Last updated: February 14, 2026
CCAPI is a multimodal AI API gateway that routes requests to multiple upstream providers. Protecting your data, credentials, and API traffic is central to how we build and operate the platform. We apply industry-standard security practices across every layer of the stack and continuously review our posture as the product evolves. If you work in a highly regulated environment, we encourage you to evaluate CCAPI just as you would any third-party API dependency.
All client-to-server and server-to-upstream-provider communication is encrypted with TLS 1.2 or higher. Our hosting environment enforces network isolation between services, and production systems receive regular security patches and dependency updates. Access to production infrastructure is restricted to authorized personnel through multi-factor authentication.
API access is authenticated via API keys issued through the CCAPI dashboard. Dashboard login uses Google OAuth, removing the need for CCAPI to store or manage passwords. Internally, access to production systems and administrative tools follows role-based access control, with permissions granted on a least-privilege basis.
CCAPI operates on a zero-retention policy for API request and response content. Prompts, completions, and generated media are forwarded to the upstream provider and returned to you -- they are never stored, logged, or used for training. We collect only the minimum metadata required for billing and usage analytics, such as token counts, model identifiers, and timestamps.
Your API keys are stored as irreversible cryptographic hashes -- we never retain plaintext keys after initial generation. Keys can be revoked instantly from the dashboard at any time. Each key has individual usage tracking, allowing you to monitor activity and detect anomalies on a per-key basis.
Request rate limiting is enforced at the edge via Upstash Redis to protect both the platform and upstream providers. We monitor traffic for anomalous usage patterns and automatically throttle or block requests that indicate abuse, credential stuffing, or denial-of-service attempts.
We target detection of security incidents within 24 hours of occurrence. Upon detection, our response process includes immediate containment, root-cause analysis, and mitigation. If a confirmed breach affects user data, we will notify impacted users within 72 hours. Every incident is followed by a post-mortem review to identify improvements and prevent recurrence.
If you discover a potential vulnerability, please report it to support@ccapi.ai. We will acknowledge your report within 5 business days and work to resolve confirmed issues promptly. Responsible disclosure is welcomed and appreciated -- we ask that you give us reasonable time to address the issue before any public disclosure.
You can delete your account at any time from the dashboard settings page. Upon deletion, we permanently remove all associated data -- including usage history, API keys, and account information -- within 30 days. No recoverable copies are retained after this period.
CCAPI follows GDPR-aligned data practices. We collect only what is necessary to provide the service, respect user rights to access and delete their data, and do not sell or share personal information with third parties. Our minimal-data-collection approach means there is very little personal data in our systems to begin with.
For security questions or concerns, contact us at support@ccapi.ai.