Security

Current pre-release summary · July 9, 2026

Draft for counsel review and operational validation. This page is a control summary, not a certification, audit opinion, warranty, or security SLA.

Current controls

  • TLS for browser, API, and provider connections in supported production deployments.
  • Envelope encryption for stored provider credentials, with decryption in service memory when needed.
  • HTTP-only, SameSite session cookies; Secure in production; password hashing and optional MFA.
  • Scoped application roles, rate limits, request validation, key revocation, and operational security logs.
  • Pre-call wallet reservations, per-key caps, and paid-plan client spend caps designed to reduce unbounded usage through WebikAI.
  • No prompt/response body storage by default; encrypted, opt-in idempotency replay for eligible non-streaming responses expires within 24 hours.

Important limits

No system is perfectly secure. API content must be transmitted to the selected AI provider or aggregator, whose controls and policies are outside WebikAI’s control. BYOK customers remain responsible for provider-side access settings, key rotation, and provider charges. WebikAI does not currently claim SOC 2, ISO 27001, HIPAA, PCI service-provider, FedRAMP, or other independent certification. Do not send regulated or highly sensitive data unless appropriate written terms and controls have been confirmed.

Customer responsibilities

Use unique credentials and MFA where available; limit key distribution; label and cap keys appropriately; select providers whose data terms fit the workload; revoke unused or exposed keys; monitor usage; validate AI output; and report suspicious activity promptly. Never send a provider secret, password, full prompt body, or unnecessary personal data in a support email.

Report a vulnerability

Email [email protected] with a concise description, reproduction steps, impact, and safe contact details. Do not access other customers’ data, disrupt service, exfiltrate secrets, use social engineering, or publish a vulnerability before coordinated resolution. WebikAI does not yet promise a bug bounty; good-faith reports will be triaged.