Security & trust

Built for the team that has to answer for it.

srooter is the control plane your org's AI runs through — so its own security posture is the product. Here's exactly how we handle your code, your keys, and your data, and where we are on formal certification. No hand-waving.

Last updated · June 2026 · a living document

Data handling

What we store. What we never store.

Every request through the gateway is recorded for audit — but the record is metadata and a hash, never your content. This holds in cloud and self-hosted modes alike.

We store

REQUEST METADATA · FOR AUDIT, BILLING & ROUTING
  • The request envelope — timestamp, user/key id, requested vs. served model.
  • The routing decision — trivial, council, learned, or fallback.
  • Token counts, cost, latency, and status for every call.
  • A SHA-256 hash of the prompt — enough to verify and de-duplicate, never to read.

We never store

YOUR CONTENT NEVER SITS IN THE CLEAR
  • Prompt or completion content — only its hash is kept.
  • Your source files — the Cortex graph holds symbols and dependencies, not file contents.
  • Provider keys in plaintext — credentials are encrypted at rest.
  • Anything, in self-hosted mode — request data never leaves your infrastructure.

Security by architecture

The strongest controls aren't bolted on — they're how it's built.

Content never stored

Prompts are SHA-256 hashed. Full audit trail, zero sensitive content held in the clear.

Self-host in your VPC

Run the entire gateway inside your own infrastructure, up to fully air-gapped. Your keys, your data, your perimeter.

Your keys & subscriptions

Bring your own API keys, OAuth subscription tokens, or local models. srooter never resells inference and never sits in your billing path.

Encrypted in transit & at rest

TLS in transit, AES-256 at rest. Credentials and stored metadata are encrypted everywhere they live.

Exportable audit trail

Every routing and policy decision is logged and exportable for review, billing, or your auditor.

Role-based access & policy

RBAC across the org, model allowlists, reasoning caps, and hard budget ceilings — enforced at the gateway.

Supply-chain integrity

You run our code inside your perimeter. We treat that as a responsibility.

Self-hosting answers data residency — but it makes build integrity the question that matters. Here's how we keep what you deploy trustworthy.

Signed releases

Every release is cryptographically signed so you can verify exactly what you're running.

SBOM with every build

A full software bill of materials ships with each release for your own supply-chain review.

Pinned, scanned dependencies

Dependencies are pinned and continuously scanned for known vulnerabilities and tampering.

Certifications & compliance

Where we are — stated plainly.

SOC 2 Type II · In progress
Independent attestation of our security controls over time.

ISO 27001 · On roadmap
Information security management system — prioritized for EU & Gulf buyers.

GDPR · Aligned by design
EU-based, content never stored, full data residency under self-host.

HIPAA · On request
Self-hosted deployment keeps PHI inside your environment; BAA on request.

The honest version: we're early, and formal certifications are underway rather than finished. We won't display a badge we haven't earned. But because srooter self-hosts and never stores your content, security-conscious teams don't have to wait for our paper trail to adopt it — run it in your own VPC today, keep every byte inside your perimeter, and we'll meet your security review where you need us. As each certification lands, this page updates with the report.

Where your data goes

In self-hosted mode, the answer is: nowhere new.

Your developer (Claude Code · Codex · aider) → srooter (in your VPC) → Model provider (your keys · your account)

Self-hosted: request content never reaches srooter the company. We see nothing.

Responsible disclosure

Found something? Tell us.

We welcome security research

Report a vulnerability privately and we'll acknowledge within two business days, keep you updated through the fix, and credit you if you'd like. Please don't disclose publicly until we've resolved it.

security@workhub.ai

Security review

Bring your questionnaire. We'll answer every line.

Evaluating srooter for a regulated or security-conscious team? Send your vendor security questionnaire and we'll work through it with you — and get you self-hosted so nothing leaves your perimeter in the meantime.