Trust

Security

Last updated — July 4, 2026

Security is foundational to Jetnight. This page describes the technical, operational, and organizational measures we use to protect your account, API keys, usage data, and payments.

1. Encryption

  • In transit — TLS 1.3 for all API and dashboard traffic. HSTS is enforced; legacy protocols are disabled.
  • At rest — AES-256 encryption for all stored data, including usage logs and billing records.
  • API keys — hashed and indexed; the full key is shown once at creation and never retrievable again.
  • Passwords — salted bcrypt with a work factor of 12; never stored in plaintext or reversible form.

2. Infrastructure

Isolation

  • API gateway, dashboard, database, and billing services run in separate containers with no shared filesystem.
  • Each tenant's usage data is logically partitioned; cross-tenant access is blocked at the query layer.
  • Internal services communicate over a private network; only the API gateway and dashboard are publicly exposed.

Access control

  • Least-privilege role-based access for all team members.
  • Hardware security keys (FIDO2) required for administrative access.
  • All privileged actions are logged and reviewed monthly.
  • Production access is granted on a per-incident basis and automatically revoked after 4 hours.

3. Payment security

  • We are PCI-DSS SAQ A aligned — card data is handled entirely by certified processors; our servers never touch PAN or CVV.
  • SBP transactions are routed through licensed Russian payment operators with 3-D Secure.
  • Crypto payments are verified on-chain with multi-block confirmation thresholds before keys are released.
  • Cryptobot and xRocket integrations use signed webhooks with HMAC verification and IP allow-listing.
  • Refund and chargeback events are reconciled daily against our ledger.

4. API key management

  • Keys are scoped to your account and cannot access other tenants.
  • Per-key rate limits and spending caps are enforced at the gateway before requests reach upstream providers.
  • Keys can be rotated or revoked instantly from the dashboard without contacting support.
  • Suspicious patterns (unusual geo, burst traffic, abnormal model mix) trigger automatic temporary throttling and email alerts.

5. Data protection

  • Request and response bodies are never logged; only metadata required for billing and debugging is retained for 30 days.
  • Backups are encrypted and rotated weekly; restoration is tested quarterly.
  • Data deletion requests are processed within 30 days, subject to legal retention duties.
  • See our Privacy Policy for the full retention schedule.

6. Monitoring & incident response

  • 24/7 automated monitoring for uptime, error rate, latency, and anomaly detection.
  • Intrusion detection on all public endpoints; failed auth attempts are rate-limited and alerted.
  • Incidents are triaged within 1 hour of detection; affected customers are notified within 24 hours of confirmation.
  • Post-incident reviews are published in a stripped-down form on our status page within 14 days.

7. Upstream provider security

We route requests to OpenAI, Anthropic, Google, Z.AI, DeepSeek, Moonshot, and MiniMax. Each provider maintains its own security posture; we surface their public documentation on request. We do not forward your account credentials — only the request payload and a pseudonymous identifier.

8. Compliance

  • Russia 152-FZ — personal data handling registered with Roskomnadzor.
  • GDPR — Standard Contractual Clauses for EEA user data transfers.
  • PCI-DSS SAQ A — card data fully outsourced to certified processors.
  • Annual external penetration testing by an independent firm.

9. Responsible disclosure

We welcome security research in good faith. If you discover a vulnerability:

  • Report it to security@jet-night.com with reproduction steps.
  • Give us 90 days to remediate before any public disclosure.
  • Avoid automated scanners, DoS, and accessing other users' data.
  • Confirmed, original findings are rewarded with token bundles or a monetary bounty at our discretion.

10. Contact

Security inquiries, reports, and compliance questions: security@jet-night.com. PGP key fingerprint available on request.