Security

Public security posture for Switchboard's hosted AI gateway, auth, billing, and operational systems.

Credential protection

Switchboard hashes API keys and session tokens where appropriate, scopes credentials to accounts, projects, and modes, and distinguishes secret keys from publishable keys. Developers must keep secret project keys, account sessions, provider keys, and webhook secrets out of browser and mobile code.

Transport and application controls

Switchboard uses TLS for browser and API traffic, Phoenix session protections, CSRF protections for browser forms, origin allowlists for browser integrations, hosted backend project isolation, rate limiting, and webhook signature verification for Stripe events.

Data and operations

Switchboard records usage events, gateway request state, billing audit rows, webhook processing state, and operational logs to support billing, reliability, security, and idempotency. Access to production systems should be limited to authorized operators with a business need.

Backups and incident response

Production readiness requires point-in-time database recovery, tested restore procedures, health checks, alerting, billing queue monitoring, webhook error monitoring, and an incident response process for privacy, security, provider, and billing events.

Vulnerability reporting

Security researchers and customers should report suspected vulnerabilities through the published support or security contact. A dedicated security address will be published when available.

Customer responsibilities

Customers must configure allowed origins carefully, rotate keys after exposure, protect end-user sessions, review model outputs for their use case, monitor their own end-user abuse, and maintain customer-facing security and privacy obligations for their applications.