Your Data, Protected at Every Layer
AskLee is built with security at its core — from encrypted secrets to isolated bot containers, verified by 114+ automated security tests across 16 categories.
Verified by Automated Testing
114+ security tests
16 test categories
8,000+ vulnerability templates
24/7 CI/CD verification
Security Architecture
Every layer of AskLee is designed to protect your data.
Encryption at Rest
API keys and bot tokens are encrypted before storage — we can't read them even if the database is compromised.
Technical details
AES-256-GCM encryption with PBKDF2 key derivation. Unique initialization vector per operation. Encrypted fields are never logged or exposed in API responses.
Isolated Bot Containers
Each bot runs in its own isolated container. One bot can't access another's data or resources.
Technical details
Dedicated virtual machines with per-bot volumes and unique gateway tokens. No shared state between bot instances. Complete process isolation.
Input Validation
Every request is validated and sanitized to prevent injection attacks.
Technical details
Protection against XSS, SQL injection, path traversal, and null byte injection. Strict character set and length limits enforced on all inputs.
Timing-Safe Authentication
Authentication checks resist timing attacks — no information leaks from response times.
Technical details
Constant-time string comparison via timingSafeEqual() for all secret and token verification. Prevents attackers from inferring partial matches.
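The constant-time check described above, as an added Node.js example built on crypto.timingSafeEqual(); it is not AskLee's code. The function names, the sample secret and the "payload.mac" token format are assumptions for illustration. timingSafeEqual() throws when its inputs differ in length, so both values are hashed to a fixed length before comparison.

```javascript
const crypto = require('node:crypto');

// Constant-time equality for two secrets of arbitrary length.
// crypto.timingSafeEqual() throws a RangeError when the buffers differ in
// length, and an early length check would reveal the expected length, so both
// values are first reduced to 32-byte HMAC-SHA256 digests under a random key.
const COMPARE_KEY = crypto.randomBytes(32);

function safeEqual(a, b) {
  const da = crypto.createHmac('sha256', COMPARE_KEY).update(String(a)).digest();
  const db = crypto.createHmac('sha256', COMPARE_KEY).update(String(b)).digest();
  return crypto.timingSafeEqual(da, db);
}

// Hypothetical token format: "<payload>.<hex HMAC-SHA256(payload)>".
function signToken(payload, secret) {
  const mac = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return `${payload}.${mac}`;
}

// Returns the payload when the MAC verifies, otherwise null.
function verifyToken(token, secret) {
  if (typeof token !== 'string') return null;
  const dot = token.lastIndexOf('.');
  if (dot <= 0) return null; // no separator or empty payload
  const payload = token.slice(0, dot);
  const presented = token.slice(dot + 1);
  const expected = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return safeEqual(presented, expected) ? payload : null;
}

// Constructed sample values, not real credentials.
const SECRET = 'constructed-demo-secret';
const good = signToken('bot-42', SECRET);
const tampered = good.replace('bot-42', 'bot-43'); // payload changed, MAC kept
const truncated = good.slice(0, -10);              // MAC shorter than expected

console.log(verifyToken(good, SECRET));
console.log(verifyToken(tampered, SECRET));
console.log(verifyToken(truncated, SECRET));
```

The truncated token is the case that makes a naive timingSafeEqual() call throw; here it is rejected like any other mismatch.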
Rate Limiting & DoS Protection
Requests are rate-limited to prevent abuse. Oversized payloads are rejected before processing.
Technical details
5 requests per minute for mutations, 20 per minute for reads. 1MB maximum body size. Redis-backed rate limiting via Upstash.
Security Headers
Strict browser security policies prevent clickjacking, XSS, and content sniffing.
Technical details
Content-Security-Policy (no unsafe-eval), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, HSTS with 2-year max-age, strict CORS policy.
Automated Security Scanning
114 automated tests run across 16 categories before every deployment, plus monthly deep scans with 8,000+ vulnerability templates.
Technical details
Custom security probe covering gateway protection, directory disclosure, HTTP smuggling, SSRF prevention, cache poisoning, and more. Supplemented by Nuclei vulnerability scanner with full template coverage.
Transport Security
All traffic is encrypted in transit. Only modern TLS versions are accepted — no weak ciphers, no protocol downgrades.
Technical details
TLS 1.2 and 1.3 only. HTTPS enforced on all endpoints. HSTS with 2-year max-age prevents protocol downgrade attacks. Zero exposed internal services (no SSH, database, or debug ports).
Multi-Layer Authentication
Every message passes through three independent authentication checkpoints before reaching your bot.
Channel Verification
Webhook signatures from Telegram, Discord, WhatsApp, and Slack are cryptographically verified at the edge.
Relay Authorization
Our relay proxy authenticates with the API using HMAC-signed bearer tokens before resolving any bot.
Per-Bot Secret
Each bot instance has a unique cryptographic gateway token (~190 bits of entropy). Compromising one bot cannot affect others.
Privacy & Data Handling
Your data belongs to you. Period.
Minimal Data Collection
We only store what's needed to run your bot. No analytics tracking, no behavioral profiling, no selling data to third parties.
No AI Training on Your Data
Your conversations and bot content are never used to train AI models. Zero-retention agreements with all AI providers mean your data is deleted immediately after processing.
Delete Anytime
Full account deletion available from your dashboard. When you delete, we delete — no retention periods, no hidden backups.
Compliance & Trust
We hold ourselves to the highest industry standards.
GDPR Compliant
Privacy by design, data portability, right to deletion, and data processing agreements available for enterprise customers.
Zero-Retention AI Processing
All AI providers (OpenAI, Anthropic, Groq) operate under zero-retention agreements. Your messages are never stored by third parties beyond the immediate API call.
SOC 2 Type II In Progress
Independent audit validation of our security controls, data confidentiality, and privacy practices. Expected completion in 2026.
Found a Vulnerability?
We appreciate responsible disclosure. If you discover a security issue, please report it privately. Do not file public GitHub issues for security vulnerabilities.
Email us at security@asklee.ai
Please include a description of the issue, steps to reproduce, and potential impact.
We aim to acknowledge reports within 48 hours.
We value your contributions and will credit reporters in our security acknowledgments.