Every VAR node is isolated. Every API key is hashed, never stored. Payload content is processed in memory and not persisted. Here's exactly how we protect your infrastructure — and your clients' data.
Each provisioned node operates in its own isolated data context. Usage events, billing aggregates, and API key data for one VAR are never accessible to another — not through the API, not through the dashboard, not even to us in normal operations. Complete data segregation is enforced at the database query level.
Your Master API Key is shown exactly once at provisioning. We immediately SHA-256 hash it before writing anything to the database — the plaintext key is never persisted. Authentication hashes the incoming key and compares the result against the stored hash. Even a full database dump cannot reveal your key.
Message text, contact data, and other payload content you transmit through /ingest and /process is processed in memory only — it is never written to our database. We log metadata only: endpoint, timestamp, byte count, token count, and status. Your clients' data does not live in our storage.
All sensitive configuration data — credentials, tokens, and internal keys used to operate the infrastructure — is encrypted with AES-256-GCM before being written to disk. All data is transmitted over HTTPS/TLS 1.2+. Your data is unreadable without the encryption key even if someone accessed the server directly.
Data transmitted through the /process endpoint is forwarded to our processing pipeline provider under a data processing agreement that prohibits use of submitted data for model training. If you use passthrough: true, data is not forwarded at all — the request is logged and stored only.
All API endpoints are rate-limited to prevent abuse and brute-force attacks against your node. Invalid key attempts are tracked. Nodes exhibiting anomalous usage patterns are flagged for review. Your key cannot be guessed — it is a 48-character hex string generated from a cryptographically secure random source.
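The key handling described in the API key and rate-limiting paragraphs above (48-character hex key from a secure random source, SHA-256 digest stored, plaintext never persisted) can be sketched as follows. This is an added example, not RGX Systems' code; the names provision_key, authenticate and KEY_HASHES, and the in-memory dictionary standing in for the database, are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-in for the key table: node_id -> hex SHA-256 digest.
# Only digests are ever placed here, never the plaintext key.
KEY_HASHES = {}

HEX_CHARS = set(string.hexdigits.lower())


def provision_key(node_id: str) -> str:
    """Create a key, store its digest, and return the plaintext exactly once."""
    # 24 bytes from the OS CSPRNG -> 48 hex characters (192 bits of entropy).
    key = secrets.token_hex(24)
    # A plain, unsalted SHA-256 is adequate here only because the input is a
    # high-entropy random key; it would not be adequate for passwords.
    KEY_HASHES[node_id] = hashlib.sha256(key.encode("ascii")).hexdigest()
    return key


def is_well_formed(key: str) -> bool:
    """Cheap format check so malformed input is rejected before any lookup."""
    return len(key) == 48 and set(key) <= HEX_CHARS


def authenticate(node_id: str, presented_key: str) -> bool:
    """Hash the presented key and compare digests in constant time."""
    if not is_well_formed(presented_key):
        return False
    presented = hashlib.sha256(presented_key.encode("ascii")).hexdigest()
    stored = KEY_HASHES.get(node_id)
    if stored is None:
        return False
    # compare_digest avoids leaking, via timing, how many characters matched.
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    k = provision_key("node-a")          # shown to the operator once
    print(authenticate("node-a", k))     # correct key for the node
    print(authenticate("node-b", k))     # same key, different node
```

A dump of KEY_HASHES yields only digests, and because each lookup is scoped to one node_id, a valid key for one node does not authenticate against another.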
Hosted on Render (SOC 2 Type II certified). Database on PostgreSQL with encrypted connections. All secrets managed via environment variables — never hardcoded. Infrastructure access restricted to authorized RGX Systems personnel only.
RGX runs on Render's SOC 2 Type II certified infrastructure — independently audited for Security, Confidentiality, and Availability. Audit period: October 2024 – September 2025.
Our infrastructure provider maintains a GDPR Data Processing Agreement (DPA). VAR operator data is handled in accordance with GDPR requirements. See our DPA for full details.
Email us at security@rgxsystems.com — we respond to every inquiry.