Security

Security built into the platform.

Datpaq is engineered as zero-trust from the ground up. Every API call authenticates with a key over TLS, traffic is rate-limited per plan, activity is audit-logged, and teams run as isolated tenants — the same plumbing across the REST API, the CLI, and the MCP server.

Contact us about securityHow agents authenticate

How we protect the platform

Security practices

The controls that apply to every Datpaq account, key, and API call.

Zero-trust architecture

Datpaq is engineered as zero-trust from the ground up. No request is implicitly trusted; every call is authenticated and authorized against the caller's key and plan.

API-key authentication

Requests carry a Datpaq API key as an x-api-key or Authorization: Bearer header. One key works across the REST API, the CLI, and the hosted MCP server, and keys are managed from the dashboard.

Encrypted in transit

All API traffic is served over HTTPS, so requests and responses are encrypted with TLS between your client and Datpaq.

Tiered rate limits

Every plan enforces rate limits and a flat monthly request ceiling, bounding traffic per tier and throttling abuse or accidental loops instead of billing open-ended overage.

Audit logging

Datpaq records request, error, security, business, and performance events, giving teams a trail of how their keys and APIs are used.

Multi-tenant isolation

Teams are isolated tenants. Account authentication is handled by Clerk, and each team's keys, usage, and audit history stay scoped to that team.

Secure billing

Payments are processed by Stripe. Datpaq does not store your card details; billing runs through Stripe's PCI-compliant infrastructure.

Reliability

Datpaq targets a 99.9%+ uptime SLA across tiers on multi-region infrastructure, so the platform stays available as your traffic grows.

Responsible disclosure

If you believe you have found a security vulnerability in Datpaq, please let us know through the contact page so we can investigate and respond. We appreciate reports made in good faith.

Report a security issue

FAQ

Common security questions

Quick answers about how Datpaq handles access, encryption, and logging.

How does Datpaq secure API access?

Every request authenticates with a Datpaq API key created in the dashboard, sent as an x-api-key header or as Authorization: Bearer. The same key works across the REST API, the CLI, and the hosted MCP server, and the platform is engineered as zero-trust from the ground up, so no request is implicitly trusted.

Is API traffic encrypted?

Yes. All Datpaq API traffic is served over HTTPS, so requests and responses are encrypted with TLS in transit.

Does Datpaq keep audit logs?

Yes. Datpaq records request, error, security, business, and performance events, giving teams an audit trail of how their keys and APIs are used.

How does Datpaq protect against abuse and runaway usage?

Each plan has tiered rate limits and a flat monthly request ceiling, so traffic is bounded per tier and abuse or accidental loops are throttled rather than billed as open-ended overage.

How do I report a security issue?

Reach the Datpaq team through the contact page. We welcome responsible disclosure of potential vulnerabilities.