Security & Privacy

Voxel is designed from the ground up to handle sensitive neural data responsibly.

Project Isolation

Every project is a hard boundary. API keys are scoped to individual projects. Data cannot leak across project boundaries.

Audit Logging

Every mutation — key creation, revocation, session lifecycle events — is recorded in an immutable audit log with actor attribution.

Data Deletion

Hard-delete APIs remove all sessions, raw samples, and computed features for a given user. Deletions are themselves audit-logged.

Security checklist

Project-scoped API keys
SHA-256 key hashing (raw keys never stored)
Immutable audit logs
Hard deletion APIs (GDPR-ready)
Rate limiting per API key
JWT authentication with configurable expiry
CORS configuration
Batch-level idempotency
Encryption at rest (planned)
SOC 2 Type II (planned)
HIPAA BAA (planned)

API Key Security

Raw API keys are displayed exactly once at creation time and are never stored. Voxel persists only the SHA-256 hash of each key, along with a short prefix for identification purposes. Keys are scoped to individual projects and can be revoked instantly, immediately invalidating all requests using that key.

Rate Limiting

Every API key is rate-limited to 60 requests per minute with a burst allowance of 120 requests. This protects your infrastructure from accidental floods and deliberate abuse while providing enough headroom for normal operation.

Infrastructure

In self-hosted mode, you control all data. Voxel runs entirely within your own infrastructure — no telemetry, no external calls, no data leaving your network. You own the database, the compute, and every byte of neural data your users generate.

Compliance Roadmap

GDPR Compliant

Hard deletion APIs, audit logging, and data processing agreements available. EU data residency coming Q2 2026.

SOC 2 Type II — Q2 2026

Third-party audit in progress. Security controls, monitoring, and incident response procedures already in place.

HIPAA BAA — Q3 2026

Encryption at rest, PHI access controls, and Business Associate Agreements for covered entities. Contact security@voxel.dev for early access.

Voxel is developer infrastructure for research and experimentation. It is not certified as a medical device and should not be used for clinical diagnosis. Compliance certifications listed as “planned” are on our roadmap but not yet achieved.