Security commitments
Security
How SeaLink protects your data, your keys, and your API traffic. A living commitment from engineering.
Data we don't store
Request bodies (prompts) and response bodies (completions) are never persisted. We log only metadata: model, token counts, latency, status code.
Transport encryption
All SeaLink endpoints are HTTPS-only with TLS 1.2 / 1.3. Old TLS versions return 426 Upgrade Required.
Integrity model
SeaLink does not provide end-to-end cryptographic integrity guarantees for model responses. Traffic is decrypted and re-encrypted at our gateway for security inspection, usage metering, and guardrail enforcement. Enterprise customers requiring end-to-end integrity should contact us for dedicated deployment options.
Key storage
API keys are hashed (SHA-256) before storage. Keys are cryptographically random — not human-chosen passwords — and stored using industry-standard hashing. We can never recover the plaintext; rotation issues a new key.
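A sketch of the storage model this section describes, added here as an illustration and not SeaLink's code: only a SHA-256 digest of a random key is kept, lookup is by digest, and rotation replaces the key instead of recovering it. The `KeyStore` class, the `sk_example_` prefix and the in-memory table are hypothetical.

```python
import hashlib
import hmac
import secrets

KEY_PREFIX = "sk_example_"  # constructed prefix, not a SeaLink key format


class KeyStore:
    """Hypothetical in-memory key table that holds only SHA-256 digests."""

    def __init__(self):
        self._digest_to_tenant = {}

    @staticmethod
    def _digest(api_key: str) -> str:
        return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

    def issue(self, tenant: str) -> str:
        # 32 bytes from the OS CSPRNG give 256 bits of entropy, so guessing
        # the input of a fast hash is infeasible. A human-chosen password
        # would need a slow, salted KDF instead.
        api_key = KEY_PREFIX + secrets.token_urlsafe(32)
        self._digest_to_tenant[self._digest(api_key)] = tenant
        return api_key  # returned once to the caller, never stored

    def authenticate(self, presented: str):
        candidate = self._digest(presented)
        for stored, tenant in self._digest_to_tenant.items():
            # Constant-time comparison of the two hex digests.
            if hmac.compare_digest(stored, candidate):
                return tenant
        return None

    def rotate(self, old_key: str) -> str:
        tenant = self.authenticate(old_key)
        if tenant is None:
            raise PermissionError("unknown key")
        # The plaintext cannot be recovered from the digest, so rotation
        # deletes the old digest and issues a fresh key.
        del self._digest_to_tenant[self._digest(old_key)]
        return self.issue(tenant)

    def stored_values(self):
        # What a database dump would expose: digests only.
        return list(self._digest_to_tenant)
```
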
Credential isolation
Customer credentials are scoped to SeaLink authentication and billing. Model provider calls use SeaLink-managed credentials — your keys never leave our systems.
Data residency
Default region: Singapore. Enterprise clients with sovereign requirements can define dedicated residency terms during onboarding.
Tenant isolation
Per-customer rows are scoped at the database level. Each API request resolves to a single tenant context; cross-tenant reads return zero rows.
Compliance posture
Singapore PDPA posture, GDPR terms for EU traffic, DPA support for business customers, and documented vulnerability intake.
Reporting a vulnerability
Email contact@sealink.io with details. We acknowledge within 48h, triage within a week, and credit confirmed reports in /trust if you'd like.
Need a DPA or compliance report?
Email contact@sealink.io with your company and use case — 3 business day turnaround.