A gateway you can audit in an afternoon.

Every /v1/* request requires a qlaud-issued API key (qlk_live_* prefix). We store only the SHA-256 hash, never the secret itself. Verification happens on the edge in ~5ms — D1 lookup the first time, then cached for 60 seconds in our edge KV. Revoking from the dashboard purges the cache immediately, no waiting period.

Login, signup, MFA, OAuth, password resets and email verification are handled by Clerk — we never see your password or session credentials. The qlaud edge only sees the verified bearer token and the user id it resolves to. Master-scoped keys can mint per-user keys with hard spend caps; standard-scoped keys can only call inference endpoints.

We hold one shared key per upstream provider as an encrypted edge secret. Customer requests are authenticated by your qlk_live_* key — we then attach our provider key on the outbound call to OpenAI / Anthropic / DeepSeek / etc. Your key is never forwarded; the upstream sees qlaud, not your customer.

Per-customer cost attribution lives in our own usage ledger keyed by (user_id, key_id, model_slug). Customers never see each other's usage; upstream providers never see your end-customer dimensions.

Each tenant's wallet lives in a dedicated single-threaded SQLite instance that only the qlaud edge can talk to. Atomic by construction; no two requests can race the same balance.

Wallet movements (debits + credits) are idempotent on a request id. A retried Stripe webhook, a network hiccup that double-fires a debit — both are caught at the ledger's primary-key constraint. Replaying an event ten times moves the balance once.

Stripe holds your card data, not us — Checkout runs on checkout.stripe.com. We receive a verified webhook on completion and credit the wallet.

Our edge logs the metadata needed to bill and debug: request id, model slug, provider, token counts, latency, status. We do not log prompt content or response bodies. The underlying gateway layer can be configured to log raw bodies for ops debugging; that's off by default and we don't turn it on without a written request.

Edge access logs (status codes, IPs) live for 30 days in object storage. Wallet ledger and usage events live in our database indefinitely — you can request deletion under GDPR / CCPA from the dashboard.

The data plane is 100% serverless edge code — no VPS, no Kubernetes, no long-running processes for an attacker to find. Each request runs in an isolated V8 sandbox with no shared filesystem, no shared memory, and no per-tenant network stack to escape.

The control plane (dashboard) runs on the same edge runtime. Static + server routes; no Postgres, no Redis. The whole production surface is auditable in a single deployment manifest.

Today: qlaud inherits the security posture of its dependencies — Cloudflare (SOC 2 Type II, ISO 27001), Clerk (SOC 2 Type II), Stripe (PCI DSS Level 1).

Q3 2026: engaging Vanta to begin SOC 2 Type II readiness for the qlaud application itself. Certification follows after the observation window.

If you need a DPA or BAA today: email security@qlaud.ai. We have templates ready for both.

Email security@qlaud.ai. PGP key on request. We acknowledge within 24 hours. Critical bugs land in production within 72 hours of confirmed reproduction.

We don't run a paid bounty yet — but we publicly credit researchers in this page's blog when fixes ship.