Andsent

Security at Andsent

Last updated 14 July 2026

Andsent holds spend, budget and usage data: commercially sensitive by definition. The platform is built so that the least possible data is collected, everything sensitive is encrypted, and every tenant is isolated from every other.

What we hold, and what we never hold

We hold aggregated usage and cost facts (tokens, requests, spend per day per resource), your budget ledger, team structure, and member names and work emails. We never hold prompt or completion content: the provider admin APIs we sync from do not expose it and we do not ask for it. Budgets are envelopes, not surveillance.

Encryption

Provider admin keys are encrypted at rest with AES-256-GCM under a dedicated data key held outside the database; only a non-reversible fingerprint is ever shown in the interface, and keys are decrypted only at sync time. All traffic is TLS with HSTS. Passwords are hashed with scrypt and per-user salts; comparisons are constant-time. Sessions are HMAC-SHA256-signed, httpOnly, secure cookies.

Tenant isolation

Every query in the application is scoped by tenant id at the data layer; budget movements go through a double-entry ledger whose entries are append-only and sum to zero, so history cannot be silently rewritten. Worked demo examples live in a dedicated demo workspace and never appear in customer workspaces.

Access, audit and abuse controls

Role-based access separates admins, budget holders and members. Administrative actions (funding, reallocation, approvals, policy changes, credential changes, sign-ins) are written to a per-tenant audit log. Registration and sign-in are rate-limited per address.

Least-privilege connections

Connections use read-only admin keys with the narrowest scopes the provider offers, used exclusively to sync your own organisation's usage. Revoking the key at the provider kills our access instantly; you can also revoke the stored credential from the Connections page, which deletes the ciphertext.

Infrastructure and durability

The service runs on Google Cloud with continuous, encrypted replication of the datastore. Deploys go through an automated gate (tests, typecheck, end-to-end checks) and roll out as zero-traffic candidates that must pass health checks before serving, with automatic rollback.

Your model data

Optional AI-written summaries (the overview briefing) send only the aggregate figures already on your screen, never credentials, member emails or raw records, and only when you configure a key for it. We do not train models on your data.

Disclosure

Found a vulnerability? Email security@andsent.com and we will respond within two working days. Please do not test against workspaces you do not own.