
Your API keys are safe.

Server-side AES-256-GCM encryption, EU data center, no call content logging.

We decrypt momentarily in memory per call — content is never stored.


How encryption works

Your credentials are protected by server-side industry-standard encryption. On each call, we decrypt momentarily, invoke the API, and discard the result.

01

Add your API key

You enter your NAV/Billingo/MiniCRM API key in the dashboard over HTTPS.

02

Encrypted storage

We encrypt server-side with AES-256-GCM using a per-user, per-connector HKDF-derived key, stored in our EU data center.

03

Stateless MCP call

When an AI agent triggers a tool call, we decrypt the key momentarily in memory, invoke the API, and do NOT store request or response content.
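Steps 01 to 03 as a Node.js sketch, added here as an illustration and not taken from the service's own code. The page states only AES-256-GCM with a per-user, per-connector HKDF-derived key; HKDF-SHA256, the JSON-encoded context, the 96-bit random nonce, the use of that context as GCM associated data, and all function names are assumptions.

```javascript
// Added example, not the vendor's code. Uses only Node.js built-in crypto.
const crypto = require('node:crypto');

// Assumption: the HKDF "info" is a JSON array, so ("a", "b:c") and ("a:b", "c")
// can never produce the same context and therefore never share a key.
function context(userId, connector) {
  return Buffer.from(JSON.stringify(['api-key-v1', userId, connector]), 'utf8');
}

// Per-user, per-connector 256-bit key derived from the master secret.
// The master secret is assumed to come from the isolated key store.
function deriveKey(masterSecret, userId, connector) {
  const okm = crypto.hkdfSync('sha256', masterSecret, Buffer.alloc(0),
                              context(userId, connector), 32);
  return Buffer.from(okm);
}

// Step 02: returns the record that would be written to the database.
function encryptApiKey(masterSecret, userId, connector, apiKey) {
  const key = deriveKey(masterSecret, userId, connector);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(context(userId, connector)); // binds the ciphertext to its owner
  const ct = Buffer.concat([cipher.update(apiKey, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0);
  return { iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: tag.toString('base64') };
}

// Step 03: decrypt for one call, hand the plaintext Buffer to `call`,
// then zero the derived key and the plaintext whether or not `call` throws.
function withApiKey(masterSecret, userId, connector, record, call) {
  const key = deriveKey(masterSecret, userId, connector);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key,
                                           Buffer.from(record.iv, 'base64'));
  decipher.setAAD(context(userId, connector));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  let plain = Buffer.alloc(0);
  try {
    // final() throws if the key, AAD, ciphertext or tag does not match.
    plain = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')),
                           decipher.final()]);
    return call(plain);
  } finally {
    plain.fill(0);
    key.fill(0);
  }
}
```

JavaScript strings cannot be wiped, so the callback should pass the Buffer straight to the HTTP client rather than converting it to a string and holding it.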


Threat model

We openly state what our architecture protects against, and what it does not. Most vendors never tell you this.

🛡️ What we protect against
+Database breach

The AES encryption key is stored in an isolated key store, NOT in the database. A DB breach alone is not sufficient.

+Network interception

TLS 1.3 protects all data in transit.

+Cross-user breach

Per-user HKDF key derivation means one account compromise does not affect other users.

⚠️ What we do not protect against
×Server compromise

If our server secret key is leaked, API keys can be decrypted. We keep the AES key in an isolated key store, separate from the DB.

×Compromised device

If your device has malware, API keys entered in the dashboard could be captured before encryption.

Our architecture is auditable. Request the technical documentation if you need it.


Compliance and data protection

EU data center

All data is stored in the Frankfurt region (eu-central-1).

GDPR-compatible

Data minimization: no personal data stored in plaintext beyond your email address.

SOC2-compatible architecture

Our architecture follows SOC2 principles. Formal audit planned.