Data protection on every request
Before a prompt reaches a model provider, SRAN scans it for sensitive data. 30 built-in detectors cover the categories that actually show up in AI workflows.
What we detect by default
- Credentials — API keys (OpenAI, AWS, Stripe, GitHub, Slack, and more), JWTs, private SSH keys, database connection strings
- Personal data — email addresses, phone numbers, full names when paired with other identifiers, dates of birth, national IDs
- Financial data — credit card numbers, bank account numbers, IBAN, SWIFT codes
- Health data — medical record numbers, insurance IDs, diagnosis codes (HIPAA-adjacent contexts)
- Infrastructure — internal IP ranges, private hostnames, cloud resource ARNs
When a match is found, you choose the policy: block the request, redact the match, warn and log, or allow with an audit entry.
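The detect-then-decide flow described above, as an added example written for this page (it is not SRAN's detector engine or API). It implements five of the categories listed with regex detectors, adds a validator step that drops regex-only false positives (a Luhn check for card numbers, a private-range check for IPs), maps each category to one of the four policy outcomes, and applies them to a prompt. The patterns, category names, the `[REDACTED:...]` placeholder and the sample prompts are assumptions; the prompts are constructed, and the AWS key in them is the placeholder key from AWS's own documentation.

```python
"""Prompt scanning with per-category policies (added example, not SRAN's code)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Action(Enum):
    BLOCK = "block"    # reject the whole request
    REDACT = "redact"  # replace the match before forwarding
    WARN = "warn"      # forward unchanged, raise a warning
    ALLOW = "allow"    # forward unchanged, audit entry only


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters most 13-19 digit numbers that are not card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_private_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


@dataclass(frozen=True)
class Detector:
    name: str
    category: str
    pattern: re.Pattern
    validate: Callable[[str], bool] = lambda m: True  # secondary check on the raw match


# Simplified, assumed patterns; a production detector set is far larger.
DETECTORS = [
    Detector("openai_api_key", "credential", re.compile(r"\bsk-[A-Za-z0-9]{20,}\b")),
    Detector("aws_access_key_id", "credential", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    Detector("email", "personal", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    Detector("credit_card", "financial", re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),
             lambda m: luhn_ok(re.sub(r"\D", "", m))),
    Detector("private_ip", "infrastructure", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
             is_private_ip),
]

# Assumed default policy: credentials block, PII/financial redact, internal addresses warn.
DEFAULT_POLICY = {
    "credential": Action.BLOCK,
    "personal": Action.REDACT,
    "financial": Action.REDACT,
    "infrastructure": Action.WARN,
}


@dataclass(frozen=True)
class Finding:
    detector: str
    category: str
    start: int
    end: int


def scan(prompt: str) -> list[Finding]:
    raw = []
    for det in DETECTORS:
        for m in det.pattern.finditer(prompt):
            if det.validate(m.group(0)):
                raw.append(Finding(det.name, det.category, m.start(), m.end()))
    # Keep the earliest of any overlapping matches so redaction offsets never collide.
    findings, last_end = [], -1
    for f in sorted(raw, key=lambda f: (f.start, -f.end)):
        if f.start >= last_end:
            findings.append(f)
            last_end = f.end
    return findings


@dataclass
class Decision:
    action: Action             # overall outcome for the request
    outbound: Optional[str]    # text forwarded to the provider (None when blocked)
    findings: list[Finding] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)  # never contains the matched value


def apply_policy(prompt: str, policy: dict[str, Action] = DEFAULT_POLICY) -> Decision:
    findings = scan(prompt)
    actions = [policy[f.category] for f in findings]
    audit = [f"{f.detector}:{a.value}@{f.start}-{f.end}" for f, a in zip(findings, actions)]
    if Action.BLOCK in actions:  # one credential hit rejects the whole request
        return Decision(Action.BLOCK, None, findings, audit)
    text = prompt
    for f in reversed(findings):  # right to left so earlier offsets stay valid
        if policy[f.category] is Action.REDACT:
            text = text[:f.start] + f"[REDACTED:{f.detector}]" + text[f.end:]
    overall = next((a for a in (Action.REDACT, Action.WARN) if a in actions), Action.ALLOW)
    return Decision(overall, text, findings, audit)


# Constructed sample prompts (the AWS key is AWS's documented placeholder).
CLEAN_PROMPT = "Rewrite this paragraph in a friendlier tone."
KEY_PROMPT = ("Why does boto3 reject AKIAIOSFODNN7EXAMPLE? My OpenAI key "
              "sk-TESTabcdefghijklmnopqrstuvwxyz0123 still works.")
MIXED_PROMPT = ("Refund order 4111 1111 1111 1112 for card 4111 1111 1111 1111, "
                "customer alice@example.com, server 10.0.0.5")

if __name__ == "__main__":
    for p in (CLEAN_PROMPT, KEY_PROMPT, MIXED_PROMPT):
        d = apply_policy(p)
        print(d.action.value, d.audit, d.outbound)
```

Two details carry over to any real deployment: the audit entry records detector, action and offsets but never the matched value, so the log cannot become a second copy of the secret it caught; and the order number in the mixed prompt has the same shape as the card number but fails the Luhn check, which is why pattern-only detectors need a validator step before they are allowed to block traffic.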
Compliance
- SOC 2 Type II — audited annually. Report available under NDA.
- GDPR — DPA available. EU data can be pinned to EU regions.
- ISO 27001 — certified.
- HIPAA — BAA available on Enterprise. Healthcare workloads supported.
How we handle your data
In transit
TLS 1.3 for every external connection. Mutual TLS available for Enterprise customers.
At rest
AES-256 for logs and metadata. Customer-managed keys (CMK) available on Enterprise.
Retention
Request bodies are never persisted by default; only metadata (token counts, latency, model, timestamp) is stored. Optional body logging is opt-in per API key, and logged bodies are encrypted with a tenant-specific key.
Access
Production data access is limited to on-call engineers under break-glass procedures. Every access is logged and reviewed.
Reporting a vulnerability
Send details to security@sran.ai. We acknowledge within 24 hours and publish fixes on a coordinated disclosure schedule. We run a private bug bounty — email us for scope and rewards.
Want the details?
Request our security whitepaper, SOC 2 Type II report, or pen test summary at security@sran.ai.