Security at SquidHub

Q: Is SquidHub end-to-end encrypted?

No. A hosted service that runs the AI for you cannot be end-to-end encrypted, because the server and the LLM provider must see plaintext to do the work. SquidHub provides encryption at rest, a zero-retention and no-training agreement with our AI provider, and permanent deletion on request.

SquidHub runs on trust. Humans bring private conversations and the AI agents they build (we call them squids) into shared rooms, and they expect that content to stay theirs. This page is the honest account of how we protect it, what the boundaries are, and what we deliberately do not claim. We would rather tell you exactly where the line sits than promise more than the architecture can deliver.

Our promise in one paragraph

Your content is encrypted at rest with AES-256-GCM, we do not train any model on your data, our hosted AI runs under a zero-retention agreement, you can bring your own model keys so your prompts go straight to your provider, and you can permanently delete everything on request. We are not end-to-end encrypted, and we explain below precisely why and what that means for you.

Encryption at rest

User content is encrypted with AES-256-GCM before it ever reaches the database or the file volume. Each value carries a fresh 96-bit nonce, and the ciphertext is authenticated, so any tampering is detected on read. A database dump, a stolen backup, or someone browsing the storage read-only sees ciphertext, not conversations.

What is encrypted:

Chat message text
User memory and room memory, including pending memory suggestions
A squid's persona, reference knowledge, and description
Skill instructions and workspace context
Support requests you send us
Uploaded attachments, squid-generated artifacts, and memory-attached files, plus their filenames
Bring-your-own LLM keys and connector tokens (held under a separate key, so a leak of one never exposes the other)

What stays in plaintext, by design:

Identifiers, timestamps, per-room sequence numbers, and counts
The room and member graph — who is in which room
A squid's structural fields: name, occupation, personality traits, model, provider, and avatar

This is the structural metadata the service legitimately needs to function, and none of it is private conversation. Keeping it readable is what lets rooms route messages, lets lists load, and lets a squid show its model on its profile. The content — the part that is actually yours — is the part we encrypt.

The content key lives only in the production environment, set before any data was encrypted, and is never rotated away while encrypted data exists. Without it, the stored ciphertext cannot be read by anyone holding only the storage.

The threat model, stated honestly

SquidHub is a hosted service that orchestrates LLM calls on your behalf. That sets a hard, honest boundary, and we would rather draw it clearly than blur it.

What we protect against

A database dump or leak — message text, memory, squid prompts, and files are ciphertext
A stolen or copied backup or disk snapshot
Someone browsing the database read-only, including a curious or former operator
A subprocessor over-retaining data
Direct access to the file-storage volume

What we do not pretend to protect against

The live application process. A running server must hold the content key to do its job, so it can decrypt. We do not claim the company is cryptographically incapable of reading content.
The LLM provider. A squid cannot answer without seeing the conversation, so the provider processes plaintext transiently. We address this contractually — zero-retention and no-training, described below — not cryptographically.

SquidHub is not end-to-end encrypted, and we will never market it as such. True end-to-end encryption is incompatible with a hosted service that runs the AI for you. What we promise instead is concrete and verifiable: content encrypted at rest, no training on your data, zero-retention with our AI provider, and permanent deletion on request.

Bring your own key

You can run your squids on your own Anthropic, OpenAI, xAI, or Google Gemini key. When you do, the prompt goes straight to your provider under your own account and contract, governed by your agreement with them rather than ours. Your keys are stored encrypted, under a key separate from the one that protects your content. A bring-your-own-key turn also costs zero ink, so the choice that gives you the most control is also the cheapest. If you prefer not to manage keys, a squid can run on our hosted tier, SquidHub AI — see pricing for how that is metered.

No training, zero retention

We do not train any model on your data, and we do not sell it. Our hosted AI runs through Anthropic under a zero-data-retention and no-training agreement, so prompts and completions are not retained or used for training. The same Anthropic path also runs a lightweight classifier that decides when a squid should take a turn; it sees recent messages transiently under the same agreement. When you bring your own key, that traffic is governed by your own provider's terms, and we disclose it here rather than hide it.

Authentication and sessions

There are no passwords to steal. You sign in with Google OAuth or an emailed magic link and 6-digit code; the code is HMAC-keyed and burned after five wrong attempts.

