WhiteBox is built for teams who need to trust their AI outputs. That means we hold ourselves to the same standard — every key, every decision, every audit log.
API keys are hashed with SHA-256 before storage. We never hold the plaintext — not in logs, not in backups, not in memory after issuance. Only you know your key.
All connections to whiteboxhq.ai and grpc.whiteboxhq.ai enforce TLS 1.3 with HSTS. Older protocol versions are rejected at the load balancer. Certificate transparency logs are monitored continuously.
Every decision write, key rotation, threshold change, and human-review verdict is appended to an append-only audit log. Logs are immutable, tamper-evident, and cannot be deleted by users.
WhiteBox runs on encrypted-at-rest DigitalOcean infrastructure. Decision payloads are encrypted using AES-256 before being written to persistent storage. Encryption keys are stored in a separate key management service, not co-located with the data.
Internal services communicate over private VPC networking. The public API surface is the only ingress — there is no SSH exposure on production hosts. All administrative access is gated by hardware security keys.
We welcome responsible security research. If you discover a vulnerability in WhiteBox, please report it to [email protected] before public disclosure.
We commit to: acknowledging your report within 2 business days, providing a status update within 7 days, notifying you when the vulnerability is patched, and crediting you in our security acknowledgements (if desired). We ask that you give us a reasonable window — typically 90 days — to address the issue before disclosure.
A formal bug bounty program is coming soon. In the meantime we will acknowledge and reward high-severity findings on a case-by-case basis. Critical vulnerabilities (RCE, authentication bypass, data exfiltration) will be prioritized for immediate triage and compensation.
WhiteBox is currently pursuing SOC 2 Type II certification. Our controls framework covers availability, confidentiality, and processing integrity across all production systems.