Trust & Security
Last updated: March 11, 2026
ModelCost is designed for teams that ship AI to production and need to prove their data handling meets enterprise security requirements. This page describes the architecture, controls, and practices we use to protect your data.
1. Security Architecture
ModelCost uses an SDK-first architecture. Our lightweight SDK wraps your existing AI provider calls (OpenAI, Anthropic, Google) directly in your application process. There is no proxy server, no man-in-the-middle, and no infrastructure changes required. Your API calls go directly to your AI provider. The SDK captures only cost and usage metadata and transmits it asynchronously to ModelCost servers.
- No proxy or gateway between your application and AI providers
- Sub-millisecond latency overhead on API calls
- Fail-open design: if ModelCost is unreachable, your API calls proceed normally
- Asynchronous metadata reporting with batched transmission
2. Data Handling
ModelCost collects API usage metadata only: model identifiers, token counts, latency measurements, feature tags, and cost calculations. We do not collect, store, or have access to the content of your AI prompts or completions.
When governance features are enabled, PII and sensitive data scanning runs entirely within your application process using the SDK's embedded detection engine. Only anonymized metadata signals (violation type, severity, and action taken) are transmitted to ModelCost. Raw prompt and completion text never leaves your environment.
By default, ModelCost stores zero prompt content. Organizations on the Scale plan can optionally enable ephemeral snippet storage for forensic review, with configurable auto-expiry ranging from 1 to 90 days. Expired snippets are permanently purged by an automated daily job.
3. Four Layers of Privacy Hardening
Our governance feature is built with four layers of privacy protection, each independently configurable:
- Layer 1: Metadata-Only Default. No prompt snippets are stored unless explicitly enabled by an organization administrator. Violation records contain only type, severity, timestamp, and action taken.
- Layer 2: Role-Based Access. Violation details are gated behind explicit read permissions. Team members without the governance_violations read permission cannot view individual violation records. Administrators and editors with edit permissions automatically receive read access.
- Layer 3: User Anonymization. When enabled, user identities in violation records are replaced with deterministic pseudonyms (e.g., "User 4821") derived from a random per-organization salt. The same user always produces the same pseudonym within an organization, but the pseudonym cannot be reversed without administrator access.
- Layer 4: Ephemeral Snippets. When snippet storage is enabled for forensic review, snippets are automatically purged after a configurable retention period. Every snippet access is logged in the governance audit trail, including who accessed it and when.
4. Encryption
- In transit: All data is encrypted using TLS 1.2 or higher
- At rest: All data is encrypted using AES-256
- API tokens: Stored as cryptographic hashes (SHA-256) and cannot be retrieved after creation. Only the key prefix is stored for identification.
- Passwords: Managed by AWS Cognito with PBKDF2-based hashing
5. Access Controls
ModelCost implements role-based access control (RBAC) across the platform:
- Roles: Admin, Editor, and Viewer roles with granular feature-level permissions
- Governance RBAC: Separate read and edit permissions for governance features and violation data
- Deanonymization: Reversing user anonymization requires the administrator role and creates an immutable audit log entry
- Audit trail: All sensitive governance actions (snippet access, identity reveals, settings changes) are logged with actor, timestamp, and target
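Layer 3 above describes deterministic pseudonyms derived from a per-organization salt, and the Deanonymization item here says reversal is admin-only and audited. The following Python is an added illustration, not ModelCost's SDK or server code, of one way to build both: an HMAC-SHA256 over the per-organization salt produces the pseudonym, and a reveal function requires the admin role and writes an audit entry on every attempt. The salt values, user ids, the eight-digit number width, and the in-memory index and audit log are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed per-organization salts (hypothetical values). In a real system
# each is a random 32-byte secret generated once per organization and kept
# server-side, so a pseudonym cannot be recomputed outside the service.
ORG_SALTS = {
    "org_a": bytes.fromhex("a1" * 32),
    "org_b": bytes.fromhex("b2" * 32),
}

# pseudonym -> user id, per organization. Only the admin reveal path reads it.
PSEUDONYM_INDEX: dict[str, dict[str, str]] = {}
AUDIT_LOG: list[dict] = []


def pseudonymize(org_id: str, user_id: str) -> str:
    """Salted, deterministic pseudonym: same user -> same name within one org."""
    digest = hmac.new(ORG_SALTS[org_id], user_id.encode(), hashlib.sha256).digest()
    # Eight decimal digits taken from the keyed hash. A narrower space (the
    # four digits of "User 4821") makes two users sharing a pseudonym likelier,
    # so the collision check below matters more as the number width shrinks.
    number = int.from_bytes(digest[:8], "big") % 10**8
    pseudonym = f"User {number:08d}"
    index = PSEUDONYM_INDEX.setdefault(org_id, {})
    if index.get(pseudonym, user_id) != user_id:
        raise RuntimeError(f"pseudonym collision in {org_id}: {pseudonym}")
    index[pseudonym] = user_id
    return pseudonym


def reveal(org_id: str, pseudonym: str, actor: str, role: str) -> str:
    """Reverse a pseudonym. Admin-only; every attempt lands in the audit log."""
    entry = {
        "action": "identity_reveal",
        "actor": actor,
        "target": pseudonym,
        "org": org_id,
        "at": datetime.now(timezone.utc).isoformat(),
    }
    if role != "admin":
        AUDIT_LOG.append({**entry, "outcome": "denied"})
        raise PermissionError("identity reveal requires the administrator role")
    AUDIT_LOG.append({**entry, "outcome": "allowed"})
    return PSEUDONYM_INDEX[org_id][pseudonym]
```

Because the HMAC key is the organization's salt, the same user gets different pseudonyms in different organizations, and the only way back to the identity is the index that the audited reveal path consults.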
6. Infrastructure
- Hosted on AWS with multi-AZ deployment
- PostgreSQL database with automated backups
- Rate limiting per organization (100 to 2,000 requests/second depending on plan)
- Global IP-based rate limiting for DDoS mitigation
7. Compliance Readiness
ModelCost is designed with compliance requirements in mind:
- GDPR: Data minimization by default (metadata only), configurable retention periods, data subject access and deletion rights
- HIPAA: PHI detection and blocking, audit trail for all data access, configurable data handling policies
- SOC 2: Access controls, audit logging, and encryption align with SOC 2 Type II trust service criteria
Enterprise customers requiring VPC deployment, dedicated infrastructure, or a Business Associate Agreement (BAA) should contact our sales team.
8. Responsible Disclosure
If you discover a security vulnerability, please report it responsibly to support@modelcost.ai. We take all reports seriously and will respond within 48 hours.
9. Contact
For security questions or to request our security documentation, contact us at support@modelcost.ai.