REQUEST LIFECYCLE
Client (your editor)
  │
  ├─ TLS 1.3 encrypted connection
  │
  ▼
Zephex Edge (Vercel / AWS)
  │
  ├─ API key validated (SHA-256 hash comparison)
  ├─ Rate limit checked (Upstash Redis)
  ├─ Usage counter incremented
  │
  ▼
MCP Proxy (AWS ECS, Fargate)
  │
  ├─ Tool arguments parsed
  ├─ Tool executed in isolated context
  ├─ Result assembled in memory
  │
  ▼
Response returned to client
  │
  ├─ Tool input/output discarded from memory
  ├─ Only metadata logged (tool name, timestamp, status)
  └─ No code, no prompts, no outputs persisted
The entire tool call — from receiving your arguments to returning the result — happens in a single request/response cycle. There is no queue, no background job, and no intermediate storage. Once the HTTP response is sent, all tool-related data is garbage-collected from process memory.
WHAT IS STORED vs. WHAT IS NOT
| Data | Stored? | Where | Duration |
|---|---|---|---|
| Your source code | No | — | — |
| Tool input arguments | No | — | — |
| Tool output / response body | No | — | — |
| Your AI prompt / chat context | No | — | — |
| File contents accessed by tools | No | — | — |
| Tool name called | Yes | Supabase (encrypted at rest) | 90 days |
| Timestamp of call | Yes | Supabase | 90 days |
| Response status (success/error) | Yes | Supabase | 90 days |
| Latency (ms) | Yes | Supabase | 90 days |
| API key hash | Yes | Supabase | Until revoked |
| Hashed IP address | Yes | Supabase | 90 days |
ENCRYPTION
In Transit
- All connections use TLS 1.3 (minimum TLS 1.2 for legacy clients).
- HSTS enforced with 1-year max-age and includeSubDomains.
- Certificate transparency logs monitored for unauthorized issuance.
- HTTP connections are rejected (not redirected) at the MCP endpoint to prevent accidental plaintext transmission.
At Rest
- Database storage uses AES-256 encryption on encrypted volumes.
- API key secrets are SHA-256 hashed before storage — plaintext is never retained.
- MFA secrets are encrypted with AES-256-GCM using a per-user derived key.
- Backup snapshots inherit the same encryption as the primary database.
PROCESS ISOLATION
- Each tool call executes in an isolated async context within the proxy process.
- No shared mutable state between concurrent requests from different users.
- The proxy runs in isolated containers — no shared host kernel with other tenants.
- Container images are rebuilt from scratch on each deploy (no layer caching of user data).
- Memory is not swapped to disk.
LOGGING POLICY
What is logged:
- Tool name, timestamp, response status, latency — for usage tracking and billing.
- Authentication events (login, logout, failed attempts) — for security monitoring.
- Rate-limit events (blocked requests) — for abuse detection.
- Error stack traces (with PII redacted) — for debugging service issues.
What is never logged:
- Tool input arguments (file paths, search queries, URLs you analyze).
- Tool output content (code, analysis results, architecture diagrams).
- API key plaintext values.
- Request or response bodies.
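
The API key check (SHA-256 hash comparison) and the metadata-only logging policy described above can be combined as in the following added example, which is not Zephex's own code. The function names, the constructed key and IP address, and the keyed-HMAC scheme for IP hashing are assumptions; the page does not say how IP addresses are hashed.

```python
import hashlib
import hmac
import time

# Assumption: server-side secret for keyed IP hashing (constructed value).
IP_HASH_SECRET = b"constructed-demo-secret"
# Only these fields may be persisted (the "Yes" rows of the table above).
LOGGABLE_FIELDS = ("tool", "timestamp", "status", "latency_ms", "key_hash", "ip_hash")

def hash_key(api_key: str) -> str:
    # Unsalted SHA-256 is adequate only because API keys are long random
    # values; it would not be adequate for user-chosen passwords.
    return hashlib.sha256(api_key.encode("utf-8")).hexdigest()

# Constructed key store: holds digests only, never the plaintext key.
KEY_HASHES = {hash_key("zx_constructed_demo_key_0001")}

def validate_key(presented: str):
    """Return the key's digest if it is known, else None."""
    digest = hash_key(presented)
    ok = False
    for stored in KEY_HASHES:
        ok |= hmac.compare_digest(digest, stored)  # constant-time compare
    return digest if ok else None

def to_log_record(event: dict) -> dict:
    """Allow-list filter: anything not named in LOGGABLE_FIELDS is dropped."""
    return {k: event[k] for k in LOGGABLE_FIELDS if k in event}

def handle_call(api_key: str, client_ip: str, tool: str, arguments: dict, run_tool):
    """Validate, run the tool, and return (result, record_to_persist)."""
    started = time.time()
    key_hash = validate_key(api_key)
    if key_hash is None:
        return None, to_log_record({"tool": tool, "timestamp": int(started),
                                    "status": "unauthorized"})
    try:
        result, status = run_tool(**arguments), "success"
    except Exception:
        result, status = None, "error"
    event = {
        "tool": tool, "timestamp": int(started), "status": status,
        "latency_ms": round((time.time() - started) * 1000),
        "key_hash": key_hash,
        "ip_hash": hmac.new(IP_HASH_SECRET, client_ip.encode(), hashlib.sha256).hexdigest(),
        "arguments": arguments, "output": result,  # in memory only, never logged
    }
    return result, to_log_record(event)
```

Because the record is built by allow-list rather than by deleting known-sensitive fields, a new field added to the event later stays out of the log until it is explicitly approved.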
INFRASTRUCTURE
- All tool execution happens in isolated, stateless containers.
- No shared host kernel between tenants.
- Memory is not swapped to disk.
- Container images are rebuilt from scratch on each deploy.
- All data processing occurs in the United States.
DATA DELETION
When you delete your account (Dashboard → Settings → Delete Account):
- All API keys are immediately revoked and hashes deleted.
- Profile data, usage events, and notification preferences are removed within 30 days.
- Stripe subscription is canceled immediately.
- Billing records are anonymized (retained for tax compliance, but no longer linked to your identity).
- Audit logs referencing your account are purged within 30 days.
- Email queue entries are deleted immediately.
COMPLIANCE POSTURE
- GDPR — data minimization, right to erasure, right to portability, 30-day response SLA.
- CCPA — no sale of personal information, deletion on request.
- SOC 2 Type II — infrastructure providers maintain SOC 2 compliance. Zephex inherits these controls.
- No model training — user data is never used to train, fine-tune, or evaluate AI models.
- Data residency — all primary data processing occurs in the United States.