The smallest possible data footprint, by design.
Chainkit-cloud is a telemetry product, not an RPC proxy. Your blockchain traffic and provider credentials never reach us — the SDK calls upstream providers directly. What does reach us is what your SDK chose to send: the event envelope (filtered by a banlist), plus any caller-controlled debugging metadata and upstream error text the operator opted into. We don't pretend the bypass doesn't exist; see /privacy for the exact split.
We never see your RPC traffic
The chainkit SDK calls blockchain providers directly. Our cloud is observability + remote configuration only — the request path bypasses us by design. Take us out of your stack any time and your apps keep working.
Banlist on the event envelope
The top-level telemetry envelope — chain, network, operation, provider, attempts trace — runs through a banlist that rejects any property name matching addresses, xpubs, transaction ids, amounts, satoshi values, WIFs, or "key" suffixes. The banlist deliberately does NOT cover the caller-controlled metadata bag or upstream error text; those are operator-owned escape hatches. See /privacy for the full breakdown.
API keys are SHA-256 hashed
When you mint an API key the plaintext is shown exactly once. We store only the SHA-256 hash plus a routable prefix + last-four for display. We cannot reveal a lost key. That’s the point.
Encrypted at rest, encrypted in transit
MFA secrets and invitation tokens are AES-256-GCM at rest. All public endpoints terminate TLS. Postgres + Redis run on a private VPC; no public database endpoints.
Tiered retention windows
Raw event rows: 7 days by default. 1-minute aggregates: 30 days. 1-hour aggregates: 13 months. Per-plan overrides land with paid tiers. Aggregates carry no raw identifiers — only counts, percentiles, and classified error labels.
Open core
The SDK and the cloud agent ship MIT-licensed. The cloud control plane is source-available proprietary. The hot path — provider routing, scoring, retry — lives in code you can read and fork.
How long we keep what
These are the defaults. Paid tiers can extend each window. Aggregate rows (events_1m, events_1h) carry only counts and percentiles. Raw event
rows can carry whatever the SDK attached via operation metadata — that's an operator
decision, not a platform promise; the privacy notice spells out exactly
what's caller-controlled.
| Tier | Retention (default) | Why it exists |
|---|---|---|
| events_raw | 7 days | per-event drill-down, attempts trace |
| events_1m | 30 days | charts, alerts, budgets |
| events_1h | 13 months | historical baselines |
| score_events | 7 days | live scoreboard, score history |
| alert_events | 90 days | firing history audit trail |
What we're building toward
Honest list: the things we know our security-conscious customers will ask for. None of these are shipped today, but they are on the engineering roadmap rather than the marketing brochure.
- SOC 2 Type II — audit window scoped, not yet started.
- Per-project DEK encryption — envelope encryption for the future provider-credential vault.
- SSO / SAML / SCIM — deferred to enterprise tier.
- Region pinning — single region today, EU + US planned.
Security questions before signing up? Email security@chainkit.dev — happy to walk you through the threat model or sign whatever DPA / NDA you need.