Stipend handles API credentials and spend data for your workforce. We treat that responsibility as a first-order architectural constraint, not a feature.
Audited annually. Controls cover access management, encryption, availability, and change management across all infrastructure.
All data encrypted at rest (AES-256) and in transit (TLS 1.3). API keys are encrypted with per-tenant keys before storage.
SAML 2.0 and OIDC for single sign-on. SCIM for automated user provisioning and deprovisioning synced with your identity provider.
Data processing agreements available. Right-to-erasure supported. No prompt or response content is stored or logged by Stipend.
Stipend runs on isolated infrastructure with no shared tenancy at the compute layer. Our gateway processes requests in memory and does not persist prompt or completion content.
Every action in Stipend is scoped to authenticated, authorized principals. There is no anonymous access to any API surface.
Stipend processes API requests to enforce budget and policy controls. We do not store, log, or inspect the content of prompts or completions passing through the gateway.
For security questions, to report a vulnerability, or to request our SOC 2 report, contact security@stipend.dev.
Stipend is in early alpha. Apply for access — qualified teams can use Stipend at no cost during alpha, and we'll onboard your team personally.
We'll review your request and reach out if your team is a fit for alpha onboarding.