autrace
Security Posture

Honest security posture. No marketing fluff.

We cover 5 of 10 OWASP LLM Top 10 risks at the gateway layer. We tell you exactly which ones - and why the others are out of scope.

5/10: OWASP LLM covered
TLS 1.2+: all transport
bcrypt(12): password hashing
SOC 2: in progress (Vanta)
OWASP LLM Top 10

5/10 covered at the gateway layer.

Some OWASP LLM risks are training-time or agent-design concerns - a request proxy cannot address them. We cover what a gateway can cover, and say so plainly for the rest.

LLM01 Prompt Injection: Covered. Pattern-based + heuristic detection. Block in-path before model sees prompt.

LLM02 Insecure Output Handling: Covered. Response filter strips dangerous patterns before returning to caller.

LLM03 Training Data Poisoning: Out of scope. Training-time concern, not addressable by inference proxy.

LLM04 Model Denial of Service: Covered. Per-key token + request rate limiting enforced in-path.

LLM05 Supply Chain Vulnerabilities: Out of scope. Model supply chain, not request routing.

LLM06 Sensitive Info Disclosure: Covered. PII filter redacts sensitive data before it reaches the model.

LLM07 Insecure Plugin Design: Out of scope. Application-architecture concern; not addressable at gateway layer.

LLM08 Excessive Agency: Out of scope. Agent-design concern; partially addressable with custom policy rules.

LLM09 Overreliance: Out of scope. UX/process concern; outside scope of a request gateway.

LLM10 Model Theft: Covered. API key isolation and rate limiting reduce bulk extraction risk.

Zero-Trust Architecture

Never trust. Always verify.

Every request - regardless of origin or prior history - is authenticated and evaluated against the full policy stack before forwarding. No IP allowlisting, no session-level trust.

Shadow AI Compliance Alert (2026 Data)

With up to 70% of developers admitting to pasting proprietary code and PII into external systems, and the average Shadow AI data breach costing $670,000 in regulatory fines, unmonitored AI access is an unacceptable risk. Deploying Autrace as your Shadow AI governance proxy applies the OWASP LLM01 (prompt injection) gateway check and real-time PII redaction to every request before it leaves your VPC.

1. Receive request: API key present? Key not revoked? Org active?
2. Policy evaluation: PII scan, injection detection, rate limit, content rules.
3. Forward to model: strip internal headers, provider auth, timeout 120s.
4. Log response: response filter, hash-chain append, cost estimate.
Data Handling

What we store. What we don't.

We store:
Request metadata (timestamp, model, latency)
Token counts and estimated cost
Policy decision (ALLOW / BLOCK)
PII redaction summary (types, not values)
User/org identifiers
Hash-chained audit record

Not stored by default:
Full prompt content
Full response content
Redacted PII values
Raw API keys (hashed only)
Model output verbatim

Optional (opt-in):
Full prompt/response (enterprise, off by default)
Extended retention (up to 7 years)
SIEM streaming webhook
S3 export
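The four-step request pipeline and the "what we store" lists above describe a design pattern: authenticate against a hashed key store, evaluate policy (PII scan, injection heuristic, per-key rate limit), and append an audit record that carries only metadata, the policy decision and a PII summary of types and counts, chained to the previous record by hash. The sketch below is an added example, not autrace's code; the API keys, org ids, PII and injection patterns, the whitespace token estimate and the fixed-window limiter are all constructed assumptions for illustration.

```python
import hashlib
import json
import re
import time


def _digest(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


# Constructed demo key store: only the SHA-256 digest of each key is kept,
# never the raw key. Keys and org ids are hypothetical.
KEY_STORE = {
    _digest("sk-demo-alpha"): {"org": "org_alpha", "active": True, "revoked": False},
    _digest("sk-demo-bravo"): {"org": "org_bravo", "active": True, "revoked": True},
}

# Illustrative PII detectors (assumption); real coverage is far broader.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Illustrative pattern-based injection heuristic (assumption).
INJECTION_PATTERNS = [re.compile(r"ignore (?:all )?(?:previous|prior) instructions", re.I)]


def authenticate(api_key):
    """Step 1: key present, not revoked, org active. Returns (org, error)."""
    if not api_key:
        return None, "missing key"
    rec = KEY_STORE.get(_digest(api_key))
    if rec is None:
        return None, "unknown key"
    if rec["revoked"]:
        return None, "key revoked"
    if not rec["active"]:
        return None, "org inactive"
    return rec["org"], None


def redact_pii(text):
    """Replace PII with type tags; return redacted text plus a summary of types and counts only."""
    summary = {}
    for name, pat in PII_PATTERNS.items():
        text, n = pat.subn(f"[{name.upper()}]", text)
        if n:
            summary[name] = n
    return text, summary


def looks_like_injection(text):
    return any(p.search(text) for p in INJECTION_PATTERNS)


class RateLimiter:
    """Fixed-window per-key limit on both request count and token count."""

    def __init__(self, max_requests, max_tokens, window_s=60):
        self.max_requests, self.max_tokens, self.window_s = max_requests, max_tokens, window_s
        self.windows = {}  # key digest -> (window start, requests, tokens)

    def allow(self, key_digest, tokens, now):
        start, reqs, toks = self.windows.get(key_digest, (now, 0, 0))
        if now - start >= self.window_s:
            start, reqs, toks = now, 0, 0
        reqs, toks = reqs + 1, toks + tokens
        self.windows[key_digest] = (start, reqs, toks)
        return reqs <= self.max_requests and toks <= self.max_tokens


class AuditChain:
    """Append-only log where every record commits to the hash of the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []
        self.prev_hash = self.GENESIS

    @staticmethod
    def _hash(body):
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, record):
        body = dict(record, prev_hash=self.prev_hash)
        body["hash"] = self._hash(body)
        self.records.append(body)
        self.prev_hash = body["hash"]
        return body["hash"]

    def verify(self):
        """Recompute every hash and link; any edited or reordered record breaks the chain."""
        prev = self.GENESIS
        for r in self.records:
            body = {k: v for k, v in r.items() if k != "hash"}
            if r["prev_hash"] != prev or self._hash(body) != r["hash"]:
                return False
            prev = r["hash"]
        return True


def handle_request(api_key, prompt, limiter, chain, now=None):
    """Run steps 1 and 2 and append an audit record that never contains the prompt."""
    now = time.time() if now is None else now
    tokens = len(prompt.split())  # crude stand-in for a real tokenizer (assumption)
    record = {"ts": now, "org": None, "tokens": tokens, "pii_summary": {},
              "decision": "BLOCK", "reason": None}
    org, err = authenticate(api_key)
    record["org"] = org
    if err:
        record["reason"] = err
    else:
        redacted, record["pii_summary"] = redact_pii(prompt)
        if looks_like_injection(redacted):
            record["reason"] = "injection pattern"
        elif not limiter.allow(_digest(api_key), tokens, now):
            record["reason"] = "rate limit"
        else:
            record["decision"], record["reason"] = "ALLOW", "policy passed"
            # `redacted`, not `prompt`, is what step 3 would forward to the model.
    chain.append(record)
    return record
```

The point to check when reviewing such a design is the audit record's contents: it carries the decision, the org, a token estimate and `{"email": 1}`-style PII counts, but no prompt text and no raw key, so a compromised log store leaks metadata only, while `verify()` detects after-the-fact edits to any record.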
Compliance Roadmap

Where we stand today.

GDPR: Compliant by design (now)
CCPA: Compliant by design (now)
SOC 2 Type I: Scoping (Vanta), Q2 2026
SOC 2 Type II: In progress, Q3 2026
HIPAA: BAA-eligible scope, Q4 2026
ISO 27001: Under consideration, 2027
PCI DSS: Not required (Stripe handles)
Vulnerability Disclosure

Responsible disclosure. Safe harbour.

Found a security issue? Email security@autraceai.com. We acknowledge within 24 hours. Patch SLAs by CVSS severity:

Critical: 7 days to patch
High: 30 days to patch
Medium: 90 days to patch
Low: monthly digest
Safe Harbour

Good-faith security research - with no intent to disrupt service or access customer data - will not result in legal action. We will credit you in the advisory unless you prefer otherwise.

Report a vulnerability →