> ## Documentation Index
> Fetch the complete documentation index at: https://eli.work/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How ELI keeps your information secure — and how you stay in control.

ELI protects your workspace with encryption and carefully managed access
controls, using your data only to provide the features and functionality you
need. Here's how we keep your information secure, and how you stay in control.

## The credentials you connect

To measure your stack, ELI stores an admin API key or an OAuth token for each
tool you connect. Because these credentials matter, we protect them accordingly:

<CardGroup cols={2}>
  <Card title="Encrypted at rest">
    API keys you connect are stored as AES-256-GCM ciphertext. We never keep them
    in plaintext.
  </Card>

  <Card title="Never shown again">
    Once saved, a key is never returned to your browser or displayed back, not
    even to you.
  </Card>

  <Card title="OAuth where possible">
    For tools that support it, we use scoped OAuth tokens through a managed
    connector vault instead of long-lived keys.
  </Card>

  <Card title="Revoke anytime">
    Disconnect a tool and we stop using its credentials and remove them.
    Revocation takes effect immediately.
  </Card>
</CardGroup>

We request only the access needed to read your tools, seats, and spend, and we
use those credentials solely for that, plus any management action you explicitly
ask for.

## What ELI can see — and can't

<Columns cols={2}>
  <Card title="Can read" icon="circle-check">
    * Tool names, categories, and active status
    * Monthly spend and seat counts per tool
    * Active vs. inactive usage
    * Team members and tool assignments
    * Flagged tools — ghost, redundant, underused
    * Renewal dates and contract terms
  </Card>

  <Card title="Never accessible" icon="circle-xmark">
    * Your stored connector keys (encrypted, never exposed — even to you)
    * Raw payment card numbers (held by Stripe, never by ELI)
    * Your passwords or login credentials
    * Data from any other workspace
    * Destructive tool actions without tool-management permission
  </Card>
</Columns>

## Management actions

**You stay in control.** Beyond reading, ELI can run management actions on a
connected tool — deactivate a departed member, change a role, reduce seats, or
cancel a license — but only when you explicitly ask. Destructive actions are
gated behind tool-management permissions, scoped to your workspace, and recorded
in your activity log.

## How your data is protected

<CardGroup cols={2}>
  <Card title="In transit">
    All traffic runs over HTTPS (TLS 1.2+).
  </Card>

  <Card title="At rest">
    Data is encrypted at rest (AES-256); connector credentials are additionally
    sealed with AES-256-GCM.
  </Card>

  <Card title="Workspace-isolated">
    Every request is scoped to your workspace. A credential for one workspace can
    never read or act on another.
  </Card>

  <Card title="No model training">
    Your data is never used to train or fine-tune any AI model, internal or
    external.
  </Card>
</CardGroup>

## Access tokens

AI clients connect through OAuth 2.0 or a Personal Access Token you generate in
workspace settings. Personal Access Tokens are **stored only as a hash** (we can
never recover the original), are scoped to your workspace, expire, and can be
revoked instantly — revocation takes effect on the next request.

<Warning>
  Treat a token like a password: don't share it, don't commit it to source
  control, and revoke it the moment you suspect it's exposed.
</Warning>

## Payments & cards

Card issuing and billing run through Stripe. Raw card numbers are held by Stripe
and never touch ELI's systems.

## Compliance & data handling

ELI relies on a small set of vetted sub-processors for hosting, payments, AI, and
analytics — we share the list on request.

We retain your data for as long as your workspace is active and delete it on
request or account closure: workspace data can be deleted from your settings, and
we honor account-deletion requests. You can request access to or deletion of your
data at any time. We're actively working toward SOC 2 and ISO 27001.

## Reporting a vulnerability

Found a security issue? Email [security@techbible.ai](mailto:security@techbible.ai).
We investigate every report and will keep you updated on the fix.
