Statelessness is the product
Message contents are processed in request-scoped memory and are never persisted and never logged. Completing a request leaves behind exactly one row of usage metadata (type, size, duration, status, warning codes). This is a hard product guarantee, not a configuration default.
The guarantee — and the two honest exceptions
Rule 2 of the engine forbids persisting or logging message bodies. There are exactly two sanctioned carve-outs, both time-bounded and encrypted. Any other table, column, cache, or log line carrying message content would be a violation of this rule regardless of encryption or TTL.
(a) Idempotency response cache
Exists so that a retried POST returns the same result, but only when a request opts in with an Idempotency-Key. Held in the API's process memory only (never written to disk or database), keyed by a hash, with a 24-hour TTL. The raw request body is never stored, only its SHA-256 hash.
(b) Async batch job store
Batch inputs and results are held as AES-256-GCM ciphertext only. Inputs are purged at item completion; results are purged after a TTL that defaults to 1 hour (customer-set, 1 minute to 24 hours max), or on demand via DELETE /v1/jobs/{id}.
Data classification
How each class of data is handled and retained, mirrored from our internal Data Retention & Classification policy.
| Class | Data | Examples | Handling & retention |
|---|---|---|---|
| C1 | Message payloads | Request/response bodies of convert / normalize / validate / enrich (names, IBANs, references, remittance text) | In request-scoped memory only. Never persisted, never logged — except the two sanctioned exceptions below, and no others. |
| C2 | Credentials & secrets | API keys, OAuth client secrets, webhook signing secrets, connection tokens, sealing/signing keys | Stored hashed (SHA-256, show-once) where only verification is needed, or sealed (AES-256-GCM) where plaintext must be used outbound. Never logged. |
| C3 | Tenant configuration | Webhook URLs, allowed CIDRs, mapping-override documents — settings that shape processing but hold no message content | Plaintext in Postgres; retained while the account is active; deleted on customer instruction. |
| C4 | Usage & audit metadata | usage_events (type, formats, byte size, duration, status, warning count), audit_events, structured logs (method, path, status, latency, request id, key prefix) | Plaintext in Postgres / JSON logs; the billing and audit source of truth. Contains no message content. |
API-key handling
Keys are stored as SHA-256 hashes — the plaintext sk_live_… / sk_test_… value is shown exactly once at creation and is never retrievable again. Logs carry at most an 8-character lookup prefix, never the key. Revoke a key any time from the dashboard.
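One way to implement the storage rule above, as an added example that is not this product's own code. The key layout after the `sk_live_` / `sk_test_` marker, the choice of the 8 characters following that marker as the lookup prefix, and the `KeyStore` class with its method names are all assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 8                 # page: logs carry at most an 8-character lookup prefix
MARKER_LEN = len("sk_live_")   # "sk_test_" has the same length

class KeyStore:
    """In-memory stand-in for the key table (hypothetical schema)."""

    def __init__(self):
        # lookup prefix -> record; the plaintext key is never a field here
        self._rows = {}

    @staticmethod
    def lookup_prefix(presented):
        """Non-secret handle for lookup and logs (assumed: 8 chars after the marker)."""
        return presented[MARKER_LEN:MARKER_LEN + PREFIX_LEN]

    def issue(self, tenant, live=True):
        """Create a key and return its plaintext; this is the only time it is available."""
        # Assumed layout: sk_<mode>_<43 url-safe chars from 32 random bytes>
        plaintext = f"sk_{'live' if live else 'test'}_{secrets.token_urlsafe(32)}"
        prefix = self.lookup_prefix(plaintext)
        if prefix in self._rows:  # vanishingly rare; retry rather than overwrite
            return self.issue(tenant, live)
        self._rows[prefix] = {
            "tenant": tenant,
            # A fast unsalted hash is adequate only because the key is 32 random bytes
            "sha256": hashlib.sha256(plaintext.encode()).hexdigest(),
            "revoked": False,
        }
        return plaintext

    def verify(self, presented):
        """Return the tenant for a valid, unrevoked key, else None."""
        row = self._rows.get(self.lookup_prefix(presented))
        digest = hashlib.sha256(presented.encode()).hexdigest()
        # Compare against a dummy when the prefix is unknown so both paths do the same work
        stored = row["sha256"] if row else "0" * 64
        ok = hmac.compare_digest(digest, stored)
        return row["tenant"] if ok and row and not row["revoked"] else None

    def revoke(self, prefix):
        self._rows[prefix]["revoked"] = True

    def log_fields(self, presented, method, path, status):
        """Structured log entry: carries the lookup prefix, never the key."""
        return {"method": method, "path": path, "status": status,
                "key_prefix": self.lookup_prefix(presented)}
```

Because only the digest is stored, a lost key cannot be recovered from the table; the remedy is to revoke it and issue a new one.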
Single region & erasure
All processing and metadata storage stay in the EU (Frankfurt, Germany) — Cloudflare compute and Neon/AWS Postgres. Statelessness makes right-to-erasure trivial: for payloads there is nothing to erase. Tenant offboarding deletes configuration and credentials; metadata is retained only as far as billing/audit and statutory periods require.