Security & Data Handling

How 1K4 handles your data. Two modes, two policies. No ambiguity.

Two modes of operation

1K4 operates in two distinct modes with different data handling policies:

API Proxy (stateless)

Your request arrives, we validate your API key, route to the right provider, and stream the response back. No content stored. We log only billing metadata (model, tokens, cost). This is the mode used by external apps (Cursor, TypingMind, etc.).

Lab (stateful)

The Lab workspace stores conversations, project files, and agent operation logs to power the agent experience. This data is encrypted at rest and in transit. It is accessible only through your authenticated session. It is never used for model training.

API Proxy: what happens to your request

Your App

↓ HTTPS

1K4 Router

↓ HTTPS

AI Provider

↓ HTTPS

Response

Metadata only: model, tokens, cost. No content stored.

The proxy is stateless. Request content is never written to disk, database, or log file. Body logging is disabled at the infrastructure level.

Lab: what we store and why

The Lab workspace stores data to enable agent capabilities:

  • Conversations: Chat history for context continuity across sessions
  • Project files: Documents, code, and assets managed by the agent
  • Operation logs: Agent actions, tool calls, and task coordination data

This data is encrypted at rest and in transit. It is accessible only through your authenticated session. You may request deletion at any time.

Local models (Bridge)

When using the 1K4 Bridge with local Ollama models, all model inference runs on your hardware. The Bridge connection carries orchestration signals between Lab and your Ollama instance. Your machine does the thinking.

Billing metadata (API Proxy)

Every API request generates one metadata record for billing:

Field          Example
Timestamp      2026-04-08T03:21:01Z
Model          claude-sonnet-4-5
Input tokens   847
Output tokens  1,203
Credit cost    0.02061
Latency        2.4s

This metadata exists for billing accuracy. Retained up to 90 days.

Encryption

  • In transit: TLS everywhere. All traffic routed through Cloudflare.
  • At rest: Account data and Lab content encrypted at rest on self-hosted infrastructure.
  • No plaintext hops: HTTPS between every component in the chain.

Authentication

  • Google OAuth and GitHub OAuth
  • Magic links (passwordless email)

No password storage. Session tokens are SHA-256 hashed, stored as httpOnly Secure cookies with SameSite=Lax, and expire after 30 days. Expired sessions are automatically purged.
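One way to implement the session handling described above, as an added example that is not 1K4's code. It assumes the raw token travels in the cookie while only its SHA-256 digest is kept server-side; the cookie name `session`, the in-memory `SESSIONS` store and the function names are hypothetical.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 24 * 3600  # 30 days, the lifetime stated on the page
SESSIONS = {}  # hypothetical store: sha256(token) hex -> (user_id, expires_at)

def _digest(token):
    # Tokens are high-entropy random values, so an unsalted SHA-256 is enough
    # to make a leaked session table useless for impersonation.
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(user_id, now=None):
    """Return (raw_token, Set-Cookie value); only the digest is stored."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    SESSIONS[_digest(token)] = (user_id, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True   # not readable from page JavaScript
    cookie["session"]["secure"] = True     # sent over HTTPS only
    cookie["session"]["samesite"] = "Lax"  # withheld on cross-site subrequests
    cookie["session"]["max-age"] = SESSION_TTL
    cookie["session"]["path"] = "/"
    return token, cookie["session"].OutputString()

def validate(cookie_header, now=None):
    """Return the user id for a live session cookie, else None."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" not in jar:
        return None
    record = SESSIONS.get(_digest(jar["session"].value))
    if record is None or record[1] <= now:  # unknown token or expired
        return None
    return record[0]

def purge_expired(now=None):
    """Delete expired session rows; returns how many were removed."""
    now = time.time() if now is None else now
    expired = [d for d, (_, exp) in SESSIONS.items() if exp <= now]
    for d in expired:
        del SESSIONS[d]
    return len(expired)
```

Expiry is enforced server-side in `validate`, so a client that ignores `Max-Age` gains nothing by replaying an old cookie.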

API key security

  • Keys are scoped per project. Create multiple projects, each with its own key.
  • Keys are revocable instantly. Regenerating invalidates the old one immediately.
  • Shown once at generation time. Cannot be recovered after creation.
  • All API traffic authenticated per-request. Invalid keys rejected before reaching any provider.

Provider data policies

When 1K4 forwards your request to a provider, that provider's data handling policies apply. All providers we work with confirm that API data is not used for model training. 1K4 forwards requests as-is; your relationship with each provider's policy is the same as a direct API call.

Questions?

Contact [email protected]