
Security

Spendline, Inc. · Last updated: April 30, 2026

Spendline sits in the critical path of your production AI API traffic. Security is not a checkbox — it is a core product requirement. This page describes how we protect your data and requests.

  • TLS everywhere: All traffic between your application and Spendline is encrypted via TLS 1.2+. We do not accept unencrypted connections.
  • Encrypted at rest: Usage records, API keys, and account data are encrypted at rest in our database using AES-256.
  • Hashed credentials: Passwords are hashed using bcrypt. API keys are stored as hashed values — we cannot recover your key once issued.
  • Minimal prompt storage: We process request and response metadata only. Prompt and completion content is not stored by default.

Infrastructure

Spendline is hosted on Railway, which provides managed infrastructure with automated TLS, private networking between services, and environment-level secret management. Our database runs on managed PostgreSQL with automated backups and point-in-time recovery.

Authentication and Access Control

  • API key authentication with per-key scoping and revocation.
  • Email/password login with bcrypt-hashed passwords and session tokens.
  • Team invite flows with expiring invite tokens.
  • All sensitive routes require authentication; unauthenticated requests are rejected with 401.
  • Rate limiting is applied to all authentication and proxy endpoints.

API Proxy Security

Your provider API keys (OpenAI, Anthropic, etc.) are stored encrypted in our database and decrypted only at request time within the proxy. They are never transmitted to the client or logged in plaintext. Connections from Spendline to AI providers are made over TLS.

Security Headers

The Spendline application enforces a strict Content Security Policy (CSP), X-Content-Type-Options, X-Frame-Options, Strict-Transport-Security (HSTS), and Permissions-Policy on all responses.

Vulnerability Disclosure

If you discover a security vulnerability in Spendline, please report it responsibly to aary@spendline.ai. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We do not have a formal bug bounty program at this time but we appreciate responsible disclosure.

Compliance Roadmap

  • SOC 2 Type II audit: in planning for H2 2026.
  • Data Processing Agreements (DPA): available to Enterprise customers — contact us.
  • GDPR/CCPA: we support data subject access requests and deletion requests via email.

Security questions or concerns?

Contact us at aary@spendline.ai. For non-urgent security questions, this is the fastest path to a response.

© 2026 Spendline, Inc.