Current protections
- API keys are hashed before storage and full keys are shown only once.
- Project OpenAI keys are stored encrypted and displayed only as a safe hint after save.
- Key prefixes are used for lookup and safe display.
- Revoked keys are rejected.
- Payload size limits and strict request validation are enforced.
- Normal logs do not record raw request payloads.
- Rate limiting is enforced per API key.
- Monthly request limits are tracked per project for hosted plans.
- Request payloads are stored only where required to process queued work.
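The hash-and-prefix key handling described in the first, third and fourth items above, as an added illustration that is not ReqRun's own code: the key is returned once at creation, only its SHA-256 digest and a short lookup prefix are stored, lookup goes by prefix, verification uses a constant-time comparison, and revoked records are rejected before the hash is even checked. The `rr_` key format, the 8-character prefix length and the digest algorithm are assumptions for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PREFIX_LEN = 8  # assumed: leading characters used for lookup and safe display


@dataclass
class StoredKey:
    prefix: str     # safe to show in the dashboard and to use for lookup
    key_hash: str   # hex SHA-256 of the full key; the raw key is never stored
    revoked: bool = False


class ApiKeyStore:
    def __init__(self) -> None:
        self._keys: dict = {}  # prefix -> StoredKey

    @staticmethod
    def _digest(raw_key: str) -> str:
        # A fast hash is adequate here because the key is a high-entropy random
        # token, not a user-chosen password that would need a slow KDF.
        return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()

    def create_key(self) -> str:
        """Return the full key exactly once; only prefix + hash are persisted."""
        while True:
            raw = "rr_" + secrets.token_urlsafe(32)  # assumed key format
            prefix = raw[:PREFIX_LEN]
            if prefix not in self._keys:  # retry on the rare prefix collision
                break
        self._keys[prefix] = StoredKey(prefix=prefix, key_hash=self._digest(raw))
        return raw

    def display_hint(self, prefix: str) -> str:
        """What the dashboard may show after save: the prefix, never the key."""
        return prefix + "..."

    def revoke(self, prefix: str) -> None:
        self._keys[prefix].revoked = True

    def authenticate(self, raw_key: str) -> bool:
        record = self._keys.get(raw_key[:PREFIX_LEN])
        if record is None or record.revoked:
            return False  # unknown or revoked keys are rejected outright
        # Constant-time compare of digests avoids leaking how many bytes matched.
        return hmac.compare_digest(record.key_hash, self._digest(raw_key))
```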
Infrastructure overview
The v1 deployment shape is a FastAPI API process, worker process, dashboard, reverse proxy, and SQLite database on a managed VM or equivalent host.
Production deployments should use HTTPS, firewall rules, host-level secret management, log rotation, database backups, and restricted filesystem access to environment secrets and SQLite files.
Compliance status
ReqRun does not claim SOC 2, ISO 27001, HIPAA, or other formal certifications at launch. Such claims will be added to this page only once a certification has actually been obtained.