API Key Security
Encryption
Your API keys are encrypted using AES-256-GCM:- Industry-standard encryption
- Keys are encrypted at rest
- Decrypted only when needed for API calls
Storage
| Aspect | How It Works |
|---|---|
| At rest | Encrypted in database |
| In transit | HTTPS/TLS encryption |
| Display | Never shown after saving |
| Access | Only your account can use your keys |
What We Never Do
- ❌ Store keys in plain text
- ❌ Log keys in application logs
- ❌ Share keys between accounts
- ❌ Display keys after initial entry
Once you save an API key, you cannot view it again. You can only delete and add a new one.
Data Security
Your CSV Data
| Aspect | Protection |
|---|---|
| Storage | Encrypted cloud storage (AWS S3) |
| Access | Isolated per account |
| Transmission | HTTPS/TLS encrypted |
| Retention | You control deletion |
Data Isolation
Your data is completely isolated:- Other users cannot see your files
- Other users cannot see your results
- Other users cannot see your templates
- No cross-account data access
AI Processing
When BYOK mode is used:- Data goes directly to OpenAI under your API key
- No third-party AI intermediaries
- Subject to OpenAI’s data policies
- Data goes to OpenAI under Smelt’s API key
- Same OpenAI data policies apply
Account Security
Password Protection
- Passwords hashed with bcrypt (cost factor 12)
- Never stored in plain text
- Rate limiting on login attempts (5 attempts / 15 min)
- Rate limiting on registration (3 / hour)
Session Security
- JWT-based sessions
- 30-day session duration
- Automatic logout after inactivity
Password Reset
- Secure token-based reset
- Tokens expire after 1 hour
- Tokens are single-use
- Rate limited (3 requests / hour / email)
Infrastructure Security
Application Security
| Measure | Implementation |
|---|---|
| Security headers | X-Frame-Options, CSP, etc. |
| HTTPS | All traffic encrypted |
| Rate limiting | Protected endpoints |
| Input validation | All user input validated |
Data Backup
- Regular database backups
- Encrypted backup storage
- Point-in-time recovery capability
Compliance Considerations
GDPR
For EU users:- You can request data export
- You can request account deletion
- Data processing documented
Data Retention
- Data retained while account active
- Deleted upon account deletion request
- No automatic data mining or resale
Security Best Practices
Use a strong password
Use a strong password
At least 12 characters with mixed case, numbers, and symbols.
Don't share API keys
Don't share API keys
Use dedicated API keys
Use dedicated API keys
Create an API key specifically for Smelt so you can track and revoke it separately.
Monitor API usage
Monitor API usage
Regularly check your OpenAI usage dashboard for unexpected activity.
Set spending limits
Set spending limits
Configure spending limits in OpenAI to prevent unexpected costs.
Reporting Security Issues
If you discover a security vulnerability:- Email [email protected]
- Do not publicly disclose until resolved
- We’ll respond within 48 hours