Security

Security at a glance

• BYOK — your API keys, encrypted per tenant; never logged
• Tenant isolation — tenant_id on every JWT-backed request and storage path
• Role separation — admins configure keys; users run apps without handling secrets
• No data resale — subscription revenue only; we do not sell your prompts

Flexible BYOK security

• Customer-owned key management
• Audit-friendly governance controls
• Encrypted credentials end-to-end

Tenant isolation

• Multi-tenant architecture on one platform
• JWT-scoped APIs and object storage paths
• No cross-tenant key or document access

Provider choice

• OpenAI, Together, and Anyscale routing
• Training policies set in your provider account
• No token markup from EZ4Youtech

Core security controls

How we protect tenant data and credentials in the SaaS application.

• JWT authentication with tenant_id, plan, and role
• Fernet-encrypted BYOK keys in MongoDB Atlas
• Plan-based app and seat enforcement server-side
• Tenant-prefixed document storage (S3-compatible)

Authentication and access

• JWT on every authenticated API call
• bcrypt password hashing; login rate limiting per IP
• RBAC — superadmin, partner, tenant admin (BYOK setup), agent (apps only)
• Plan gating — plan_gating.py and seat_limits.py enforce catalog and seats

BYOK and AI routing

• Tenant admin saves provider keys once; users pick model per run
• Keys encrypted at rest; decrypted only for the outbound provider request
• No API keys in application logs
• Provider training / retention governed by your account settings

Data handling

• Uploads and run history under /tenant_id/... storage paths
• Not stored as a permanent chat log on OpenAI or Microsoft consumer products
• Production security headers (HSTS, X-Frame-Options, Referrer-Policy) when APP_ENV=production

Safer than consumer AI chat

Why business teams choose a BYOK workflow platform over generic ChatGPT or Copilot for daily work.

• You control model training via your paid provider account
• Tuned apps use fewer tokens and keep context in the platform
• Workflow history stays in your tenant — not sold for ads or training

Deployment and operations

Target production topology for the EZ4Youtech platform (USA-first).

• Public site on CDN; app UI and API on dedicated hosts
• MongoDB Atlas + S3-compatible storage per tenant
• BYOK calls routed to your chosen provider per request

Layer	Component	Security role
Edge	HTTPS / CDN	TLS for the public site and static assets
App	Streamlit + FastAPI	JWT auth, RBAC, plan gating, BYOK routes
Data	MongoDB Atlas	Tenants, users, encrypted credentials
Storage	S3	Tenant-scoped documents and artifacts
AI	BYOK providers	Your keys, your provider policies
Ops	CloudWatch / Datadog	Logs and alerts without logging secrets

Agent request flow

1. Agent signs in → JWT with tenant_id and plan.
2. App catalog loaded per plan; admin BYOK keys already configured.
3. Run submitted → API decrypts tenant key, calls provider, stores result under tenant scope.
4. Usage recorded for dashboards — not resold to third parties.

Technical depth: Architecture & security guide · Getting started

Your responsibilities

• Protect admin credentials and rotate BYOK keys per your policy
• Configure training / opt-out in your AI provider console
• Human-review client-facing outputs (especially regulated industries)
• Choose plan tier and seats that match real headcount

What we do not claim

Unless agreed in a signed enterprise agreement, we do not represent SOC 2 Type II, ISO 27001, HIPAA compliance, or FedRAMP authorization. We provide architecture documentation, pilot deployments, and honest answers for your security questionnaire.