Security

Built to be trusted.

routeur.ai routes AI prompts on behalf of your application — that means your data, your users, and your business logic flow through our gateway. We take that responsibility seriously. This page describes exactly how we protect it.

Last reviewed: May 2026. Contact: security@routeur.ai

Infrastructure security

routeur.ai runs entirely on the Google Cloud Platform (GCP), across multiple regions around the world. All compute is containerised on Cloud Run — ephemeral, stateless, and auto-scaling. There are no long-lived virtual machines to patch or misconfigure.

Cloud Run

Containerised compute with no persistent state. Each request starts in a clean environment. Containers are rebuilt from verified images on every deploy.

Secret Manager

All credentials — upstream LLM API keys, database passwords, signing keys — are stored in GCP Secret Manager. They are never written to source code, container images, or build logs.

Private networking

Service-to-service communication uses GCP's internal networking over Private Service Connect. Traffic between the gateway and the management panel never traverses the public internet.

Least privilege

Every Cloud Run service runs as a dedicated service account with only the IAM roles it requires. No service account holds roles/owner or roles/editor. Permissions are reviewed on each infrastructure change.

Container scanning

Container images are stored in Google Artifact Registry and scanned for known vulnerabilities at build time. Base images are pinned to specific minor versions — never :latest.

EU data residency

All routeur.ai infrastructure and stored data reside in GCP europe-west1 (Belgium). No data is processed outside the EU by default. Enterprise plans can request specific region constraints.

Data in transit

All connections to routeur.ai are encrypted. We enforce modern TLS standards and do not support outdated protocol versions.

  • TLS 1.2 minimum, TLS 1.3 preferred on all public-facing endpoints. Older versions are rejected.
  • HSTS enforced with a minimum one-year max-age. HTTPS is not optional — all plain HTTP is redirected.
  • Internal traffic between Cloud Run services uses GCP's managed TLS over private networking — never the public internet.
  • Upstream provider calls are made over TLS to provider endpoints. We do not support HTTP fallback for any LLM provider connection.
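The transport commitments above (TLS 1.2 minimum, HSTS with at least a one-year max-age, HTTPS only) are the kind a customer can verify from the outside. The following is an added example written for this page, not routeur.ai's own code: it parses a Strict-Transport-Security header against the one-year policy, builds a client TLS context that refuses anything older than TLS 1.2, and offers a live check that reports the negotiated protocol version and HSTS verdict for a host you name. The header strings and the threshold constant are constructed here; `check_endpoint` needs network access and is not exercised offline.

```python
"""Added example (not routeur.ai's code): verify an endpoint's TLS floor and HSTS policy."""
import http.client
import ssl
from typing import Dict, Optional, Tuple

ONE_YEAR = 31_536_000  # seconds; the minimum HSTS max-age the page commits to


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value into a directive map.
    Directive names are case-insensitive (RFC 6797), so they are lower-cased."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or None
    return directives


def hsts_compliant(header: Optional[str], min_age: int = ONE_YEAR) -> Tuple[bool, str]:
    """Return (ok, reason) for an HSTS header checked against the stated policy."""
    if header is None:
        return False, "no Strict-Transport-Security header"
    directives = parse_hsts(header)
    raw = directives.get("max-age")
    if raw is None or not raw.isdigit():
        return False, "max-age missing or not an integer"
    age = int(raw)
    if age < min_age:
        return False, f"max-age {age} is below {min_age}"
    return True, "ok"


def client_tls_context() -> ssl.SSLContext:
    """Client context that refuses anything older than TLS 1.2, so a downgraded
    endpoint fails the handshake loudly instead of connecting silently."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_endpoint(host: str, path: str = "/") -> Dict[str, object]:
    """Live check (requires network): negotiated TLS version, HTTP status and
    HSTS verdict for one HEAD request to https://host/path."""
    conn = http.client.HTTPSConnection(host, timeout=10, context=client_tls_context())
    try:
        conn.request("HEAD", path)
        resp = conn.getresponse()
        ok, reason = hsts_compliant(resp.getheader("Strict-Transport-Security"))
        return {
            "tls_version": conn.sock.version(),  # e.g. "TLSv1.3"
            "status": resp.status,
            "hsts_ok": ok,
            "hsts_reason": reason,
        }
    finally:
        conn.close()
```

A header such as `max-age=300` fails the check even though HSTS is technically present, which is the distinction the policy above draws: the header must carry a max-age of at least a year, not merely exist.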

Data at rest

Storage is encrypted at multiple layers. Sensitive values receive additional application-layer encryption on top of storage-level protection.

  • Cloud SQL (MySQL) is encrypted at rest using Google-managed encryption keys. Customer-Managed Encryption Keys (CMEK) are available on Enterprise plans.
  • LLM provider API keys are encrypted with AES-256 at the application layer before being written to the database — in addition to storage-level encryption. They are never retrievable in plaintext after initial creation.
  • Secret Manager encrypts all secrets at rest using Google's key management infrastructure. Access is logged and version-controlled.
  • Automated backups of Cloud SQL are encrypted and retained for 7 days by default. Enterprise plans can configure extended retention.

What we store — and what we don't

Our data minimisation policy is simple: we log what is necessary to provide observability, and nothing more.

We do store

  • Request timestamp
  • Provider and model selected
  • Tokens in / tokens out (counts)
  • Latency and cost estimate
  • Routing decision (auto / pinned)
  • DLP / shield verdict (pass / blocked)
  • HTTP status code

We do not store

  • The content of prompts
  • The content of LLM responses
  • User-level PII from your application
  • System prompts or agent instructions

We never use your request data to train AI models, and we never sell it to third parties.

Prompt and response payloads are forwarded through the gateway in memory and discarded immediately. They are never written to disk, logged, or retained.

Application security

Security controls are applied to every request, in both directions, before any LLM provider sees the data.

Prompt Shields

Pattern-based and semantic detection identifies prompt injection attempts, jailbreaks, and policy violations before the request is forwarded. Blocked requests are logged with the violation type and never sent to a provider.

Data Loss Prevention

DLP scanning detects PII — names, email addresses, phone numbers, credit card numbers, national identifiers — and masks it before the prompt leaves your network. Configurable per routing rule; masking patterns are auditable.
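To make the masking step concrete, here is an added example of pattern-based PII masking, written for this page and not taken from routeur.ai's implementation. It covers three of the categories listed above (email addresses, phone numbers, and credit card numbers), confirms card candidates with a Luhn checksum so that an arbitrary 16-digit reference is not masked, and returns a per-type count as the audit record while discarding the original values. Names and national identifiers are omitted because they need dictionary or model-based detection rather than a regular expression. The patterns, the sample prompt and the placeholder format are constructed here.

```python
"""Added example (not routeur.ai's code): mask PII in a prompt before it is forwarded."""
import re
from typing import Dict, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits with optional space/dash separators; confirmed by Luhn below.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Common international/national phone shapes. The lookarounds stop the pattern
# from carving a phone number out of a longer digit run that failed the card check.
PHONE_RE = re.compile(
    r"(?<![\d-])(?<!\d[ -])\+?\d{1,3}[ -]?\(?\d{2,4}\)?[ -]?\d{3,4}[ -]?\d{3,4}(?![ -]?\d)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pii(text: str) -> Tuple[str, Dict[str, int]]:
    """Return the prompt with PII replaced by typed placeholders, plus a count
    per PII type. The counts are the audit record; the values are not kept."""
    counts: Dict[str, int] = {}

    def hit(kind: str) -> str:
        counts[kind] = counts.get(kind, 0) + 1
        return f"[{kind}]"

    text = EMAIL_RE.sub(lambda m: hit("EMAIL"), text)

    def card_sub(m: "re.Match[str]") -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        return hit("CARD") if luhn_ok(digits) else m.group(0)

    text = CARD_RE.sub(card_sub, text)  # cards before phones: a card is the longer match
    text = PHONE_RE.sub(lambda m: hit("PHONE"), text)
    return text, counts


# Constructed sample prompt. 4111 1111 1111 1111 is a standard test card number;
# the final 16-digit value fails Luhn and should be left untouched.
SAMPLE = (
    "Customer jane.doe@example.com called from +44 20 7946 0958, paid with "
    "4111 1111 1111 1111, and quoted reference 4111 1111 1111 1112."
)

if __name__ == "__main__":
    masked, found = mask_pii(SAMPLE)
    print(masked)
    print(found)
```

The order of substitution is deliberate: the card pass runs before the phone pass because a card number is the longer candidate, and the Luhn fallback leaves non-card digit runs in place so that order numbers and similar references survive.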

Output Moderation

Response content is filtered against configurable policies before being returned to your application. Harmful, toxic, or off-brand content can be blocked, flagged, or replaced — without modifying your application code.

Anomaly Detection

Statistical baselines are built from your request history. Deviations — cost spikes, unusually long prompts, burst traffic from a single API key — trigger configurable alerts to your team.
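One way to build such a baseline, as an added example that is not routeur.ai's own code: per-minute windows of an API key's history are summarised into request count, cost and longest prompt, and a new window is scored against each series with a robust z-score (median and median absolute deviation, which a single earlier spike cannot distort the way a mean and standard deviation can). The history, the current windows and the alert threshold are all constructed here; the metric names are placeholders.

```python
"""Added example (not routeur.ai's code): robust per-key anomaly detection over request windows."""
import statistics
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class WindowStats:
    """Aggregate of one API key's requests in a one-minute window."""
    requests: int
    cost_usd: float
    max_prompt_tokens: int


THRESHOLD = 4.0  # robust z above which a metric is reported (constructed value)


def robust_z(value: float, history: List[float]) -> float:
    """Distance from the median in units of scaled MAD. The scale is floored at
    10% of the median so a perfectly flat history does not divide by zero."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 0.1 * abs(med), 1e-9)
    return (value - med) / scale


def detect_anomalies(history: List[WindowStats], current: WindowStats) -> Dict[str, float]:
    """Score the current window for one key against that key's history and
    return the metrics whose robust z-score exceeds THRESHOLD."""
    checks = {
        "burst_traffic": ([h.requests for h in history], current.requests),
        "cost_spike": ([h.cost_usd for h in history], current.cost_usd),
        "long_prompt": ([h.max_prompt_tokens for h in history], current.max_prompt_tokens),
    }
    alerts: Dict[str, float] = {}
    for name, (series, value) in checks.items():
        z = robust_z(value, series)
        if z > THRESHOLD:
            alerts[name] = round(z, 1)
    return alerts


def build_history() -> List[WindowStats]:
    """Constructed 30-minute history for one key: ~20 requests/min, ~$0.04/min,
    prompts of 700-900 tokens, with deterministic jitter."""
    return [
        WindowStats(
            requests=18 + (i * 7) % 5,
            cost_usd=0.035 + ((i * 3) % 7) * 0.002,
            max_prompt_tokens=700 + (i * 11) % 200,
        )
        for i in range(30)
    ]


if __name__ == "__main__":
    hist = build_history()
    burst = WindowStats(requests=400, cost_usd=0.045, max_prompt_tokens=820)
    quiet = WindowStats(requests=21, cost_usd=0.040, max_prompt_tokens=790)
    print(detect_anomalies(hist, burst))  # burst_traffic only
    print(detect_anomalies(hist, quiet))  # nothing
```

Keeping one baseline per API key is what makes the "burst traffic from a single key" case detectable: a key that normally sends twenty requests a minute and suddenly sends four hundred is flagged even when the account's total volume is unremarkable.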

API key scoping

routeur.ai API keys can be scoped to specific routes, provider subsets, and rate limits. Compromised keys can be rotated instantly from the dashboard without touching your codebase.

Injection-safe code

The management panel uses parameterised queries and Laravel's Eloquent ORM throughout. CSRF protection is enforced on all web routes. User input is never echoed unescaped in templates.

Access controls

Access to your account and its data is controlled at multiple levels.

  • Authentication required for all management functions. There are no unauthenticated admin endpoints. Login is protected by rate-limiting (Laravel's throttle:6,1 middleware, i.e. six attempts per minute) to prevent brute force.
  • Multi-factor authentication is available and strongly recommended for all accounts. Enterprise plans can enforce MFA organisation-wide.
  • Role-based access control: Admin, Member, and Viewer roles with clearly documented permission sets. Policies are enforced server-side — not just in the UI.
  • Audit logs record all administrative actions — rule changes, credential additions, seat invitations, key rotations. Retained 90 days on Growth plans, 2 years on Enterprise.
  • LLM provider credentials are displayed only at creation time. After saving, they are stored as encrypted ciphertext. No routeur.ai employee can retrieve the plaintext of a customer's API key.
  • Production access for routeur.ai employees requires MFA and is logged. Access is granted on a need-to-know basis and reviewed quarterly.

Vendor risk management

routeur.ai connects your application to upstream LLM providers on your behalf. This means your data flows through those providers' systems subject to their own data processing terms.

Before enabling a provider, we recommend reviewing their Data Processing Agreement (DPA). Most providers (OpenAI, Google, Anthropic, Mistral) offer a zero-retention API mode or enterprise DPAs on request. Our DLP feature can mask PII in prompts before they reach any provider.

  • We review each provider's security posture and data handling policies before adding them to the platform.
  • routeur.ai, operated by Oliver Tappin Ltd, acts as a data processor under GDPR for customer prompt traffic. Our Data Processing Agreement is available on request at legal@routeur.ai.
  • Customers retain full control over which providers are enabled in their account. Providers can be disabled instantly from the dashboard.
  • We do not share customer data between accounts, and we do not use customer request data to train or fine-tune any AI model — ours or any third party's.

Incident response

We maintain a documented incident response process and test it regularly.

  • Severity-1 incidents (data breach, extended outage, security compromise) are escalated immediately. Customer notifications and status updates are posted within one hour of confirmation.
  • Data breach notification: in the event of a breach affecting customer data, we will notify affected customers within 24 hours of confirmation — ahead of any regulatory requirement.
  • Disaster recovery: Cloud SQL automated backups, multi-region failover capability, and documented recovery runbooks. RTO target: 4 hours. RPO target: 1 hour.
  • Post-mortems are written for all Severity-1 and Severity-2 incidents, identifying root cause and remediation steps. Enterprise customers receive a copy on request.

Responsible disclosure

We appreciate the work of security researchers. If you discover a vulnerability in routeur.ai, please follow responsible disclosure practices.

1. Email us

Send details to security@routeur.ai. Include a clear description, steps to reproduce, and potential impact. PGP key available on request.

2. We acknowledge within 48 hours

We'll confirm receipt and provide an initial assessment. We may reach out for clarification.

3. 90-day remediation window

We ask that you allow 90 days from your initial report before public disclosure, to give us time to remediate and notify affected users if necessary.

4. Good faith

We will not pursue legal action against researchers acting in good faith under this policy. We do not operate a bug bounty programme at this time, but we will acknowledge your contribution.

Questions about our security practices?

Email security@routeur.ai for security concerns, or legal@routeur.ai for GDPR / DPA requests. Privacy requests are handled by Oliver Tappin, named DPO for routeur.ai.