Security & Compliance
Modelane is designed for teams that need auditable, compliant AI infrastructure. This page documents our security practices, data handling policies, and compliance posture.
Data Handling
- Encryption in transit: TLS 1.3 with modern cipher suites only. All API traffic is encrypted end-to-end.
- Encryption at rest: AES-256-GCM for all stored data, including metadata and audit logs.
- Default retention: No request or response content is retained beyond the request lifetime. Modelane does not store prompts, completions, or any inference payload by default.
- Audit logs: Metadata-only logs (request ID, timestamp, model class, token count) are retained for 30 days for abuse detection and billing reconciliation. All logs are encrypted at rest.
- Customer-configurable retention: Enterprise customers can configure custom retention windows and BYOK (Bring Your Own Keys) for provider-level data isolation.
Infrastructure
- Hosting region: Singapore (primary), with planned multi-region availability for Enterprise customers.
- Network isolation: VPC-isolated compute with no public ingress except the API endpoint. Internal services communicate over private networks only.
- Secrets management: HSM-backed key storage with automatic rotation. API keys are hashed and never stored in plaintext.
- DDoS protection: Cloudflare-fronted infrastructure with per-key rate limiting and automatic traffic analysis.
Compliance Posture
- SOC 2 Type I: Roadmap target: Q4 2026. We are actively working toward SOC 2 Type I certification.
- GDPR: Data Processing Agreement (DPA) available under our standard contract. See /legal/dpa.
- PDPA (Singapore): Compliant by default. Modelane is subject to and compliant with the Personal Data Protection Act 2012 of Singapore.
- HIPAA: Available for Enterprise customers. Business Associate Agreement (BAA) provided on request.
- Data residency: Singapore-primary. Multi-region data residency options available for Enterprise customers with specific jurisdictional requirements.
Responsible Use
We enforce a strict Acceptable Use Policy aligned with the policies of our upstream model providers. See /legal/aup for the full policy.
All accounts undergo verification before production access is granted. We require a valid work email and company information during registration.
Modelane does not train models on customer data. Inference payloads are processed in real time and are not retained, logged, or used for any purpose beyond fulfilling the request.
We honor all upstream provider safety classifiers and abuse-detection systems. Content that is rejected by an upstream provider will not be rerouted to a different provider.
Vulnerability Disclosure
If you believe you have found a security vulnerability in Modelane, please report it to security@modelane.ai.
We respond to all security reports within 24 hours.
For our full disclosure policy, see /.well-known/security.txt.