Security
Last updated: May 13, 2026
DecimalAI takes security seriously. This page summarizes how we protect customer data and how security researchers can report vulnerabilities.
Reporting a vulnerability
Please email hello@decimal.ai with the subject line SECURITY: and a description of the issue. Include:
- A clear, reproducible description of the vulnerability
- The affected endpoint, page, or component
- Steps to reproduce, including any required payloads or credentials you created
- Optional: your name and a public handle if you want acknowledgement
We will acknowledge your report within 2 business days. We aim to triage within 5 business days and to remediate critical issues within 30 days. We do not yet operate a paid bug bounty program, but we publicly credit researchers in our acknowledgements with your permission.
Scope
In scope for disclosure:
app.decimal.ai— the web applicationapi.decimal.ai— the REST APIdecimal.ai— the marketing site- The
decimalaiPython SDK published on PyPI
Out of scope:
- Issues that require a compromised user device or browser
- Denial-of-service attacks that simply exceed published rate limits
- Self-XSS, clickjacking on pages without sensitive actions, or missing security headers without demonstrated impact
- Vulnerabilities in third-party services (Clerk, Stripe, Resend, GCP) — please report those upstream
Please use only test accounts and synthetic data. Do not access or modify other customers’ data. Acting in good faith within this scope, we will not take legal action against you.
Our security practices
- Encryption in transit — TLS 1.2+ for all HTTP traffic; HSTS enabled.
- Encryption at rest — customer-provided LLM provider keys are encrypted with Fernet (AES-128-CBC + HMAC-SHA256). The encryption key is held in Google Cloud Secret Manager and is not embedded in source or container images.
- Authentication — primary auth is via Clerk OAuth. API key auth uses SHA-256-hashed keys; raw keys are shown only once at creation.
- Webhook integrity — Stripe webhooks verify HMAC-SHA256 signatures. Other inbound webhooks (DeepEval, LangSmith) use shared-secret verification.
- Least-privilege IAM — the Cloud Run service account has scoped access to only the secrets and Cloud SQL instance it needs.
- Audit logging — consequential mutations (regression-flag changes, billing events, key creation) are recorded in an append-only
audit_logtable. - Dependency hygiene — we monitor first-party dependencies via Dependabot and triage CVEs as they arrive.
- Backups — Cloud SQL runs daily snapshots; tested restores are part of our pre-launch checklist.
Subprocessors
See the Privacy Policy for our current list of subprocessors.
Acknowledgements
We will publish a list of researchers who have responsibly disclosed vulnerabilities to us here. None yet — be the first.
Machine-readable contact
Our security.txt file at /.well-known/security.txt follows RFC 9116.