A gateway you can audit in an afternoon.

Every /v1/* request requires a Clerk-issued API key (ak_* prefix). We verify it on the edge via clerk.apiKeys.verify() and cache the result for 60 seconds in Cloudflare KV. Revoking a key from the dashboard immediately invalidates the cache via Clerk webhook — no waiting period.

We never see your password or session credentials. Clerk handles signup, MFA, OAuth, password resets and email verification end-to-end. The qlaud edge sees only the verified bearer token and the Clerk user_id it resolves to.

We hold one shared key per upstream provider as a Cloudflare Worker secret. Customer requests are authenticated by your ak_* key — we then attach our provider key on the outbound call to DeepSeek / Groq / OpenAI / etc. Your key is never forwarded.

Per-customer cost attribution flows through the cf-aig-metadata header Cloudflare AI Gateway logs alongside every call. Your usage stays attributable in our analytics + AIG's, but neither customers nor upstream providers can see each other.

Each tenant's wallet lives in a dedicated Cloudflare Durable Object — a single-threaded SQLite instance that only the qlaud edge can talk to. Atomic by construction; no two requests can race the same balance.

Wallet movements (debits + credits) are idempotent on a request id. A retried Stripe webhook, a network hiccup that double-fires a debit — both are caught at the DO ledger's primary-key constraint. Replaying an event ten times moves the balance once.

Stripe holds your card data, not us — Checkout runs on checkout.stripe.com. We receive a verified webhook on completion and credit the wallet.

Our edge logs the metadata needed to bill and debug: request id, model slug, provider, token counts, latency, status. We do not log prompt content or response bodies. Cloudflare AI Gateway also keeps its own logs of every upstream call — those include the raw request/response by default. You can disable that in your CF AIG dashboard if you don't want even Cloudflare to retain the bodies.

Edge access logs (status codes, IPs) live for 30 days in Cloudflare R2. Wallet ledger and usage events live in D1 indefinitely — you can request deletion under GDPR / CCPA from the dashboard.

The data plane is 100% Cloudflare Workers — no VPS, no Kubernetes, no long-running processes for an attacker to find. Cloudflare runs Workers in isolated V8 isolates with no shared filesystem, no shared memory, no per-tenant network stack to escape.

The control plane (dashboard) runs on the same Cloudflare account via OpenNext. Static + server routes; no Postgres, no Redis. The whole production surface is auditable in a single wrangler.toml.

Today: qlaud inherits the security posture of its dependencies — Cloudflare (SOC 2 Type II, ISO 27001), Clerk (SOC 2 Type II), Stripe (PCI DSS Level 1). Our own application code is auditable end-to-end on GitHub.

Targeting Q3 2026: SOC 2 Type II for the qlaud application itself.

If you need a DPA or BAA today: email security@qlaud.ai. We have templates ready for both.

Email security@qlaud.ai. PGP key on request. We acknowledge within 24 hours. Critical bugs land in production within 72 hours of confirmed reproduction.

We don't run a paid bounty yet — but we publicly credit researchers in this page's blog when fixes ship.