Security practices for API delivery
ScaleAPIs uses server-side credential handling, managed infrastructure, bounded logging, and abuse-prevention controls to operate ProdaDoc and ProdaPic responsibly.
Current Security Practices
Security controls
Practical safeguards used to protect customers, engine access, and platform operations.
Protected Transport
Transport: ScaleAPIs enforces HTTPS for public service access and keeps engine credentials on the server side.
Credential Handling
Auth: API and engine credentials are treated as sensitive secrets, kept out of browser code, and used only by backend routes.
Managed Hosting Controls
Infrastructure: Production services run on managed cloud infrastructure with deployment isolation, environment variables, and operational health checks.
Bounded Operational Logging
Privacy: Logging is limited to operational, security, troubleshooting, and abuse-prevention needs rather than broad content logging.
Abuse Prevention
Controls: The platform uses request validation, rate limiting, URL safety controls, and engine-side safeguards to reduce misuse.
Vulnerability Intake
Disclosure: Security concerns can be reported through a dedicated vulnerability disclosure route and security inbox.
Vulnerability Disclosure
Security researchers and customers can report suspected vulnerabilities through our disclosure policy and security inbox.
Security FAQ
How are secrets protected?
Secrets used to call ProdaDoc and ProdaPic are configured as server-side environment variables and are not exposed in frontend bundles.
Can I restrict API keys to specific IPs?
Self-serve IP allowlisting is not exposed yet. Enterprise customers can discuss network restrictions and custom deployment requirements with ScaleAPIs.
Where is data processed?
Processing depends on the active service configuration and hosting regions selected for the production deployments. The subprocessor page lists the current operational vendor stack.
How do I report a security vulnerability?
Use the vulnerability disclosure policy or email security@scaleapis.com with clear reproduction steps and impact details.