Stipend handles API credentials and spend data for your workforce. We treat that responsibility as a first-order architectural constraint, not a feature.
Audited annually. Controls cover access management, encryption, availability, and change management across all infrastructure.
All data encrypted at rest (AES-256) and in transit (TLS 1.3). API keys are encrypted with per-tenant keys before storage.
SAML/OIDC single sign-on and SCIM provisioning are planned. Today, Stipend supports authenticated admin access, scoped API keys, and manual access revocation from the admin console.
Data processing agreements available. Right-to-erasure supported. No prompt or response content is stored or logged by Stipend.
Stipend runs on isolated infrastructure with no shared tenancy at the compute layer. Our gateway processes requests in memory and does not persist prompt or completion content.
Every action in Stipend is scoped to authenticated, authorized principals. There is no anonymous access to any API surface.
Stipend processes API requests to enforce budget and policy controls. We do not store, log, or inspect the content of prompts or completions passing through the gateway.
For security questions, to report a vulnerability, or to request our SOC 2 report, contact security@stipend.dev.