00

Quick Summary

For legal details, see our Privacy Policy and Terms of Service.

API keys are encrypted with AES-256-GCM before storage
Keys are only decrypted momentarily during API requests
API keys are never logged or stored in plaintext
Included scans use our service key—your API key is only used for BYOK Overflow
01

Data Protection

Your data is stored securely in your AccessHawk account using industry-standard encryption and security practices.

Security Measures

1
AES-256-GCM encryption — Your API key is encrypted using AES-256-GCM, a military-grade encryption standard used by governments and financial institutions worldwide.
2
Encrypted at rest — Your API key is never stored in plaintext. Even in the unlikely event of a database breach, encrypted keys cannot be used without the encryption key.
3
Minimal decryption window — Your API key is only decrypted momentarily when making an API request on your behalf, then immediately discarded from memory.
4
No plaintext logging — API keys are explicitly excluded from all server logs, error reports, and monitoring systems.

Included scans are even simpler

Your monthly included scans always use our service API key—your personal API key is never touched for these scans. BYOK Overflow is completely optional: only if you've used all your included scans and want to continue scanning will the system use your stored API key.

02

Best Practices

Here's how you can maximize your security when using BYOK Overflow:

Use a dedicated API key

Create a separate API key on OpenRouter just for AccessHawk. If it's ever compromised, you can revoke it without affecting other services.

Set spending limits

OpenRouter allows you to set spending limits on API keys. Configure a reasonable limit to prevent unexpected charges even if your key is compromised.

Monitor your usage

Regularly check your OpenRouter activity page to ensure there's no unexpected usage.

Use a strong password

Your AccessHawk account protects your stored API key. Use a strong, unique password and don't share your account credentials.

Stay within included scans when possible

Your monthly included scans use our service key—no API key of yours is involved. This is the simplest and most secure option.

Rotate your key periodically

Every few months, consider generating a new API key on OpenRouter and updating it in your Account Settings. This limits the window of exposure if a key was ever compromised.

03

Frequently Asked Questions

Can you see my API key?

No. Your API key is encrypted with AES-256-GCM before storage. Even we cannot view your plaintext key—it only exists in decrypted form momentarily during API requests, and is never logged.

What is AES-256-GCM encryption?

AES-256-GCM is a military-grade encryption standard. The "256" refers to the key size (256 bits), making brute-force attacks computationally infeasible. "GCM" (Galois/Counter Mode) provides both encryption and authentication, ensuring data integrity and detecting any tampering.

What if there's a data breach?

Even if our database were compromised, your API key would remain protected. The encrypted key is useless without the encryption key, which is stored separately. However, as an extra precaution, we recommend setting spending limits on your OpenRouter API key.

What data do you store?

We store your account information, projects, scan results, and if configured, your encrypted API key. We use Google Analytics for basic usage statistics. For complete details, see our Privacy Policy.

How do I remove my API key?

Go to Account Settings and click "Remove" next to your API key configuration. This immediately deletes your encrypted key from our system. You can also delete your entire account from Account Settings.