Security & Compliance

Security is built into every layer of the platform, from how we store credentials to how we handle sensitive data in transit.

API Key Security

Measure	Detail
Storage	API keys are hashed with SHA-256 before storage. The raw key is shown once at creation and never stored.
Transmission	Keys are sent via the `X-API-Key` header over HTTPS only. Plaintext HTTP is rejected.
Rotation	Users can regenerate keys at any time from the dashboard. Old keys are immediately invalidated.
Caching	Validated keys are cached in Redis for 5 minutes to reduce database load. Cache is invalidated on key rotation.

Measure

Detail

Storage

API keys are hashed with SHA-256 before storage. The raw key is shown once at creation and never stored.

Transmission

Keys are sent via the X-API-Key header over HTTPS only. Plaintext HTTP is rejected.

Rotation

Users can regenerate keys at any time from the dashboard. Old keys are immediately invalidated.

Caching

Validated keys are cached in Redis for 5 minutes to reduce database load. Cache is invalidated on key rotation.

Transport Security

TLS 1.2 / 1.3 required — older protocols are disabled at the NGINX layer

HSTS headers — Strict-Transport-Security with 1-year max-age and includeSubDomains

Strong cipher suites — ECDHE key exchange, AES-GCM encryption, no RC4 or MD5

Security headers — X-Frame-Options, X-Content-Type-Options, Referrer-Policy on all responses

Privacy-Preserving Protocols

Service	Protocol	How It Protects Privacy
Password Breach	k-anonymity (HIBP)	Only a SHA-1 prefix is sent — the full password hash never leaves the client. The server returns all matches for that prefix and the client checks locally.
Log Redaction	PII masking	Detects and replaces emails, credit cards, IPs, and other sensitive patterns before they reach logs or storage.
IP Geolocation	Approximate location	Returns city-level accuracy (not street-level). IP addresses are not stored after lookup.

Service

Protocol

How It Protects Privacy

Password Breach

k-anonymity (HIBP)

Only a SHA-1 prefix is sent — the full password hash never leaves the client. The server returns all matches for that prefix and the client checks locally.

Log Redaction

PII masking

Detects and replaces emails, credit cards, IPs, and other sensitive patterns before they reach logs or storage.

IP Geolocation

Approximate location

Returns city-level accuracy (not street-level). IP addresses are not stored after lookup.

Data Handling

No request body logging: API request payloads are not stored or logged by the gateway

Per-service databases: Each service has its own isolated PostgreSQL database — no cross-service data access

Credentials at rest: All stored credentials (API keys, webhook secrets) use one-way hashing — raw values cannot be recovered

JWT tokens: Login tokens expire after 15 minutes and are signed with HMAC-SHA256

Standards We Follow

Standard	Relevance
NIST SP 800-63B	Digital Identity Guidelines — breached password screening requirement
GDPR Art. 5(1)(c)	Data minimization — log redaction, no unnecessary data retention
PCI DSS Req. 3.4	Credit card masking in log redaction service
OWASP API Security Top 10	Rate limiting (API4), authentication (API2), input validation (API8)
RFC 8446	TLS 1.3 protocol for all HTTPS connections

Standard

Relevance

NIST SP 800-63B

Digital Identity Guidelines — breached password screening requirement

GDPR Art. 5(1)(c)

Data minimization — log redaction, no unnecessary data retention

PCI DSS Req. 3.4

Credit card masking in log redaction service

OWASP API Security Top 10

Rate limiting (API4), authentication (API2), input validation (API8)

RFC 8446

TLS 1.3 protocol for all HTTPS connections

Note: Orovai does not currently hold SOC 2 or ISO 27001 certification. If your organization requires these for vendor approval, please contact us to discuss your requirements.