prxy.monster / security
Security
prxy.monster is an LLM gateway. The important boundary is simple: API-key users bring their own provider key, and provider inference is billed directly by that provider. Managed MPP calls are separate and include the upstream call in the payment price.
Data handling
| Question | Answer |
|---|---|
| Do you store prompts? | Only when an enabled module needs retained state, such as context preservation, pattern extraction, or cache entries. Disable those modules to avoid retaining that data in prxy storage. |
| Do you store completions? | Cache modules can store response payloads for replay. Usage records store token/count/cost metadata, not full completions. |
| Do you train on data? | No. prxy.monster does not train foundation models on customer prompts or completions. |
| Where are provider keys stored? | Registered BYOK provider keys are encrypted with AES-256-GCM and are never returned in plaintext after registration. You can also pass provider keys per request where supported. |
| Can caching be disabled? | Yes. Remove `exact-cache`, `semantic-cache`, and `tool-cache` from the pipeline. |
| Can pattern learning be disabled? | Yes. Remove `patterns` from the pipeline. |
| What happens in local mode? | State lives in your local volume. There is no hosted billing, no cloud sync, and no prxy telemetry. Provider calls still leave your machine to the provider you configure. |
Responsible disclosure
Report security issues to [email protected]. See security.txt.
Last updated: 2026-05-03