Trust

Security

This page documents InferAll's current security posture in plain language. Where we have not yet verified behavior end-to-end or completed a third-party audit, we say so explicitly. InferAll does not currently hold FedRAMP, SOC 2, HIPAA, or FISMA certifications — those require real audits, and we will only publish them when they exist.

Encryption in transit

All traffic to api.inferall.ai and inferall.ai is served over TLS; plaintext HTTP is not accepted. Connections to upstream model providers (OpenAI, Anthropic, Google, NVIDIA, Replicate, Runway) are likewise made over TLS to each provider's standard HTTPS endpoint.

Key and credential storage

User authentication is handled by Supabase Auth. Session tokens (JWTs) are stored client-side per Supabase's standard browser-client behavior; InferAll does not maintain its own session store.

Billing is handled by Stripe. Card data never touches InferAll's servers — checkout sessions are hosted by Stripe and only opaque customer/subscription identifiers are persisted on our side.

InferAll API keys (prefix ifa_ or kr_proj_) are generated server-side and shown to the user once, at creation time. Only a hash of the key is stored; each request is verified by hashing the presented key and comparing it against that stored hash. Because the plaintext is not retained, a lost key cannot be recovered and should be rotated by creating a new one.

What InferAll logs

The gateway logs the request metadata required to operate the service: timestamp, requesting key id (a hash, not the key itself), chosen upstream provider and model, token counts, latency, status code, and request id. These records power usage analytics and billing reconciliation.

InferAll's product intent is that prompt and response bodies are not persisted after the request completes. We are in the process of formally documenting that behavior against the gateway code (kindlyrobotics/infra) and will update this section once verified end-to-end. If prompt/response retention matters for your use case, please contact us before deploying production traffic.

The VS Code extension separately scaffolds an inferall.auditLog.enabled setting that, when implemented, will write request metadata (never bodies) to a local rotating file for compliance workflows. See the VS Code extension page.

Data residency

The gateway runs on Fly.io with primary deployment in US regions. Upstream provider calls go to each provider's published regional endpoint. EU-only and on-prem deployment options are on the roadmap for organizations with hard data residency requirements; please contact us if this applies.

Retention policy

Retention windows for request metadata, billing records, and support correspondence will be enumerated here once finalized. Billing records are retained for as long as required by applicable tax law. Request metadata retention is currently scoped to what the analytics and billing pipeline needs to reconcile usage; we are working to publish exact windows.

Compliance certifications

InferAll does not currently claim FedRAMP, SOC 2, HIPAA, FISMA, ISO 27001, or any other formal certification. Real certifications require real audits — we will publish each certification only when it has been issued. If your procurement process requires a specific certification, please tell us; that demand directly informs which audit we pursue first.

Reporting a vulnerability

If you believe you have found a security vulnerability, please use the security contact that will be published here. Until that mailbox is live, reach the team through the GitHub repo at kindlyrobotics/infra by asking for a private contact, without putting vulnerability details in a public issue, and we will move the conversation to a private channel immediately.