DAIRX is a GPU compute aggregation platform. We route your workloads to infrastructure operated by third-party GPU cloud providers. We do not operate data centers or physical hardware. Our security responsibility centers on protecting your account, payment data, provider credentials, and SSH keys — everything that passes through our platform between you and the underlying compute.
Account authentication is handled by Clerk, a dedicated identity provider. Clerk manages session tokens, multi-factor authentication, password hashing, and brute-force protection. We do not store passwords or raw authentication credentials in our database.
All authentication traffic is encrypted in transit via TLS 1.2+. Session tokens are short-lived and rotated automatically. Clerk maintains SOC 2 Type II compliance for their authentication infrastructure.
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Credit card numbers never touch our servers. All billing data is tokenized by Stripe and stored in their PCI-compliant vault.
We store only Stripe customer and subscription identifiers in our database — no raw card numbers, CVVs, or billing addresses.
SSH keys are used to access GPU instances provisioned through DAIRX. Private keys are encrypted at rest using AES-256-GCM before storage. The encryption key is derived from environment secrets that are not stored alongside the encrypted data.
When you provision an instance, the SSH key is decrypted in memory only for the duration needed to establish the connection or configure the instance. Keys are never logged, never included in error reports, and never transmitted to third parties.
DAIRX integrates with multiple GPU cloud providers. API credentials for each provider are stored as encrypted environment variables, isolated per deployment. Provider credentials are never exposed to the client, never included in API responses, and never shared between users.
Each provider integration uses the minimum required API permissions. We do not request or store administrative access to provider accounts beyond what is needed to provision, monitor, and terminate instances on your behalf.
The DAIRX platform is hosted on Vercel with Cloudflare for DNS, DDoS protection, and edge caching. All traffic is served over HTTPS. HTTP Strict Transport Security (HSTS) headers are enforced across all routes.
Content Security Policy (CSP) headers restrict which scripts, styles, and external resources can execute in the browser — mitigating cross-site scripting (XSS) and code injection attacks. Additional protections include X-Frame-Options to prevent clickjacking, X-Content-Type-Options to block MIME-type sniffing, and a strict Referrer-Policy.
Object storage for file uploads and checkpoints uses Cloudflare R2, which provides S3-compatible storage with zero egress fees. Access to R2 buckets is restricted to server-side API routes with scoped credentials.
DAIRX does not access, read, or store the contents of your GPU instances. We provision and manage the lifecycle of instances — we do not inspect what runs on them. Your training data, models, and outputs remain entirely under your control on the provider's infrastructure.
Platform data (account information, instance metadata, billing records) is stored in a PostgreSQL database hosted by Neon with encryption at rest and in transit. Database access is restricted to server-side API routes and is not exposed publicly.
Application errors are tracked using Sentry. Error reports are scrubbed of sensitive data before transmission. SSH keys, API tokens, passwords, and payment information are excluded from error payloads via configured data scrubbing rules.
If you discover a security vulnerability in the DAIRX platform, please report it to hello@dairx.com. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had an opportunity to investigate and address them.