Skip to content
Security & trust

Statelessness is the product

Message contents are processed in request-scoped memory and are never persisted and never logged. Completing a request leaves behind exactly one row of usage metadata (type, size, duration, status, warning codes). This is a hard product guarantee, not a configuration default.

The guarantee — and the two honest exceptions

Rule 2 of the engine forbids persisting or logging message bodies. There are exactly two sanctioned carve-outs, both time-bounded and encrypted. Any other table, column, cache, or log line carrying message content would be a violation of this rule regardless of encryption or TTL.

(a) Idempotency response cache

So a retried POST returns the same result — but only when a request opts in with an Idempotency-Key. Held in the API's process memory only (never written to disk or database), keyed by a hash, 24-hour TTL. The raw request body is never stored — only its SHA-256 hash.

(b) Async batch job store

Batch inputs/results held as AES-256-GCM ciphertext only. Inputs are purged at item completion; results default to a 1-hour TTL (customer-set 1 minute – 24 hours max), or on demand via DELETE /v1/jobs/{id}.

Data classification

How each class of data is handled and retained, mirrored from our internal Data Retention & Classification policy.

ClassDataExamplesHandling & retention
C1Message payloadsRequest/response bodies of convert / normalize / validate / enrich (names, IBANs, references, remittance text)In request-scoped memory only. Never persisted, never logged — except the two sanctioned exceptions below, and no others.
C2Credentials & secretsAPI keys, OAuth client secrets, webhook signing secrets, connection tokens, sealing/signing keysStored hashed (SHA-256, show-once) where only verification is needed, or sealed (AES-256-GCM) where plaintext must be used outbound. Never logged.
C3Tenant configurationWebhook URLs, allowed CIDRs, mapping-override documents — settings that shape processing but hold no message contentPlaintext in Postgres; retained while the account is active; deleted on customer instruction.
C4Usage & audit metadatausage_events (type, formats, byte size, duration, status, warning count), audit_events, structured logs (method, path, status, latency, request id, key prefix)Plaintext in Postgres / JSON logs; the billing and audit source of truth. Contains no message content.

API-key handling

Keys are stored as SHA-256 hashes — the plaintextsk_live_… / sk_test_… value isshown exactly once at creation and is never retrievable again. Logs carry at most an 8-character lookup prefix, never the key. Revoke a key any time from the dashboard.

Single region & erasure

All processing and metadata storage stay in the EU (Frankfurt, Germany) — Cloudflare compute and Neon/AWS Postgres. Statelessness makes right-to-erasure trivial: for payloads there is nothing to erase. Tenant offboarding deletes configuration and credentials; metadata is retained only as far as billing/audit and statutory periods require.