
Production Endpoints

| Service | URL |
| --- | --- |
| API | https://api.imarobot.ai |
| Developer Portal | https://app.imarobot.ai |
| Docs | https://docs.imarobot.ai |

Technology Stack

API

  • Runtime: Node.js 20 / Express
  • Hosting: Railway — US region
  • Authentication: Bearer token (sk_live_ / sk_test_ / pk_live_), keys stored as SHA-256 hashes — plaintext never persisted
  • Rate limiting: Sliding window per API key and IP, tiered by plan
  • Versioning: All endpoints versioned under /v1/

Developer Portal

  • Framework: React + TypeScript, built with Vite
  • Hosting: Railway — US region
  • Auth: Clerk — SOC 2 Type II certified

Database

  • Provider: Supabase — PostgreSQL
  • Security: Row Level Security (RLS) enforced on all tables — every query is scoped to the requesting organization
  • Region: US East

DNS & CDN

  • Provider: Cloudflare — DNS, CDN, DDoS protection, TLS termination

Sub-Processors

ImaRobot uses the following third-party sub-processors to deliver the service:

| Provider | Purpose | Data processed |
| --- | --- | --- |
| Railway | API & portal hosting | Code, logs, environment variables |
| Supabase | Database | Organizations, users, agents, API keys, verification logs |
| Clerk | User authentication | User identities, sessions |
| Stripe | Billing & payments | Payment methods, subscription data |
| Resend | Transactional email | Email addresses, send history |
| Cloudflare | CDN & DNS | Request logs (transient, not persisted) |
| Sentry | Error tracking | Stack traces, request context (no PII) |
| PostHog | Product analytics | Usage events, pageviews (anonymized) |

Data Retention

Log retention is determined by your plan:

| Plan | Monthly verifications included | Verification log retention |
| --- | --- | --- |
| Free | 500 | 30 days |
| Builder | 5,000 | 30 days |
| Developer | 25,000 | 90 days |
| Growth | 100,000 | 1 year |
| Enterprise | Custom | Custom (negotiated) |

You can request deletion of your data at any time by contacting privacy@imarobot.ai.

Security Practices

  • API keys — stored as SHA-256 hashes; the full key is shown once at creation and never again
  • Agent tokens — signed JWTs using RS256 with rotating key pairs
  • TLS — all traffic encrypted in transit via Cloudflare (TLS 1.2+)
  • RLS — database-level row isolation by organization; cross-tenant data access is structurally impossible
  • Rate limiting — all endpoints rate-limited by plan tier; no single key can exhaust shared resources
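
The hashed-at-rest API key handling in the first bullet above, sketched for Node.js as an added example; this is not ImaRobot's code. The in-memory `Map` stands in for the database, and `issueKey`, `revokeKey`, `authenticate`, the 32-byte key length and the record fields are assumptions.

```javascript
const { createHash, randomBytes } = require("node:crypto");

// Key prefixes named on this page. Everything else here is an assumption.
const PREFIXES = ["sk_live_", "sk_test_", "pk_live_"];

// Stand-in for the API keys table: hex SHA-256 digest -> key record.
const keyStore = new Map();

function sha256Hex(value) {
  return createHash("sha256").update(value, "utf8").digest("hex");
}

// Issue a key: the plaintext is returned once and only its digest is stored.
function issueKey(prefix, orgId) {
  if (!PREFIXES.includes(prefix)) throw new Error("unknown key prefix");
  // 32 random bytes: an unsalted fast hash is only acceptable because the
  // secret is high-entropy and machine-generated, unlike a password.
  const plaintext = prefix + randomBytes(32).toString("base64url");
  keyStore.set(sha256Hex(plaintext), { orgId, prefix, revoked: false });
  return plaintext;
}

// Revoke by plaintext (hypothetical helper); the digest is the lookup key.
function revokeKey(plaintext) {
  const record = keyStore.get(sha256Hex(plaintext));
  if (record) record.revoked = true;
  return Boolean(record);
}

// Resolve an Authorization header to a key record, or null on any failure.
function authenticate(authorizationHeader) {
  const match = /^Bearer ([A-Za-z0-9_-]+)$/.exec(authorizationHeader || "");
  if (!match) return null;
  const token = match[1];
  // Reject unknown prefixes before hashing or touching the store.
  if (!PREFIXES.some((p) => token.startsWith(p))) return null;
  const record = keyStore.get(sha256Hex(token));
  return record && !record.revoked ? record : null;
}
```

Because the store holds only digests, a lost key cannot be recovered from it and has to be reissued, which matches the "shown once at creation" behaviour described above.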

Roadmap

  • SOC 2 Type I — targeted Q3 2026
  • Biometric-bound approval flows — targeted Q3 2026

GDPR & Privacy

ImaRobot is GDPR-compliant. EU customers can:
  • Access their data — email privacy@imarobot.ai
  • Delete their data — we’ll process deletion within 30 days
  • Export their data — available on request
  • Object to processing — contact us and we’ll respond within 72 hours
A Data Processing Agreement (DPA) is available for Growth and Enterprise customers. Contact privacy@imarobot.ai to request one.

Questions?

Security questions or vulnerability reports: privacy@imarobot.ai