream account IDs, auth IDs, and fingerprints used internally for operator review.

Security review evidence packet

Enterprise buyers need more than feature claims. This packet contains concrete operator-facing review materials that can be shared during procurement. Legal DPA terms should still be finalized per customer contract.

Security overviewArchitecture, authentication, logging, encryption, rate limits, and operational controls.Data processing summaryData categories, where each category is stored, retention posture, and deletion handling.Subprocessor listProviders involved in model routing, billing, email, and infrastructure operations.Incident responseDetection, triage, containment, customer notification, and post-incident review workflow.Deletion processAccount, credential, API key, request-log, and webhook deletion handling.Model authenticity monitoringHow fingerprint/eval checks and observed route health are recorded in the admin console.

Compliance note: this is an operational evidence pack, not a claim of SOC 2, ISO 27001, HIPAA, or GDPR certification. Those badges should only be added after a completed audit or signed legal review.

Current subprocessors

OpenAI / Anthropic / Google model providers, depending on configured upstream routing

Stripe for card billing and subscription checkout

Configured email provider for transactional account email

Hosting, database, Redis, and object infrastructure selected by the operator

Evidence mapped to implementation

Prompt and response bodies are not written to proxy logs by default.

proxy-config.yaml sets request-log=false and logging-to-file=false; business request logs store metadata fields only.

Secrets are protected at rest.

BYOK credentials, webhook secrets, Stripe settings, and SMTP secrets use envelope encryption; AWS KMS can wrap DEKs in production.

Tenant traffic is cost and abuse controlled.

Proxy middleware enforces RPM, TPM, daily request caps, concurrent request caps, and balance pre-authorization.

Webhook destinations are SSRF-hardened.

Webhook target validation rejects private targets and insecure HTTP unless explicitly enabled by operator config.

Model authenticity can be audited.

model_quality_checks records fingerprint/eval/route checks; admin model-quality page combines checks with 24h latency, error rate, and upstream pool health.

Retention is operationally enforceable.

Usage and request logs are monthly partitioned, and the partition service creates future partitions and drops expired partitions by retention window.

Last reviewed: April 24, 2026. Evidence should be re-reviewed after proxy, billing, logging, or infrastructure changes.