Built to be evaluated.
This page describes current practice, not aspiration. If you're doing a security review and need more detail than what's here, write to us — we answer technical questions with technical answers.
Key handling
BYOK means we hold the most sensitive thing you can give us: credentials to your provider accounts. They are treated accordingly.
- Provider keys are encrypted at rest with envelope encryption — a unique data key per secret, wrapped by a master key that lives in a separate key-management service.
- Keys are decrypted only in memory, at call time, in the process making the provider request. Plaintext keys are never written to disk.
- Keys never appear in logs, traces, or error reports. Trace records reference providers by alias, not by credential.
- You can delete a key at any time from the dashboard or API. Deletion revokes it from the orchestrator immediately.
Data retention
Run traces — the drafts, critiques, and judge decisions behind each answer — are stored so you can replay and audit runs. You control how long.
- Retention is configurable per project, from the default window down to zero-retention mode, where traces are discarded as soon as the response is delivered.
- Your prompts, outputs, and traces are never used to train models — ours or anyone else's.
- Traces are encrypted at rest and scoped to your account.
Prompt-injection posture
A mixture pipeline moves model output between models, which is exactly where injection attacks live. The orchestrator is built around that assumption.
- The aggregator treats proposer drafts as untrusted content, not as instructions. Drafts are delimited and passed as data; a draft that says "ignore previous instructions" is judged, not obeyed.
- System prompts and tool access are isolated between layers. Proposers cannot see or alter the judge's instructions, and no layer inherits another layer's tool permissions.
- This layering follows OWASP guidance for LLM and agentic applications: treat all model-generated text crossing a trust boundary as attacker-controllable input.
Transport and infrastructure
- All traffic requires TLS 1.2 or higher, in and out.
- Provider calls go direct from our orchestrator to the provider — no intermediary proxies or resellers in the path.
- No third-party analytics or tracking runs on API paths. What your application sends to the API is seen by the orchestrator and your chosen providers, nothing else.
Responsible disclosure: found something? Tell us first.
Report vulnerabilities to security@moamao.com. We acknowledge every report within 72 hours, keep you updated while we investigate, and credit reporters who want credit. Please give us reasonable time to fix an issue before disclosing it publicly.
What we don't have — yet.
Honesty beats a wall of badges. Two things a serious evaluator will ask about are still in progress:
- SOC 2:not yet certified. A Type I audit is in planning; we'll publish status here as it progresses.
- SSO: single sign-on (SAML/OIDC) is coming with the Team plan.
Open beta: stop betting everything on one model.
Create a free account, generate an API key, and run your first mixture in minutes — or watch it work in the playground first. BYOK from day one.