Security & Trust

Last updated: March 2026

CesaFlow is built with security as a core principle. This page explains how we handle your data, how we protect your credentials, and what controls are available to you.

Security Overview

BYOM Architecture

Your API keys are encrypted at rest with AES-256. CesaFlow calls providers on your behalf — we never resell or mark up tokens.

No Code Retention

Generated code and AI model responses are not retained after your run completes. Workspaces are ephemeral unless you use named projects.

Encrypted Transit

All data in transit is encrypted via TLS 1.2+. Cloudflare provides edge security, DDoS protection, and WAF.

Data Flow Architecture

When you start a run, here is exactly how your data flows:

┌─────────────┐     HTTPS/TLS      ┌──────────────────┐
│  Your App   │ ──────────────────▶ │  CesaFlow API    │
│  (Browser,  │                    │  (api.cesaflow.ai)│
│   IDE, CLI) │                    └────────┬─────────┘
└─────────────┘                             │
                                            │  Your encrypted API key
                                            │  is decrypted in memory
                                            │  (never logged, never stored
                                            │   in plaintext)
                                            │
                              ┌──────────────┴──────────────┐
                              │                             │
                        ┌─────▼─────┐               ┌──────▼──────┐
                        │  AI       │               │  AI         │
                        │  Provider │               │  Provider   │
                        │  (OpenAI) │               │  (Anthropic)│
                        └───────────┘               └─────────────┘

Key points:
• CesaFlow backend proxies AI calls using YOUR key
• Your key is AES-256 encrypted at rest in PostgreSQL
• Keys are decrypted only in memory during request execution
• We do NOT store prompts or model responses after run completion
• Token usage (count only, not content) is logged for billing

BYOM (Bring Your Own Model) Architecture

How It Works

  • You provide your API key (e.g., OpenAI, Anthropic, Groq) via the dashboard or API.
  • CesaFlow encrypts your key with AES-256-GCM and stores the ciphertext in PostgreSQL.
  • When a run executes, the key is decrypted in memory only for the duration of the API call.
  • CesaFlow makes the AI provider call on your behalf from our backend servers.
  • The AI provider bills your account directly at their published rates — CesaFlow adds zero markup.
  • After the call completes, the decrypted key is discarded from memory.
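
The key lifecycle described in this list, sketched as an added example (not CesaFlow's code) using the Python cryptography package. The function names, the nonce || ciphertext storage layout, the use of the org ID as associated data, and the KMS-held master key are all assumptions made for illustration.

```python
import os
from contextlib import contextmanager

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the recommended size for GCM


def seal_api_key(master_key: bytes, org_id: str, api_key: str) -> bytes:
    """Encrypt a provider key; returns nonce || ciphertext+tag for the DB column."""
    nonce = os.urandom(NONCE_LEN)  # fresh per encryption: GCM breaks on nonce reuse
    # Assumption: org_id is bound as associated data, so a row copied to another org fails.
    return nonce + AESGCM(master_key).encrypt(nonce, api_key.encode(), org_id.encode())


@contextmanager
def unsealed_api_key(master_key: bytes, org_id: str, blob: bytes):
    """Yield the plaintext key in a mutable buffer for one provider call only."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    plain = bytearray(AESGCM(master_key).decrypt(nonce, ct, org_id.encode()))
    try:
        yield plain
    finally:
        # Best-effort wipe of our buffer. The immutable bytes object that
        # decrypt() returned is not zeroed when it is freed.
        plain[:] = bytes(len(plain))


def rejected(master_key: bytes, org_id: str, blob: bytes) -> bool:
    """True if authenticated decryption refuses the blob for this org."""
    try:
        with unsealed_api_key(master_key, org_id, blob):
            return False
    except InvalidTag:
        return True


def demo() -> dict:
    master = AESGCM.generate_key(bit_length=256)  # constructed; assume a KMS holds the real one
    blob = seal_api_key(master, "org_a", "example-provider-key-not-real")
    with unsealed_api_key(master, "org_a", blob) as key:
        roundtrip = bytes(key).decode()  # the provider call would happen here
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    return {"roundtrip": roundtrip, "wiped": not any(key),
            "cross_org_rejected": rejected(master, "org_a" if False else "org_b", blob),
            "tamper_rejected": rejected(master, "org_a", tampered)}
```

In Python, "discarded from memory" can only be best effort: the bytearray is overwritten, but interpreter-managed copies are outside the application's control.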

What We Do NOT Do

  • We do NOT store your API key in plaintext — ever.
  • We do NOT log, cache, or retain AI model responses after run completion.
  • We do NOT share your key with any third party.
  • We do NOT mark up or resell AI tokens.

Encryption

Layer | Method | Details
Data in transit | TLS 1.2+ | Cloudflare edge + origin SSL
API keys at rest | AES-256-GCM | Encrypted in PostgreSQL, decrypted only in memory
Passwords | bcrypt | Salted hash, never stored in plaintext
Session tokens | JWT + Redis | Short-lived tokens with server-side validation
Webhook signatures | HMAC-SHA256 | GitHub webhook verification
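
For the webhook row above, an added example (not CesaFlow's code) of HMAC-SHA256 verification of a GitHub delivery. GitHub sends the signature in the X-Hub-Signature-256 header as "sha256=" followed by the hex digest of the raw body. The function names, secret and payload are constructed for illustration.

```python
import hashlib
import hmac
import json

SIG_PREFIX = "sha256="


def verify_github_signature(secret: bytes, raw_body: bytes, header_value) -> bool:
    """Validate an X-Hub-Signature-256 header against the raw request body."""
    if not isinstance(header_value, str) or not header_value.startswith(SIG_PREFIX):
        return False  # missing header or unexpected scheme: reject, never skip the check
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    supplied = header_value[len(SIG_PREFIX):]
    # Compare as bytes: constant-time, and no TypeError on non-ASCII header junk.
    return hmac.compare_digest(expected.encode(), supplied.encode("utf-8", "replace"))


def webhook_demo() -> dict:
    secret = b"constructed-webhook-secret"          # constructed sample secret
    raw = b'{"action":"opened","number":1}'         # constructed sample payload
    good = SIG_PREFIX + hmac.new(secret, raw, hashlib.sha256).hexdigest()
    # Re-serialising parsed JSON changes whitespace, so the digest no longer matches:
    # the check must run over the exact bytes received, before any parsing.
    reserialised = json.dumps(json.loads(raw)).encode()
    return {
        "valid": verify_github_signature(secret, raw, good),
        "reserialised_body": verify_github_signature(secret, reserialised, good),
        "missing_header": verify_github_signature(secret, raw, None),
        "wrong_scheme": verify_github_signature(secret, raw, "sha1=" + good[7:]),
        "wrong_secret": verify_github_signature(b"other-secret", raw, good),
        "non_ascii_header": verify_github_signature(secret, raw, SIG_PREFIX + "\u00e9" * 64),
    }
```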

Data Retention

Data Type | Retention | Notes
Generated code (workspace) | Run duration | Deleted after download/completion unless project_id is used
AI model responses | Not retained | Streamed to client, not stored server-side
Run metadata | Account lifetime | Objective, status, timestamps, token counts (not content)
Project workspaces | Until project deleted | Persistent workspaces for named projects
API keys (yours) | Until revoked | AES-256 encrypted at rest
Audit logs | 90 days | Admin actions, auth events

Access Control

Organization Isolation

Each organization is fully isolated — runs, projects, keys, and team members are scoped to a single org. No cross-org data access.

Role-Based Access

Team members can be assigned Admin or Developer roles. Admins can manage billing, keys, and team settings. Developers can create and view runs.

API Key Authentication

All API calls require a valid API key (x-api-key header). Keys are scoped to a single organization.

Admin Panel

The admin panel (Nexus) uses separate session-based authentication with Redis-backed tokens (8-hour TTL).

Infrastructure

  • Edge security: Cloudflare provides DDoS protection, WAF, bot management, and SSL termination.
  • Application: FastAPI backend with async request handling, Docker containerization.
  • Database: PostgreSQL with encrypted connections. Redis for session management and caching.
  • Agent sandboxing: Run commands execute in isolated workspace directories. Optional unshare-based sandboxing available for enhanced isolation.
  • Self-hosted option: Enterprise customers can deploy CesaFlow on their own infrastructure for complete data sovereignty.
  • Security headers: X-Content-Type-Options, X-Frame-Options (DENY), X-XSS-Protection, strict Referrer-Policy.

Compliance Roadmap

CesaFlow is committed to meeting enterprise security standards. Here is our current status and roadmap:

Standard | Status | Timeline
AES-256 encryption at rest | Active | Implemented
TLS 1.2+ in transit | Active | Implemented
Role-based access control | Active | Implemented
Audit logging | Active | Implemented
Self-hosted deployment | Available | Enterprise plan
SSO (SAML/OIDC) | Planned | Q2 2026
SOC 2 Type II | Planned | Q3 2026
Penetration testing | Planned | Q2 2026
GDPR compliance | In progress | Q2 2026
Regional data residency | Roadmap | Q4 2026

Security Contact

To report a security vulnerability or request our security documentation for procurement, contact us at [email protected].