Security

BazaarLink is built around Taiwan-local compliance and data protection, helping enterprises access the world's AI models with confidence. This page explains how we handle data residency, encryption, access control, and operational security.

Core Commitments

Data resides in Japan — not mainland China, not the US

Your data is processed and stored in the Tokyo, Japan region, hosted on cloud platforms certified to ISO 27001 and SOC 2. Data does not transit mainland China and does not land on US soil — balancing data sovereignty with world-class infrastructure security.

Successful relay requests do not persist full conversation content

For ordinary successful relay requests, BazaarLink does not store full prompts or model responses as product data. We primarily retain usage metadata required for billing and operations (timestamp, model, token count, cost, latency). For troubleshooting and abuse investigation, error paths may store truncated request summaries or upstream error bodies.

Upstream model providers, public probes, model tests, and image/video generation features have their own data-handling boundaries; the full documentation controls those details.

Security Measures

Encryption everywhere

Site-wide enforced HTTPS/HSTS in transit and encryption at rest; customer API keys are stored as one-way SHA-256 hashes (non-reversible), login passwords hashed with bcrypt.

Access control & org isolation

Least-privilege access; only authorized internal staff reach the back office. Enterprise customers grant access by role (admin / billing viewer / team manager / member); each organization's data is strictly isolated.

Audit & monitoring

Key operations — login, quota changes, key changes — leave audit trails (actor, time, source IP); system anomalies are monitored in real time for internal operations only.

Abuse & overspend protection

Request rate limiting, per-minute/per-hour spend circuit breakers, provider circuit breaking, and anomalous IP/domain blocking prevent abuse and unexpected overspend.

Incident notification

We maintain an incident-response process: detect → contain & remediate → notify. After confirming a major incident affecting customer data, we promptly notify affected customers by email within the timeframe required by Taiwan's Personal Data Protection Act, describing the scope and our response; the binding notification terms are set out in our Privacy Policy.

Availability (honest disclosure)

This is an AI model relay service with multi-provider routing and failover. Model inference is ultimately executed by upstream official APIs, whose availability BazaarLink cannot unilaterally guarantee. If a paid plan or enterprise contract includes a specific SLA, that agreement controls; this public page does not create a general SLA, RTO, or RPO commitment.

Need the full Information Security Overview?

We can provide the full Information Security Overview, a Data Processing Agreement (DPA), and an NDA to support your procurement and compliance review.

[email protected]