Security

Last updated: 13 May 2026

API key encryption

All BYO API keys are encrypted at rest using libsodium sealed boxes (XChaCha20-Poly1305) before being persisted to Postgres. Decryption requires the server-side private key held only in Supabase Edge Function memory and rotated quarterly. Keys are never logged to stdout, files, or telemetry.

Auth

We use Supabase Auth with magic-link sign-in (no passwords stored). OAuth sign-in uses the PKCE flow. Session cookies are httpOnly, Secure, SameSite=Lax.

Database

Postgres with Row-Level Security on every user-facing table. The service-role key is never exposed to client code. Daily automated backups with 7-day point-in-time recovery (Supabase Pro).

Network

All traffic over HTTPS (TLS 1.3). HSTS enabled. CSP headers on all responses.

Third-party risk

The Council pipeline routes queries to AI providers (Gemini / Groq / OpenRouter / Anthropic / OpenAI). Their security practices are documented on their respective sites. We do not store provider response data beyond what's needed to display your run history.

Disclosure

Report security issues to security@aicouncil.me. Acknowledgement within 48 hours. We do not have a paid bug bounty yet but credit researchers publicly with consent.

AI Council is operated by 313 AI Agency. Working toward SOC 2 Type I in 2027.