
# Data protection

What Andromeda stores about you and your users, and how it is protected.

## What is stored

* **API keys**: only a SHA-256 hash. The raw key is shown once at creation and is never recoverable.
* **Operational state**: quotas, the idempotency cache, webhook endpoint configuration, future-sign triggers, policy subscription records.
* **Audit log**: a per-tenant hash chain of actions, with sanitised payloads. See below.
* **Identity records** (only when the [identity layer](/hub/andromeda/concepts/identity.md) is enabled): identities, account links, email tokens.
* **dWallet cache**: a cache of on-chain dWallet state for speed. The authoritative copy is on Solana.

## Identity data: encryption at rest

When identity is enabled, the sensitive fields (identity records, account-link records, and email-token rows) are wrapped with AES-256-GCM before being written to the database. A database dump is therefore not directly a PII dump.

{% hint style="warning" %}
This hardening is in progress during pre-alpha. Do not assume a database leak is fully PII-safe yet. See [Known limitations](/hub/andromeda/reference/limitations.md).
{% endhint %}

## Audit log sanitisation

Before an audit entry is written, its payload is reduced to an allowlist of keys, and string values are clamped to a bounded length. The log never contains secrets, raw signatures, or unbounded user data. Audit writes never block a user-facing flow; if a write fails, the flow still completes.

## Anti-enumeration

`POST /v1/identity/email/request` always returns `200 OK`, regardless of whether the address is known, rate-limited, or the mail transport failed. The endpoint cannot be used to discover which emails have accounts. Failures are logged server-side with a trace id; the client only ever sees success.

## Single-use tokens

Email magic links, OAuth state values, passkey challenges, and refresh tokens are consumed atomically (an update or delete gated on "not yet consumed"). Two concurrent verifications of the same token cannot both succeed.
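The "update gated on not yet consumed" pattern, as an added example that is not Andromeda's own code: the check and the state change are one `UPDATE`, and the affected-row count decides the winner. The SQLite schema, the function names, and the expiry column are assumptions made for illustration.

```python
import hashlib, os, secrets, sqlite3, tempfile, threading, time

# Constructed schema for illustration; not Andromeda's actual tables.
SCHEMA = """CREATE TABLE tokens (
    token_hash  TEXT PRIMARY KEY,  -- store a hash, not the token itself
    expires_at  REAL NOT NULL,     -- assumed expiry column
    consumed_at REAL               -- NULL means "not yet consumed"
)"""

def _connect(path):
    # Autocommit mode: every statement is its own transaction.
    return sqlite3.connect(path, timeout=10, isolation_level=None)

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def new_db():
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    conn = _connect(path)
    conn.execute(SCHEMA)
    conn.close()
    return path

def issue(path, ttl=600.0):
    token = secrets.token_urlsafe(32)
    conn = _connect(path)
    conn.execute("INSERT INTO tokens VALUES (?, ?, NULL)",
                 (_hash(token), time.time() + ttl))
    conn.close()
    return token

def consume(path, token):
    """Return True for exactly one caller per token.

    A SELECT followed by an UPDATE would leave a window in which two
    requests both see "unused"; a single gated UPDATE has no such window.
    """
    now = time.time()
    conn = _connect(path)
    try:
        cur = conn.execute(
            "UPDATE tokens SET consumed_at = ? "
            "WHERE token_hash = ? AND consumed_at IS NULL AND expires_at > ?",
            (now, _hash(token), now))
        return cur.rowcount == 1   # 0 rows: unknown, expired, or already used
    finally:
        conn.close()

def race(path, token, n=8):
    """Verify the same token from n threads at once; return every outcome."""
    results, barrier = [], threading.Barrier(n)
    def worker():
        barrier.wait()             # release all threads together
        results.append(consume(path, token))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return results
```

Unknown, expired, and already-used tokens all produce the same `False`, so the caller can return one uniform failure to the client.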

## Error handling

Error responses are sanitised: no stack traces, no internal detail, no PII. See [Error codes](/hub/andromeda/api-reference/errors.md). Logs that do contain detail stay server-side; what reaches the client is a stable code, a safe message, and a request id.

## GDPR

When identity is enabled, a user can export (`GET /me/export`) or delete (`DELETE /me`) their identifiable data. The on-chain dWallet is not deleted by this, and that limitation is stated to the user. See [Your data (GDPR)](/hub/andromeda/guides/gdpr.md).

## Secrets

Andromeda does not embed secrets in source or responses. The keys it signs with live in a KMS; see [Key management](/hub/andromeda/security/key-management.md). If you ever see something that looks like a leaked secret in an API response, report it; see [Responsible disclosure](/hub/andromeda/security/disclosure.md).

