Here’s what we do and what we don’t.
This page is written plainly — today and roadmap, split clearly, nothing overstated. If you need something that isn’t here, ask. We’ll tell you honestly whether we can ship it on your timeline.
What data we read
AICosts.ai reads billing and usage data from the AI providers you explicitly connect. We do not sit in your inference path, we do not read prompt or completion contents, and we do not receive end-user PII from your application.
- Account metadata: email, name, role.
- Provider API keys (encrypted at rest — see Encryption below for the algorithm).
- Usage records: per-day, per-platform, per-model costs and counts, with per-item breakdowns for units the provider bills on (tokens, operations, characters, etc.).
- Billing files you upload for platforms without an API (parsed using OpenAI on a standard commercial API tier — no zero-retention agreement yet; on the roadmap).
Encryption
Provider API keys are encrypted server-side with AES-256-CBC using a single server-side key held in the application environment, and a per-record random IV. TLS 1.2+ is enforced on the public web and API. Databases use the at-rest encryption provided by MongoDB Atlas, and backups inherit that same at-rest encryption. We do not currently use envelope encryption, KMS, per-tenant keys, or field-level DEKs — those are on the roadmap.
Authentication
Email + password (bcrypt hashing) with optional TOTP 2FA and backup codes. JWT sessions. We do not currently offer SAML, OIDC, or SCIM — those are on the roadmap.
Authorization
Today each account is a single user with their own API keys and usage data. We do not yet offer organizations, workspaces, role-based access control, or shared accounts. Those are on the roadmap; until they ship, we don't market them.
Logging
Application request logs are written via morgan and retained according to the hosting provider's defaults. A structured application-level audit log (actor / action / target / IP / timestamp) exists as an internal schema but is not yet wired into routes or exposed to customers. That wiring is on the roadmap.
Data residency
All customer data is processed and stored in a single US region (MongoDB Atlas US, AWS us-east-1). We do not currently offer EU-region residency, data export to customer-controlled storage, or deletion on a defined SLA beyond manual request. Those are on the roadmap.
Subprocessors
Today: AWS (hosting and S3), MongoDB Atlas (database), Vercel (landing page), Stripe (payments), SendGrid (email), OpenAI (parsing uploaded billing files for Professional tier), Mixpanel (web analytics), GitHub (source control), Product Hunt / Vercel Analytics (web tracking). No others are in active use. See SUBPROCESSORS.md in the repo for the current list.
Incident response
We aim to triage security issues within 24 hours of being reported and to notify affected customers within 72 hours of confirming a material incident. We do not currently publish a status page, and we do not have a formal bug bounty program. Report vulnerabilities to security@aicosts.ai.
Not shipping yet — roadmap, not commitments
These are things we plan to build, in rough order. Dates are targets that depend on which enterprise customers pilot and prioritize them. None of the items below exist in the product today, and none are being sold as if they do.
- SAML / OIDC SSO and SCIM provisioning (via an identity broker — we have not yet signed with one).
- Organizations, workspaces, and role-based access control (Owner, Admin, Member).
- Audit log wired to every admin-level event, retained 12 months, exportable.
- Per-tenant encryption keys with KMS envelope (today is a single app-level key).
- Automated key rotation.
- SOC 2 Type I engagement. We have not yet engaged an auditor or a compliance-automation partner.
- Signed DPA and MSA templates (attorney-reviewed).
- Pre-filled SIG-Lite / CAIQ-Lite responses.
- Zero-retention agreement with OpenAI for the billing-file parser.
- EU-region data residency.
- Public status page at status.aicosts.ai.
- Annual third-party penetration test.
Last updated: 2026-04-17.
If something here is still wrong or unclear, that’s on us — email security@aicosts.ai and we’ll fix the page.