Trust & Safety
Security
Last updated: May 2026
Key facts
API key protection
When you add an API key in Settings, it is immediately encrypted with AES-256 (Fernet symmetric encryption) before being written to the database. The plaintext key is never logged, never written to disk, and never transmitted to any third party. At session runtime, the key is decrypted in memory for the duration of that single request and immediately discarded — it is never held in memory between requests.
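A Fernet token stored in a database column is authenticated as well as encrypted: it ends in an HMAC-SHA256 tag, so a modified or truncated value is rejected before any decryption is attempted. The sketch below is an added example, not LLM Council's code; it follows the public Fernet token layout using only the Python standard library, and the key, timestamp and placeholder ciphertext are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

VERSION = 0x80  # the only version byte the Fernet spec defines

def _signing_key(key_b64):
    """A Fernet key is 32 bytes: the first half signs, the second half encrypts."""
    key = base64.urlsafe_b64decode(key_b64)
    if len(key) != 32:
        raise ValueError("Fernet key must decode to 32 bytes")
    return key[:16]

def build_sample_token(key_b64, ciphertext, issued_at):
    """Constructed token: real layout, placeholder ciphertext (no AES in stdlib)."""
    body = struct.pack(">BQ", VERSION, issued_at) + os.urandom(16) + ciphertext
    tag = hmac.new(_signing_key(key_b64), body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def check_token(key_b64, token, ttl=None, now=None):
    """Return the issue timestamp if the token is intact, else raise ValueError."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except (ValueError, TypeError) as exc:
        raise ValueError("token is not base64url") from exc
    # Layout: 1 version | 8 timestamp | 16 IV | n*16 ciphertext | 32 HMAC
    if len(raw) < 73 or raw[0] != VERSION or (len(raw) - 57) % 16:
        raise ValueError("malformed token")
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(_signing_key(key_b64), body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: token altered or wrong key")
    issued_at = struct.unpack(">Q", raw[1:9])[0]
    now = int(time.time()) if now is None else now
    if ttl is not None and issued_at + ttl < now:
        raise ValueError("token expired")
    return issued_at
```

Running `check_token` over stored values is a cheap integrity audit because it needs only the signing half of the key and never produces plaintext.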
No key harvesting — technically enforced
LLM Council acts as a secure orchestration proxy. When you run a council session, your encrypted key is decrypted in our backend process, forwarded directly to the LLM provider (OpenRouter, Portkey, Helicone, etc.) over HTTPS, and immediately discarded. Our server code does not write API keys to logs, does not cache them, and does not retain them outside the encrypted database column. You can verify this by reviewing our open approach: session routes are stateless with respect to your key.
Infrastructure
LLM Council runs on DigitalOcean infrastructure with Nginx as the reverse proxy — no API endpoint is exposed directly to the public internet. Authentication is handled by Clerk, a SOC 2 Type II certified identity provider. User data and session history are stored in Supabase (PostgreSQL), which provides encryption at rest. All traffic is served over HTTPS with TLS 1.2+.
Authentication
Account authentication is fully delegated to Clerk. We never store raw passwords. Clerk is SOC 2 Type II certified and supports MFA, session management, and anomaly detection. JWT tokens issued by Clerk are validated on every API request using Clerk's public JWKS endpoint — no token is trusted without cryptographic verification.
Session and prompt data
Your council questions, model responses, and session history are stored to enable history, exports, and follow-up questions. This data is stored in Supabase with row-level security policies so that one user's data is never accessible to another. You can permanently delete any council and all its sessions from the Dashboard at any time.
Data retention and deletion
Your data is retained for as long as your account remains active. You may delete individual councils and sessions at any time from the Dashboard. If you close your account, all associated data — including encrypted API keys, session history, and council configurations — is permanently deleted from our systems within 30 days of the account closure request.
What we never do
We do not sell your data. We do not use your prompts or model responses for training any AI model. We do not share your data with advertisers. We do not share your API keys with any party other than the LLM provider you have selected for that session.
Responsible disclosure
If you discover a security vulnerability in LLM Council, please report it responsibly to security@llmcouncil.online. We commit to acknowledging reports within 48 hours and resolving critical issues within 7 days. We do not pursue legal action against researchers who report issues in good faith.