Security at Toolkit API
We take a privacy-first, stateless approach to security. Here's how we protect your data at every layer.
Transport Security
All API traffic and website connections are encrypted with TLS 1.2+ (HTTPS). Plain HTTP requests are automatically redirected to HTTPS. We send HSTS headers so that browsers refuse plain-HTTP connections, which prevents downgrade attacks.
Authentication
Every API request requires a valid API key passed via the X-API-Key header. Keys are provisioned and managed through RapidAPI, which handles credential rotation, plan enforcement, and rate limiting.
We never store API keys in our application databases. Authentication is verified at the gateway layer before any request reaches our application code.
Stateless Processing
All 10 API toolkits are fully stateless. We do not persist, cache, or log the content of your requests or responses. Data is processed in-memory during the request lifecycle and discarded immediately after the response is sent.
- ✓ No databases storing user-submitted data
- ✓ No server-side file storage or upload retention
- ✓ No session state between requests
- ✓ No request payload logging
Infrastructure Isolation
Each of the 10 API toolkits runs as an independent containerised service on Kubernetes. Services are isolated from each other with separate deployments, network policies, and resource limits.
A vulnerability or outage in one toolkit cannot affect others. This architecture also allows us to scale, update, and deploy each service independently.
Privacy by Design
Our marketing sites set zero cookies and run no third-party tracking scripts (other than a minimal Google Analytics tag). We do not fingerprint users, sell data, or share usage information with third parties. See our Privacy Policy for full details.
Rate Limiting & Abuse Prevention
All API endpoints enforce per-key rate limits communicated via standard X-RateLimit-* headers. Excessive or abusive traffic is automatically throttled at the gateway layer to protect service availability for all users.
Dependency & Code Security
All services run on pinned, audited Python dependencies. Container images are built from minimal base images and rebuilt regularly to pick up security patches. Our CI/CD pipeline runs a full integration test suite (238 tests) on every deployment.
Reporting a Vulnerability
If you discover a security issue, please report it responsibly to [email protected]. We'll acknowledge receipt within 24 hours and aim to resolve confirmed vulnerabilities promptly.