Trust

Security at Aridel

Aridel sits between you and the major AI providers. We've built the service so your prompts, files, and account stay protected in transit, at rest, and inside the routing pipeline.

Note — Aridel is an early-stage product built by an independent team. We follow industry best practices on AWS but do not yet hold formal certifications such as SOC 2 or ISO 27001. If your organisation requires either, please reach out before onboarding sensitive workloads.

Encryption

In transit: all client ↔ server traffic uses TLS 1.2+ (HTTPS & WSS). The same applies to every call we forward to model providers.
At rest: conversation history, results, and uploaded files are stored in AWS-managed services (DynamoDB, S3) with server-side encryption enabled by default.
Secrets: third-party API keys (OpenAI, Anthropic, Google, Pinecone) live in AWS Secrets Manager. They are never logged or exposed to the browser.

Authentication

Accounts are managed by AWS Cognito, with email/password and Google OAuth as supported methods.
Passwords must meet length, case, number, and special-character requirements.
Sessions are short-lived JWTs scoped to your user pool; you can sign out at any time to invalidate the current session.

Data handling

Prompts you submit are forwarded to the model provider chosen by Route AI. We retain prompts, responses, and routing metadata so you can see your history, get accurate billing, and so we can improve routing quality over time. We do not sell your data to any third party.

Conversation history: Stored in DynamoDB, scoped per user. Visible only inside your account.
Uploaded files: Stored in S3 with server-side encryption. Used only to fulfil the prompt you attached them to.
Telemetry: Anonymised routing decisions and latency metrics are aggregated to improve model selection. No prompt content is shared externally for this.
Training: We do not train models on your prompts. Provider-side training behaviour follows each provider's API policy (we use API endpoints that are not used for training by default where the provider exposes that distinction).

Account & data deletion

You can delete individual conversations at any time from the sidebar. To request full account deletion (which removes conversation history, stored files, and billing identifiers), email support@promptrouterai.com from the address tied to your account. We'll confirm within 7 business days.

Subprocessors

We share data with the following services strictly to deliver the product:

AWS (us-east-1) — compute, storage, auth, secrets. Hosts the entire service.
OpenAI, Anthropic, Google AI, DeepSeek, Moonshot (Kimi), Alibaba (Qwen), Amazon Bedrock — model providers we route prompts to. We send only the prompt content the user submits.
Pinecone — vector database used by the prompt classifier.
Stripe — billing. We never see or store full card numbers.

Infrastructure

Backend runs on AWS Lambda with IAM-scoped roles per function.
Networking is HTTPS-only at the edge via API Gateway and Amplify Hosting.
Code is deployed by infrastructure-as-code (AWS CDK), giving us a reviewable, version-controlled deployment history.

Reporting a vulnerability

Found something that looks like a security issue? Please email security@promptrouterai.com with a clear write-up and reproduction steps. We acknowledge reports within 3 business days and credit responsible disclosure where the reporter wants to be named.

Last updated — . This page evolves as we ship. Material changes are timestamped here.

← Back to home