Security & Privacy
Your data never touches our servers. Here's exactly how it works.
Bring Your Own Key (BYOK)
W uses a BYOK architecture. You provide your own OpenAI or Anthropic API key. When you run a workflow, your input is sent directly to the AI provider using your key. We orchestrate the request — we don't store it.
What we store
Your API key
Stored encrypted in our database (Supabase). Used only when you trigger a workflow. You can delete it at any time from Settings.
Usage metadata
We track which workflow you ran, when you ran it, and the token count (for rate limiting). We do NOT store your inputs or outputs.
Account info
Email address (from Google OAuth), subscription tier, and integration settings (Telegram bot token, Slack webhook URL, etc.).
What we never store
- Your workflow inputs (the text, data, or context you provide)
- AI-generated outputs (the results of your workflows)
- File contents (if you upload files for processing)
- Meeting transcripts, emails, or any personal content
API key security
- Your API key is encrypted before storage and decrypted only at the moment of use.
- Keys are never exposed in API responses, logs, or client-side code.
- You can revoke and re-add your key at any time from Settings.
- We recommend using a dedicated API key for W with usage limits set on your OpenAI/Anthropic dashboard.
Infrastructure
- Database: Supabase (PostgreSQL) with encrypted storage.
- Authentication: Google OAuth via NextAuth.js. No passwords stored.
- Hosting: Vercel with automatic HTTPS/TLS encryption.
- Payments: Razorpay handles all payment data. We never see your card details.
- Integration webhooks: Telegram and Discord signatures are verified using Ed25519 cryptography before processing.
Questions about security? Email us at support@devloytech.in