For legal details, see our Privacy Policy and Terms of Service.
SECURITY GUIDE
Data Protection / API Key Security / Best Practices
Quick Summary
Data Protection
Your data is stored securely in your AccessHawk account using industry-standard encryption and security practices.
Security Measures
Included scans are even simpler
Your monthly included scans always use our service API key—your personal API key is never touched for these scans. BYOK Overflow is completely optional: only if you've used all your included scans and want to continue scanning will the system use your stored API key.
Best Practices
Here's how you can maximize your security when using BYOK Overflow:
Create a separate API key on OpenRouter just for AccessHawk. If it's ever compromised, you can revoke it without affecting other services.
OpenRouter allows you to set spending limits on API keys. Configure a reasonable limit to prevent unexpected charges even if your key is compromised.
Regularly check your OpenRouter activity page to ensure there's no unexpected usage.
Your AccessHawk account protects your stored API key. Use a strong, unique password and don't share your account credentials.
Your monthly included scans use our service key—no API key of yours is involved. This is the simplest and most secure option.
Every few months, consider generating a new API key on OpenRouter and updating it in your Account Settings. This limits the window of exposure if a key was ever compromised.
Frequently Asked Questions
Can you see my API key?
No. Your API key is encrypted with AES-256-GCM before storage. Even we cannot view your plaintext key—it only exists in decrypted form momentarily during API requests, and is never logged.
What is AES-256-GCM encryption?
AES-256-GCM is a military-grade encryption standard. The "256" refers to the key size (256 bits), making brute-force attacks computationally infeasible. "GCM" (Galois/Counter Mode) provides both encryption and authentication, ensuring data integrity and detecting any tampering.
What if there's a data breach?
Even if our database were compromised, your API key would remain protected. The encrypted key is useless without the encryption key, which is stored separately. However, as an extra precaution, we recommend setting spending limits on your OpenRouter API key.
What data do you store?
We store your account information, projects, scan results, and if configured, your encrypted API key. We use Google Analytics for basic usage statistics. For complete details, see our Privacy Policy.
How do I remove my API key?
Go to Account Settings and click "Remove" next to your API key configuration. This immediately deletes your encrypted key from our system. You can also delete your entire account from Account Settings.