Security | Rewind.ai

A plain rundown of how your data is encrypted, where it is stored and what we never do with it.

Encryption in Transit

Every connection between your browser and Rewind.ai runs over HTTPS with TLS 1.2 or newer, and the API calls to our GPU inference servers are protected the same way. HSTS is enforced so a session cannot be downgraded to an unencrypted one.

Your Data Is Not Used for Training

Your prompts, the results you get back and any files you upload are never fed into model training, unless you choose to opt in. What you put in stays yours.

PCI-Compliant Payments

Payments are handled by Stripe, a payment processor certified at PCI Level 1. Your card number, CVV and full card details never reach our servers.

Open-Source & Auditable Models

Every model we self-host is open-source under a permissive license (Apache 2.0 or MIT). The weights, the architecture and the training method are all published, so anyone can audit them independently.

No Data Selling

We do not sell your personal data, rent it out or hand it to any third party for advertising or marketing. No exceptions.

Infrastructure Security

Our servers run on hardened VPS and cloud GPU machines. Access is by SSH key only, with no password login; security patches are applied automatically; and firewall rules restrict traffic to the ports we actually use. Database backups are stored encrypted.

Have a security concern? Contact us.

FAQ

Yes. Traffic between your browser and Rewind.ai uses HTTPS over TLS 1.2 or newer, and the API calls to our GPU inference servers are encrypted the same way. HSTS is enforced to block downgrade attacks.

No. Your inputs, outputs and uploaded files are never used to train AI models unless you explicitly opt in. That holds for free, paid and enterprise accounts alike.

Stripe handles all payment processing and is certified at PCI Level 1. We never keep your card number, CVV or full card details on our servers. Stripe holds the sensitive payment data.

Yes. Every self-hosted model is open-source under a permissive license (Apache 2.0 or MIT). The weights, architecture and training method are published on HuggingFace and GitHub for anyone to review.

No. We do not sell, rent or share your personal data with third parties for advertising or marketing. This is a firm policy with no exceptions.

Our servers use SSH key-only access with no password login, apply security updates automatically, restrict traffic to only the ports we need with firewall rules, and keep database backups encrypted. We follow standard security practices across all infrastructure.

Files you upload (images, audio, documents) are processed for the task you asked for and are not kept permanently. They are not used for training, shared with other users or sold to anyone.

We operate on GDPR principles: data minimization, purpose limitation and the right to deletion. Reach out if you need a Data Processing Agreement (DPA).

Yes. You can delete your account at any time from account settings, which removes your personal data, chat history and API keys. Deletion is permanent and runs immediately.

We watch for vulnerabilities continuously and patch them quickly. If you find a security issue, report it through the contact form. We take every report seriously and respond fast.

Yes. Two-factor authentication (2FA) is available on every account for an extra layer of protection. Enterprise accounts can require 2FA for all team members through their SSO provider.

API keys are hashed before they are stored and only ever sent over HTTPS. You can revoke and regenerate a key at any time from developer settings. We suggest rotating keys regularly and never sharing them publicly.
