Skip to main content
ELI protects your workspace with encryption and carefully managed access controls, using your data only to provide the features and functionality you need. Here’s how we keep your information secure, and how you stay in control.

The credentials you connect

To measure your stack, ELI stores an admin API key or an OAuth token for each tool you connect. Because these credentials matter, we protect them accordingly:

Encrypted at rest

API keys you connect are stored as AES-256-GCM ciphertext. We never keep them in plaintext.

Never shown again

Once saved, a key is never returned to your browser or displayed back, not even to you.

OAuth where possible

For tools that support it, we use scoped OAuth tokens through a managed connector vault instead of long-lived keys.

Revoke anytime

Disconnect a tool and we stop using its credentials and remove them. Revocation takes effect immediately.
We request only the access needed to read your tools, seats, and spend, and we use those credentials solely for that, plus any management action you explicitly ask for.

What ELI can see — and can’t

Can read

  • Tool names, categories, and active status
  • Monthly spend and seat counts per tool
  • Active vs. inactive usage
  • Team members and tool assignments
  • Flagged tools — ghost, redundant, underused
  • Renewal dates and contract terms

Never accessible

  • Your stored connector keys (encrypted, never exposed — even to you)
  • Raw payment card numbers (held by Stripe, never by ELI)
  • Your passwords or login credentials
  • Data from any other workspace
  • Destructive tool actions without tool-management permission

Management actions

You stay in control. Beyond reading, ELI can run management actions on a connected tool — deactivate a departed member, change a role, reduce seats, or cancel a license — but only when you explicitly ask. Destructive actions are gated behind tool-management permissions, scoped to your workspace, and recorded in your activity log.

How your data is protected

In transit

All traffic runs over HTTPS (TLS 1.2+).

At rest

Data is encrypted at rest (AES-256); connector credentials are additionally sealed with AES-256-GCM.

Workspace-isolated

Every request is scoped to your workspace. A credential for one workspace can never read or act on another.

No model training

Your data is never used to train or fine-tune any AI model, internal or external.

Access tokens

AI clients connect through OAuth 2.0 or a Personal Access Token you generate in workspace settings. Personal Access Tokens are stored only as a hash (we can never recover the original), are scoped to your workspace, expire, and can be revoked instantly — revocation takes effect on the next request.
Treat a token like a password: don’t share it, don’t commit it to source control, and revoke it the moment you suspect it’s exposed.

Payments & cards

Card issuing and billing run through Stripe. Raw card numbers are held by Stripe and never touch ELI’s systems.

Compliance & data handling

ELI relies on a small set of vetted sub-processors for hosting, payments, AI, and analytics — we share the list on request. We retain your data for as long as your workspace is active and delete it on request or account closure: workspace data can be deleted from your settings, and we honor account-deletion requests. You can request access to or deletion of your data at any time. We’re actively working toward SOC 2 and ISO 27001.

Reporting a vulnerability

Found a security issue? Email security@techbible.ai. We investigate every report and will keep you updated on the fix.