How does Lava handle data security and privacy?

Security & Privacy

Lava is designed as a transparent proxy — we route your API requests to AI providers with minimal overhead and maximum security.

Data handling

  • No prompt storage. Lava does not store the content of your API requests or responses. Prompts and completions pass through our proxy and are forwarded directly to the AI provider.
  • Metadata only. We log request metadata for billing and analytics: model used, token counts, latency, timestamps, and cost. The actual prompt/completion text is not retained.
  • Encrypted in transit. All traffic between your application, Lava, and AI providers is encrypted with TLS 1.2+.

Authentication & access control

  • API key authentication. Each merchant gets unique secret keys for API access.
  • Forward tokens. End users authenticate via forward tokens that are scoped to their wallet and connection.
  • Clerk-based dashboard auth. Dashboard access is secured through Clerk with multi-factor authentication support.
  • Phone-based wallet auth. Wallet creation uses SMS OTP verification via Twilio.

Financial security

  • PCI compliant. Payment processing is handled entirely by Stripe — Lava never touches raw card numbers.
  • Prepaid model. The wallet system eliminates credit risk — users can only spend what they have already funded.
  • Auditable ledger. Every transaction is recorded in our transfer-based ledger with full traceability.

Infrastructure

  • SOC 2 compliant hosting. Deployed on Vercel (SOC 2 Type II) with PlanetScale (SOC 2 Type II) for database.
  • Redis caching. Upstash Redis for performance caching — no sensitive data stored in cache.
  • Rate limiting. Built-in rate limiting to protect against abuse.
Did this answer your question? Thanks for the feedback There was a problem submitting your feedback. Please try again later.