Security & Compliance
Data Protection

| Control | Implementation |
| --- | --- |
| Encryption | AES-256 at rest (Firebase), TLS 1.3 in transit |
| Data Residency | US/EU regions, selected by user location |
| PII Handling | Minimized collection, encrypted storage |
| File Retention | Automatic deletion from blob storage after 24 hours |
Compliance

| Framework | Coverage |
| --- | --- |
| GDPR | Right to erasure, data portability |
| CCPA | Opt-out mechanism |
| SOC 2 Type II | Enterprise tier |
| PCI Compliance | Card data handled only by hosted secure payment elements (SAQ-A scope) |
Vulnerability Mitigation

| Control | Implementation |
| --- | --- |
| Rate Limiting | Upstash Redis, keyed per user and per IP |
| DDoS Protection | Cloudflare plus Vercel DDoS mitigation |
| Input Validation | Zod schemas on all inputs |
| CSP Headers | Strict Content Security Policy |
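The rate-limiting row above states only that limits are enforced per user and per IP through Upstash Redis. The following is an added example, not the product's own code, showing the shape of such a limiter: a fixed window counted with an increment-then-expire step, keyed by the authenticated user id and falling back to the client IP. The `MemoryStore` class, the window size, the limit, the request shape (`req.userId`, `req.ip`) and the sample addresses are all constructed for the example; the in-memory store only stands in for the shared Redis store so the code runs offline.

```javascript
// Added example (not the product's own code): a fixed-window rate limiter keyed
// per authenticated user, falling back to the client IP, mirroring the
// INCR-then-EXPIRE pattern one would run against a Redis store.

const WINDOW_MS = 60_000; // one-minute window (constructed value)
const LIMIT = 30;         // requests allowed per window (constructed value)

// In-memory stand-in for the shared Redis store. It exists only so the example
// runs offline; in production every serverless instance must hit the same store,
// otherwise each instance enforces its own, much looser, limit.
class MemoryStore {
  constructor() {
    this.entries = new Map();
  }

  // Increment the counter for `key`, starting a new window when the old one has
  // expired. Returns the updated count and the window's expiry timestamp.
  incr(key, windowMs, now) {
    const current = this.entries.get(key);
    if (!current || current.expiresAt <= now) {
      const fresh = { count: 1, expiresAt: now + windowMs };
      this.entries.set(key, fresh);
      return fresh;
    }
    current.count += 1;
    return current;
  }
}

// Pick the identity to throttle. Authenticated users are limited by user id so a
// shared office/NAT address does not exhaust one bucket for everyone; anonymous
// traffic falls back to the client IP as reported by the platform (not a
// client-supplied header such as X-Forwarded-For, which the caller can forge).
function clientKey(req) {
  if (req.userId) return `user:${req.userId}`;
  return `ip:${req.ip ?? 'unknown'}`;
}

// Returns the limit decision plus the values needed for response headers.
function checkRateLimit(store, req, now = Date.now()) {
  const key = clientKey(req);
  const { count, expiresAt } = store.incr(key, WINDOW_MS, now);
  const allowed = count <= LIMIT;
  return {
    allowed,
    key,
    remaining: Math.max(0, LIMIT - count),
    retryAfterSeconds: allowed ? 0 : Math.ceil((expiresAt - now) / 1000),
  };
}

// Standard headers so well-behaved clients back off instead of retrying blindly.
function rateLimitHeaders(result) {
  const headers = {
    'X-RateLimit-Limit': String(LIMIT),
    'X-RateLimit-Remaining': String(result.remaining),
  };
  if (!result.allowed) headers['Retry-After'] = String(result.retryAfterSeconds);
  return headers;
}

// Demo: the 31st anonymous request from one address within a minute is refused,
// while a different anonymous address and an authenticated user are unaffected.
function demoRateLimit() {
  const store = new MemoryStore();
  const anon = { ip: '203.0.113.7' }; // constructed, documentation-range address
  let last;
  for (let i = 0; i < LIMIT + 1; i += 1) last = checkRateLimit(store, anon, 1_000);
  console.log(last.allowed, rateLimitHeaders(last));
  console.log(checkRateLimit(store, { ip: '203.0.113.8' }, 1_000).allowed);
  console.log(checkRateLimit(store, { ip: '203.0.113.7', userId: 'u1' }, 1_000).allowed);
  return last;
}

demoRateLimit();
```

Against a real Redis store the increment and the expiry must be applied atomically (a Lua script, a MULTI block, or a library such as the Upstash rate-limit SDK that does this for you), and the handler needs an explicit decision for the case where the store is unreachable: failing open keeps the service up under a store outage, failing closed keeps the limit honest under attack.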
Monitoring & Logging
```text
// Logging Framework
Framework: Winston + Vercel Log Drains
Levels: Error, Warn, Info, Debug
Redaction: API keys, PII automatically scrubbed
Retention: 30 days (Vercel), 1 year (Datadog for enterprise)

// Metrics Tracked
- request_duration_bucket (histogram)
- tool_invocation_total (counter)
- token_usage_total (counter)
- file_extraction_duration (histogram)
- subscription_revenue_total (gauge)
- active_users (gauge)
```
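The logging block says API keys and PII are scrubbed automatically but not how. The following is an added example, not the product's own code, of a redaction transform in the shape Winston expects (a function that receives the `info` record and returns the transformed one). The field names, regular expressions, `[REDACTED]` markers and the sample record are constructed for the example; a real deployment extends the lists to its own field names and key formats.

```javascript
// Added example (not the product's own code): a redaction transform that scrubs
// API keys and PII from a log record before it reaches a transport. Field names
// and patterns below are constructed for the example.

// Field names whose whole value is a secret or direct PII (compared case-insensitively).
const SECRET_FIELDS = new Set(['authorization', 'cookie', 'apikey', 'api_key', 'token', 'password', 'secret']);
const PII_FIELDS = new Set(['email', 'phone', 'ssn']);

// Patterns for secrets and PII embedded inside free-text messages.
const BEARER_RE = /\b(Bearer)\s+[A-Za-z0-9\-._~+/]+=*/g;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function redactString(text) {
  return text.replace(BEARER_RE, '$1 [REDACTED]').replace(EMAIL_RE, '[REDACTED_EMAIL]');
}

// Walk the record recursively. Keys are matched before values, so a field named
// `password` is dropped in full even when its value matches no pattern. `seen`
// stops infinite recursion on records with circular references (e.g. some errors).
function redact(value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') {
    return typeof value === 'string' ? redactString(value) : value; // numbers, booleans, null pass through
  }
  if (seen.has(value)) return '[CIRCULAR]';
  seen.add(value);
  if (Array.isArray(value)) return value.map((item) => redact(item, seen));
  const out = {};
  for (const [key, item] of Object.entries(value)) {
    const name = key.toLowerCase();
    out[key] = SECRET_FIELDS.has(name) || PII_FIELDS.has(name) ? '[REDACTED]' : redact(item, seen);
  }
  return out;
}

// Winston-style transform: takes the `info` object and returns the scrubbed copy.
function redactFormat(info) {
  return redact(info);
}

// Demo on a constructed record that mixes a message, nested PII and a raw header.
function demoRedaction() {
  const record = {
    level: 'info',
    message: 'login for alice@example.com with Bearer eyJhbGciOi.abc-123',
    user: { id: 42, email: 'alice@example.com' },
    headers: { Authorization: 'Bearer eyJhbGciOi.abc-123' },
    password: 'hunter2',
  };
  const scrubbed = redactFormat(record);
  console.log(JSON.stringify(scrubbed, null, 2));
  return scrubbed;
}

demoRedaction();
```

To wire this into Winston, wrap it with `winston.format(redactFormat)` and place the resulting format first in `format.combine(...)`, ahead of `format.json()`, so every transport receives the scrubbed record. Redacting at the formatter is a safety net, not a substitute for never passing raw request headers or user objects to the logger in the first place.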