API7.ai Trust Center

API7.ai holds SOC 2 Type II, ISO/IEC 27001:2022, HIPAA, and GDPR compliance certifications. Our SOC 2 report is available under NDA — click the "Request Access" button in the Resources tab to submit a request. Our security team will review and provide the report to your business email.

API7.ai employs multiple layers of security including TLS encryption for data in transit, AES-256 encryption for data at rest, role-based access control (RBAC) for dashboard and API traffic, mutual TLS (mTLS) for service-to-service communication, Web Application Firewall (WAF), audit logging with sensitive field masking, and continuous security monitoring. All credentials, SSL certificates, and plugin configurations are encrypted before storage.

API7.ai uses AES-256 encryption for data at rest and TLS 1.2+ for data in transit. User credentials are salted and encrypted using PBKDF2 before storage. SSL certificates and sensitive plugin configuration fields are also encrypted. Audit logs mask sensitive information to prevent accidental exposure.

API7 Gateway provides comprehensive access control through Role-Based Access Control (RBAC) for both dashboard and API traffic management, Access Control Lists (ACLs) for fine-grained API consumer permissions, permission policies and boundaries for organizational-level controls, and IP restriction for allow/deny list enforcement. The platform also supports integration with external identity providers via OAuth 2.0/OIDC and SSO.

API7 Gateway provides built-in security features including authentication (Key Auth, Basic Auth, HMAC, JWT, OAuth 2.0/OIDC), mutual TLS (mTLS) for both client-to-gateway and gateway-to-upstream communication, Web Application Firewall (WAF) with monitor and block modes, rate limiting and traffic throttling, data masking for sensitive fields, IP allow/deny lists, and comprehensive audit logging.

API7.ai maintains a comprehensive vulnerability management program that includes Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), dependency scanning, and container image scanning. We continuously monitor for CVEs affecting our products. When vulnerabilities are identified, we follow a patch → release → advisory workflow. We also conduct periodic security audits by reputable third-party security firms.

Yes, API7.ai engages reputable third-party security firms to conduct periodic penetration testing. The results are available under NDA — you can request access through the Resources tab on this page.

Yes, API7.ai supports data residency requirements in multiple regions. For API7 Cloud, data processing and storage infrastructure is available in designated regions. For API7 Enterprise (self-hosted), customers have full control over data location as the platform is deployed in their own infrastructure. Contact our team for specific regional availability.

API7.ai collects personal information necessary to provide our services, including name, job title, company, phone number, email address, mailing address, and usage preferences. We also collect technical data such as server logs, device information, and cookies. We do not sell personal data to third parties. For full details, please refer to our Privacy Policy.

API7.ai is committed to GDPR compliance. Data subjects can exercise their rights including access, correction, and deletion of personal data by contacting support@api7.ai. We process such requests in accordance with applicable data protection laws and respond within the legally required timeframes.

API7.ai maintains a documented incident response plan with defined roles, communication protocols, and remediation procedures. When a security incident is detected, our contingency plans are activated immediately. Affected customers are notified within 72 hours of confirmed incidents, as required by applicable regulations. Post-incident reviews are conducted to prevent recurrence.

API7 Enterprise offers a 99.95% uptime SLA for on-premises deployments. API7 Cloud provides a 99.9% monthly availability target. Our Technical Support Policy details support tiers with response times ranging from 30 minutes (Critical, Enhanced) to 16 business hours (General, Standard). Full details are available in our Technical Support Policy.

Yes, API7.ai maintains business continuity and disaster recovery procedures including regular server backups, data redundancy across availability zones, and documented recovery procedures. API7 Gateway itself is designed for high availability with active-active clustering, health checks, and automatic failover capabilities.

API7.ai follows a structured change management process. All code changes go through peer review, automated CI/CD pipelines with security scanning (SAST, DAST, dependency scanning), and container image signing. Releases follow semantic versioning with detailed changelogs and security advisories when applicable.

Please report security vulnerabilities privately through our GitHub Security Advisory system. Do not open public issues for security vulnerabilities. Include a description, steps to reproduce, affected versions, and potential impact. We follow coordinated disclosure — we will acknowledge your report promptly, keep you informed of progress, and coordinate disclosure timing with you before any public announcement.