Security & Data Handling

Last updated: April 2026

LogCast processes log files that may contain sensitive information. This page explains how we protect your data, what our automated redaction engine detects, and what steps you should take before uploading logs.

How Log Analysis Works

1. You upload a log file to your private, encrypted storage bucket.
2. Our injection detector scans the file for prompt injection patterns that could manipulate the AI system.
3. Our redaction engine scans the entire file and replaces detected sensitive data with [REDACTED:TYPE] markers.
4. Only the redacted version is sent to the AI provider. Your original file is never sent to any AI service.
5. The AI analysis is streamed back to you and saved to your account.

What We Automatically Redact

Our redaction engine detects and replaces the following categories of sensitive data:

API Keys & Authentication Tokens

• AWS access keys (AKIA...)
• AWS secret keys
• Anthropic API keys (sk-ant-...)
• OpenAI API keys (sk-...)
• Stripe API keys (sk_test_/sk_live_/rk_...)
• GitHub personal access tokens (ghp_/gho_/ghu_/ghs_/ghr_...)
• Generic API key patterns in configuration-style lines (api_key=..., secret_key=...)
• Bearer tokens in authorisation headers
• JSON Web Tokens (JWTs)

Private Keys

• RSA private keys
• EC (elliptic curve) private keys
• DSA private keys
• OpenSSH private keys

Financial Data

• Credit card numbers (Visa, Mastercard, Amex, Discover, JCB — validated with Luhn algorithm)
• IBAN bank account numbers
• US bank routing numbers

Personal Identifiable Information (PII)

• Email addresses
• Phone numbers (US format)
• Social Security Numbers (US SSN format, with area code validation)
• IPv4 addresses
• IPv6 addresses

Credentials

• Passwords embedded in URLs (://user:password@host)
• Password fields in configuration-style lines (password=..., secret=...)

What We Might Miss

Automated pattern matching has inherent limitations. Our redaction engine may not detect:

• Custom or proprietary key formats not matching known patterns
• Sensitive data in non-standard encodings (ROT13, custom encryption, etc.)
• Domain-specific identifiers (patient IDs, internal employee numbers, etc.)
• Personally identifiable information in non-US formats (non-US phone numbers, national IDs from other countries)
• Sensitive data split across multiple log lines
• API keys or tokens from lesser-known services
• Natural language containing personal details (e.g., “User John Smith logged in from London”)
• Base64-encoded content that doesn't match known injection patterns

How to Sanitise Your Logs Before Upload

We strongly recommend the following steps before uploading log files:

1. Remove credentials: Strip API keys, passwords, tokens, and secrets from your logs. Most logging frameworks support filtering sensitive fields.
2. Mask PII: Replace email addresses, phone numbers, names, and other personal data with placeholders.
3. Use staging/test data where possible: Prefer logs from non-production environments that don't contain real user data.
4. Review before upload: Do a quick search for common patterns like “password”, “secret”, “token”, “key” in your log file.
5. Strip IP addresses: If your logs contain user IP addresses, consider anonymising or removing them.

Encryption & Storage

• In transit: All data is transmitted over TLS (HTTPS).
• At rest: Your uploaded files and analysis results are stored in encrypted storage provided by Supabase.
• Access control: Row Level Security (RLS) policies ensure you can only access your own data. No other user can see your files or analyses.
• BYOK encryption: If you bring your own LLM API keys, they are encrypted using AES-256-GCM with per-user derived keys. The encryption master key is stored separately from the database.

Reporting Security Issues

If you discover a security vulnerability or have concerns about data handling, please contact us immediately at security@nonatomic.io. We take all reports seriously and will respond promptly.