Security
How SeaLink protects your data, your keys, and your API traffic. A living commitment from engineering.
Data we don't store
Request bodies (prompts) and response bodies (completions) are never persisted. We log only metadata: model, token counts, latency, status code.
Transport encryption
All SeaLink endpoints are HTTPS-only with TLS 1.2 / 1.3. Old TLS versions return 426 Upgrade Required.
Key storage
API keys are hashed (SHA-256) before storage. Keys are 192-bit random values — not human-chosen passwords — so a single SHA-256 pass is cryptographically sufficient. We can never recover the plaintext; rotation issues a new key.
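The digest-only scheme described above, as an added Python example; it is not SeaLink's code. The `sk_example_` prefix, the `KeyStore` class and the in-memory dict standing in for the key table are assumptions made for illustration.

```python
import hashlib
import secrets

KEY_BYTES = 24            # 24 bytes = 192 bits of randomness, as stated above
PREFIX = "sk_example_"    # hypothetical prefix, not SeaLink's key format


class KeyStore:
    """In-memory stand-in for a key table: SHA-256 hex digest -> tenant id."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def _digest(plaintext: str) -> str:
        # One unsalted SHA-256 pass. This is only acceptable because the input
        # is a 192-bit random value; a human-chosen password would need a slow,
        # salted KDF instead.
        return hashlib.sha256(plaintext.encode("ascii")).hexdigest()

    def issue(self, tenant: str) -> str:
        plaintext = PREFIX + secrets.token_urlsafe(KEY_BYTES)
        self._by_digest[self._digest(plaintext)] = tenant
        return plaintext  # returned to the caller once; only the digest is kept

    def authenticate(self, presented: str):
        try:
            digest = self._digest(presented)
        except UnicodeEncodeError:
            return None  # issued keys are ASCII, so anything else cannot match
        # The lookup is keyed on the digest, which the caller cannot steer
        # without inverting SHA-256, so no plaintext comparison takes place.
        return self._by_digest.get(digest)

    def rotate(self, old_plaintext: str) -> str:
        tenant = self.authenticate(old_plaintext)
        if tenant is None:
            raise PermissionError("unknown key")
        # The old plaintext cannot be recovered, so rotation means
        # deleting the old digest and issuing a fresh key.
        del self._by_digest[self._digest(old_plaintext)]
        return self.issue(tenant)


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue("tenant-a")
    print("authenticated as:", store.authenticate(key))
    new_key = store.rotate(key)
    print("old key valid after rotation:", store.authenticate(key) is not None)
```
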
Upstream isolation
Customer credentials are scoped to SeaLink authentication and billing. Upstream calls use SeaLink-managed provider credentials.
Data residency
Default region: Singapore. Enterprise clients with sovereign requirements can define dedicated residency terms during onboarding.
Tenant isolation
Per-customer rows are scoped at the database level. Each API request resolves to a single tenant context; cross-tenant reads return zero rows.
Compliance posture
Singapore PDPA posture, GDPR terms for EU traffic, DPA support for business customers, and documented vulnerability intake.
Reporting a vulnerability
Email security@sealink.asia with details. We acknowledge within 48 hours, triage within a week, and credit confirmed reports in /trust if you'd like.
Need a DPA or compliance report?
Email legal@sealink.asia with your company and use case. Turnaround is 3 business days.