Security and trust
Updated July 14, 2026
Corent routes AI media generation, which means customers trust us with prompts, outputs, and money. This page explains how that trust is protected, in plain language, and what we do and do not promise.
Architecture in one paragraph
Your request arrives over HTTPS, is screened by our content filter, routed to a model provider, and the output is copied into our own storage so you get a stable URL. We are a thin, stateless routing layer: no GPUs of our own, no card numbers on our servers, and every infrastructure layer is a managed platform with its own security team.
Practices
- All traffic is encrypted in transit (TLS); data is encrypted at rest by our storage providers.
- API keys are 256-bit random values, stored only as hashes, revocable instantly, and shown once.
- Every new API key starts with a $10/day spend cap; you control per-key rate and spend limits.
- Payment webhooks are signature-verified; billing is idempotent, so retries cannot double-charge.
- Failed generations are never billed, and every charge is auditable per request via receipts.
- Prompts are screened before reaching any provider; abuse is enforced across all endpoints.
- We do not use your prompts or outputs to train AI models.
What we inherit from our platforms
Our infrastructure runs on platforms that maintain their own audited certifications: Supabase (SOC 2 Type II), Fly.io (SOC 2 Type II), Vercel (SOC 2), and Stripe (PCI DSS Level 1). Corent itself is an early-stage company and does not yet hold its own SOC 2; we say so plainly rather than imply otherwise. If your procurement process needs specific documentation, email hello@corent.tech.
Subprocessors
Third parties that may process customer data, and why:
| Provider | Purpose | Location |
|---|---|---|
| fal | AI model inference (image and video generation) | United States |
| Anthropic | Natural-language request planning (/v1/intent) | United States |
| Supabase | Database, authentication, and media storage | United States |
| Fly.io | API hosting | United States |
| Vercel | Website and dashboard hosting | United States |
| Resend | Transactional email | United States |
| Stripe | Card payments | United States |
| NOWPayments | Cryptocurrency payments | European Union |
The model provider list will grow as we add routing sources; this page is the canonical list and is updated before new subprocessors handle customer data.
Honest limits
We publish live status and reliability data instead of an uptime SLA. Generated media URLs are served from our storage; treat them as public links and do not embed secrets in prompts. Data residency today is United States by default; if you have in-region requirements, talk to us before relying on the service for that use.
Reporting
Security issues: security@corent.tech. Abuse or illegal content: abuse@corent.tech. We respond to security reports within 48 hours.
