Security
Everything you need to know about how Costr handles your provider keys, Stripe credentials, and customer data.
Costr requires you to bring your own provider keys (OpenAI, Anthropic, Google). We never issue keys, never resell them, never share them across customers. Your provider relationship stays direct — you’re billed by your provider, not us.
Provider keys are encrypted with AES-256-GCM before being written to the database. Decryption happens only in memory, at the moment a request is forwarded; the plaintext key is never logged or persisted. If our database were compromised, the keys inside would be unreadable without the encryption key.
Costr is a transparent proxy. Your prompt body and the provider’s response body flow through untouched and unbuffered. We capture metadata (token counts, customer ID, latency) — never the content of what you sent or what came back.
If you sync Stripe to enable margin-per-customer views, we use Stripe restricted API keys with read-only scope. Costr cannot create charges, modify subscriptions, or access cards. We map your customers to your AI spend — nothing else.
If Costr goes down, you stop trusting us, or you want to switch providers, you change one line of code (the baseURL) and you’re back to hitting OpenAI/Anthropic/Google directly. No data lock-in, no integration debt, no migration project.
Hosted on: Vercel (compute) + Supabase (database, US-East). [VERIFY]
Latency overhead: [VERIFY — measure p50 and p99 before publishing]
If Costr is down: Pass-through, fail-open. Your API calls continue directly to your provider. Costr does not block your requests. [VERIFY this matches the proxy implementation]
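Whatever the proxy itself does during an outage, the caller can guarantee the fail-open behaviour described above on its own side. The following is an added example (not Costr's code) of a thin client wrapper that sends to the proxy base URL first and falls back to the provider base URL only on a transport failure, a timeout, or a gateway-style status. The URLs, header sets, timeout and the status codes treated as "proxy unavailable" are assumptions; the fetch implementation is injected so the example runs offline against a constructed stub.

```javascript
// Added example, not Costr's code. Assumptions: the caller holds credentials
// for both the proxy and the provider; 502/503/504 from the proxy host mean the
// proxy, not the provider, is unavailable.
const PROXY_UNAVAILABLE = new Set([502, 503, 504]);

// Race a promise against a timer so a hung proxy connection cannot stall the caller.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error(`proxy timeout after ${ms}ms`)), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

function createFailOpenClient({ proxyBaseUrl, providerBaseUrl, proxyHeaders, providerHeaders, fetchImpl, proxyTimeoutMs = 3000 }) {
  async function post(path, body) {
    const json = JSON.stringify(body);
    try {
      const res = await withTimeout(
        fetchImpl(proxyBaseUrl + path, {
          method: 'POST',
          headers: { 'content-type': 'application/json', ...proxyHeaders },
          body: json,
        }),
        proxyTimeoutMs,
      );
      // A 4xx or a provider error relayed through the proxy is a real answer and is
      // returned unchanged; only gateway statuses are treated as the proxy being down.
      if (!PROXY_UNAVAILABLE.has(res.status)) return { via: 'proxy', res };
    } catch (err) {
      // Connection refused, DNS failure or timeout reaching the proxy: fall through.
    }
    const res = await fetchImpl(providerBaseUrl + path, {
      method: 'POST',
      headers: { 'content-type': 'application/json', ...providerHeaders },
      body: json,
    });
    return { via: 'provider', res };
  }
  return { post };
}

// Constructed stub standing in for the network: the proxy host either answers
// or refuses connections; the provider host always answers.
function makeStubFetch({ proxyDown }) {
  return async (url, init) => {
    if (url.startsWith('https://proxy.example')) {
      if (proxyDown) throw new Error('connect ECONNREFUSED (constructed)');
      return { status: 200, json: async () => ({ echo: JSON.parse(init.body) }) };
    }
    return { status: 200, json: async () => ({ echo: JSON.parse(init.body) }) };
  };
}

// Returns which host answered for a constructed request, with the proxy up or down.
async function demo(proxyDown) {
  const client = createFailOpenClient({
    proxyBaseUrl: 'https://proxy.example/v1',
    providerBaseUrl: 'https://provider.example/v1',
    proxyHeaders: { Authorization: 'Bearer proxy-key-constructed' },
    providerHeaders: { Authorization: 'Bearer provider-key-constructed' },
    fetchImpl: makeStubFetch({ proxyDown }),
  });
  const { via } = await client.post('/chat/completions', { model: 'constructed-model', messages: [] });
  return via;
}

demo(false).then((via) => console.log('proxy up   ->', via));
demo(true).then((via) => console.log('proxy down ->', via));
```

The check a practitioner would want here is that the fallback is narrow: a 401 or 429 coming back through the proxy is the provider's answer and must not trigger a second, direct request, otherwise a misconfiguration silently doubles traffic and bypasses the cost tracking the proxy exists for.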
Data retention: [VERIFY — duration metadata is kept, and deletion timeline on account cancellation]
Encryption key management: provider keys are encrypted with AES-256-GCM; the encryption key is managed via [VERIFY — KMS or in-house mechanism].
Security audits: No third-party security audit yet. Planning one before 100 paying customers.
Security questions or concerns? Email brandon@costr.dev directly.