Security

Your AI, your keys, your data.

Niyra is a personal AI agent — not a research lab dataset. We don't train on your conversations. Your keys are encrypted. Your chats are yours.

BYOK keys encrypted at rest

Your provider keys are AES-256-GCM encrypted with a separate key in Fly secrets. Decrypted only inside the request handler. Never logged, never returned, never used for anyone else.

Your chats stay yours

Conversation history is scoped to your user ID. Staff don't read your chats. Support requests ask you to share specific snippets — we never silently inspect.

OAuth-first integrations

55+ Composio integrations use OAuth, never raw passwords. Tokens auto-refresh proactively. Revoke any integration in one click — Niyra drops the token immediately.

Tool risk classification

Every tool is tagged with one of four risk levels: read-only, modify, destructive, or irreversible. Destructive actions ask for confirmation. Irreversible actions (delete data, send money) require explicit user approval each time.

Responsible disclosure

Found a vulnerability? Email security@niyra.ai or see /.well-known/security.txt. We respond in 48 hours, credit reporters, and never threaten legitimate researchers.

Infrastructure

TLS 1.3 in transit. PostgreSQL with row-level security on Supabase. Compute on Fly.io. No data in the EU yet — note if that's a blocker.

Security FAQ

How are my LLM provider keys stored if I use BYOK?
AES-256-GCM encryption at rest. Keys are decrypted only inside the AgentService request handler, never logged, never returned over the API, and never exposed to other users. The encryption key itself lives in Fly secrets, separate from the database.
Who can see my chats?
Only you. Niyra's backend stores conversation history scoped to your user ID; Avuvo staff don't read your chats. If you contact support, we don't auto-read your conversation — we ask you to share specific snippets you want us to debug.
Where is my data hosted?
Primary: PostgreSQL on Supabase (US-East). Compute on Fly.io. Vector memory in pgvector. Email outbound via Resend. Voice via ElevenLabs/Deepgram. Composio for integrations. All in transit over TLS 1.3.
Does Niyra train on my data?
No. We don't fine-tune models on user data. Memories you save are scoped to your account for retrieval only. LLM providers (Anthropic, OpenAI) have their own data-handling policies — we use Anthropic's enterprise terms when available.
What if I find a security vulnerability?
Report responsibly to security@niyra.ai. See https://niyra.ai/.well-known/security.txt for full disclosure policy. We respond within 48 hours and credit reporters on our hall of fame.
Can I delete my data?
Yes. The Settings panel has a 'Delete everything' option that wipes conversations, memories, records, and credentials. The deletion completes within 30 days (some backups roll off on a delay). Account closure also disconnects all OAuth integrations.
Is there an audit log?
Yes, for destructive actions. Tools tagged 'destructive' (delete event, archive email, send message) record an audit entry visible in Settings → Activity. Tool calls also log their inputs and outputs (visible to you, not us) for receipt-style review.
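
The tiers described under "Tool risk classification" and the audit entry from the FAQ answer above, as an added example that is not Niyra's code: a Python gate that decides whether a tool call may run. The tool names, the one-time approval token bound to the exact call, and the fail-closed default for untagged tools are assumptions made for illustration.

```python
import json
import secrets
from enum import IntEnum

class Risk(IntEnum):
    READ_ONLY = 0
    MODIFY = 1
    DESTRUCTIVE = 2
    IRREVERSIBLE = 3

# Constructed registry: tool names are hypothetical, not Niyra's.
TOOL_RISK = {
    "calendar.list_events": Risk.READ_ONLY,
    "calendar.update_event": Risk.MODIFY,
    "calendar.delete_event": Risk.DESTRUCTIVE,
    "payments.send_money": Risk.IRREVERSIBLE,
}

class ApprovalRequired(Exception):
    """Raised when a call needs user confirmation or approval first."""

def _call_id(tool, args):
    # Canonical form of one exact call, so an approval cannot be reused
    # for the same tool with different arguments.
    return json.dumps([tool, args], sort_keys=True)

class ToolGate:
    def __init__(self):
        self.audit = []      # entries for destructive and irreversible calls
        self._pending = {}   # one-time approval token -> exact call it covers

    def record_approval(self, tool, args):
        """Call only after the user has approved this specific call."""
        token = secrets.token_urlsafe(16)
        self._pending[token] = _call_id(tool, args)
        return token

    def authorize(self, tool, args, confirmed=False, approval=None):
        # Assumption: fail closed, an untagged tool counts as irreversible.
        risk = TOOL_RISK.get(tool, Risk.IRREVERSIBLE)
        if risk is Risk.IRREVERSIBLE:
            # pop() consumes the token: replayed or mismatched approvals fail.
            if self._pending.pop(approval, None) != _call_id(tool, args):
                raise ApprovalRequired(f"{tool}: approve this exact call")
        elif risk is Risk.DESTRUCTIVE and not confirmed:
            raise ApprovalRequired(f"{tool}: confirmation needed")
        if risk >= Risk.DESTRUCTIVE:
            self.audit.append({"tool": tool, "risk": risk.name, "args": args})
        return risk
```

Binding the approval to the serialized call rather than to the tool name is what makes "each time" enforceable: an approval for one payment cannot authorize a second call or one with a changed amount.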

Hall of fame

Security researchers who responsibly disclosed issues to Niyra. We credit by name (with permission) or pseudonym.

(No reports yet. Want to be the first? Get in touch.)

Have a security question we haven't answered?

security@niyra.ai

32+ Integrations: OAuth-first

5 Channels: Web, WhatsApp, Telegram, Discord, voice

100+ Native tools: Memory, voice, browser, automation

18 Skills: JIT-loaded per turn