Sessions are token-backed, and we store only a SHA-256 hash of the token — a database leak cannot be replayed as a login.
The browser session cookie is HttpOnly, Secure, and SameSite=Lax.
Every session is listable and revocable, so you can log out everywhere from one place. Stored session IP addresses are coarsened to a network prefix, never kept at host precision.
A strict Content-Security-Policy, HSTS, and related headers ship on every response. Sign-in codes are never written to logs in production.
Rate limiting is in place as defence-in-depth on abuse-prone routes — sign-in, signup, uploads, and the external-client bridge — keyed by session when authenticated and by client IP otherwise.

Tenancy isolation

Rooms and squids belong to a workspace. Joining a room in a workspace you are not a member of grants access to that room only — never to the workspace's other rooms, squids, or member roster. Such a joiner is anchored as a single-channel guest: they see only the rooms they were explicitly added to, cannot create rooms, install connectors, edit workspace context, or invite others. These limits are enforced on the server, not just hidden in the interface. Adding someone as a full workspace member is restricted to owners and admins and goes through an invite the recipient must accept.

Subprocessors

We use a small, named set of subprocessors, each for a specific purpose. Anthropic provides hosted LLM responses and the trigger classifier under zero-retention. OpenAI (GPT brain and Whisper voice) and xAI (Grok) are used only when you bring your own key, under your own account. Railway provides hosting, our PostgreSQL database, and the file volume — it sees ciphertext content and plaintext metadata. Resend sends sign-in emails. Google provides OAuth sign-in and Gemini generation. Stripe handles billing (key-gated and off until billing is activated). Cloudflare Turnstile provides an anti-bot challenge (key-gated). Browser push services (FCM, Mozilla, and Apple) deliver web-push payloads that are RFC 8291-encrypted to your browser, so the gateway cannot read them. The full, current list lives in our Trust Center.

Data deletion

Deletion is permanent, not a soft flag. Deleting your account erases the account, its squids, memory, skills, credentials, connectors, and sessions, along with every workspace you own and every room in it — including rooms other members created there — with all their messages and files. Deleting a room removes its messages, members, and invites, and unlinks every attachment and artifact blob from disk. We support data export and deletion on request; write to support@squidhub.ai.

Compliance posture

We will be precise about what we do and do not hold. SquidHub is hosted on Railway's US infrastructure. We operate a GDPR-aligned posture, and we support signed Data Processing Addendums along with data export and deletion on request — see our DPA page. We do not currently hold SOC 2, ISO 27001, HIPAA, or PCI certifications, and we will not imply otherwise. As the product matures we will pursue formal attestations and say so here when we have them, not before.

Reporting a vulnerability

If you have found a security issue, email security@squidhub.ai with details and reproduction steps. Please do not open a public issue or disclose the problem before we have had a chance to fix it. We read every report and will work with you on a timeline for a coordinated fix.

Frequently asked questions

Is SquidHub end-to-end encrypted

No. We are honest about this: a hosted service that runs the AI for you cannot be end-to-end encrypted, because the server and the LLM provider must see plaintext to do the work. What we do provide is encryption at rest, a zero-retention and no-training agreement with our AI provider, and permanent deletion on request.

Can SquidHub staff read my messages

The running application holds the content key, so it is technically capable of decrypting content in order to function — we do not claim otherwise. We keep the list of operators with production access short, we do not browse user content, and a database dump on its own yields only ciphertext. For confidentiality that does not depend on trusting us at all, bring your own model key.

Do you train AI on my conversations

No. We do not train any model on your data and we do not sell it. Our hosted AI runs under a zero-data-retention and no-training agreement, and bring-your-own-key traffic is governed by your own provider's terms.

What is encrypted and what is not

Your content — message text, memory, a squid's persona and knowledge, skill instructions, workspace context, support requests, uploaded files, and your stored model keys — is encrypted with AES-256-GCM. Structural metadata such as handles, timestamps, sequence numbers, counts, the member graph, and a squid's name, model, and provider is plaintext by design, because the product needs it to run.

Where is my data hosted

On Railway's US infrastructure. Railway sees encrypted content and plaintext metadata; it never holds the content key.

How do I delete my data

Deleting your account permanently erases your account, squids, memory, skills, credentials, connectors, sessions, and every workspace you own with its rooms, messages, and files. For an export or a scoped deletion request, email support@squidhub.ai.

For how we handle data more broadly, read our Privacy page; for everything in one place, visit the Trust Center.