Run a free scan
Security & trust

We sit inline on your traffic. Here’s exactly how we keep that safe.

Trust is earned, not asserted. Built for the spend owner: scoped keys, an audit log, fail-open. This page is specific on purpose — what’s live today, and what’s on the roadmap, each labeled. SOC 2 and self-host are planned, not shipped. Data residency: US (us-east-1).

Read our DPABook a security call
Reliability is a security property

Fail-open to your baseline.

The gateway is fail-open: before the first token, if Recovea is unreachable or errors, the request falls back cleanly to your provider on your own keys; mid-stream, you get a clean error to retry. One-config rollback is always available. Reliability is a feature, not a footnote.

# if a transform fails before the first token
→ serve on the baseline model
→ no change · clean fallback
# if it fails mid-stream
clean error so you can retry
The controls

Specific, in order of your control.

Self-host in your VPC Planned

On the enterprise roadmap: run the gateway in your own infrastructure. Today we run the managed service. Either way your provider keys pass through on your own accounts — we never resell tokens.

No prompt bodies by default

We measure tokens and cost without retaining content. Metadata-only scan option; one body-free structured event per request.

Salted per-tenant cache Planned

Ships with the cache lever, designed in from day one: a byte-identical prompt from another tenant will miss your cache by construction. Most gateways share cache; we won’t.

Scoped, audited access

Tenant-scoped, least-privilege access. Key mint, rotate, and revoke are audit-logged; ledger history is hash-chained and append-only.

No training on your data

Stated and enforced. Provider keys are encrypted at rest (AES-256-GCM); the encryption key is held in our secrets store today, with KMS envelope encryption and bring-your-own-CMK planned. You can rotate or revoke anytime, and plaintext keys are shown exactly once at mint.

SOC 2 on the roadmap

Not certified yet, and we say so: we build to SOC 2-aligned controls and state our status honestly — no false claims. DPA available; subprocessors listed.
For the spend owner — and a second lane for finance

An auditable, basis-labeled cost ledger you can defend.

Live today: scoped keys, an append-only audit log, and a hash-chained cost ledger that attributes every dollar by key, team, and lever. Verified savings — net of quality, on the IPMVP spine — are off · proof pending until the eval gate ships. Need to show your board? Finance gets the same ledger as a second lane.

  • Scoped, audited: key mint/rotate/revoke is audit-logged; ledger history is hash-chained and append-only.
  • Every figure drills to the request that produced it. No vanity numbers.
  • IPMVP-grade when verified savings turn on — the same performance-contracting method used to verify energy savings; off · proof pending today.
Book a call

When we’re not a fit

If an inline proxy is a hard no in your org, we’ll tell you we’re not a fit rather than fight it. Start with a metadata-only scan, or book a security call to talk through the deployment roadmap (self-host is planned, not shipping today).

Run a metadata-only scanRead the docs

Put your AI spend under control you can audit and defend.

See and govern your spendBook a security call