Security

Built with security at every layer.

ModelSpend handles sensitive AI routing metadata, API keys, and cost data. Here is how we protect it.

Authentication

All user authentication is handled by Auth0, a SOC 2 Type II certified identity platform. We support password-based login, OAuth social providers, and enterprise SSO via SAML/OIDC on eligible plans. Passwords are never stored on ModelSpend servers. Short-lived signed JWTs are used for all API sessions.

Role-based access control

Every request to the ModelSpend API is authenticated and authorised before any data is accessed. Tenant isolation is enforced at the database level — every query is scoped by tenant_id. Within a tenant, role-based access control (owner, admin, member) restricts which resources each user can read or modify.

API key security

Provider API keys (OpenAI, Anthropic, etc.) stored in ModelSpend are encrypted at rest. Keys are scoped to your workspace and are never included in client-side code or exposed in logs. Audit log entries record which key was used for each request without revealing the key value.

Audit logging

Every API request, routing decision, budget enforcement action, and administrative change is written to an immutable audit log. Enterprise plans can export audit logs to external SIEM tools (Splunk, Datadog, Elastic) for centralised retention and compliance review.

Data in transit and at rest

All data in transit is encrypted using TLS 1.2 or higher. Database storage uses encryption at rest. We do not persist prompt content beyond the routing request duration unless prompt logging is explicitly enabled by the tenant administrator.

Data loss prevention and policy controls

Enterprise plans include configurable execution policies that can block or redact sensitive data patterns in AI prompts before they leave your infrastructure. Policies are evaluated synchronously in the routing path and decisions are fully auditable.

Responsible disclosure

If you discover a security vulnerability in ModelSpend, please report it to us at security@modelspend.best. We aim to acknowledge all reports within 48 hours and will work with you to assess and address the issue responsibly. Please do not publish vulnerability details until we have had the opportunity to investigate and patch.

Security questions or concerns?

Our team is available to discuss security requirements for enterprise deployments.
