Security
Transport
- TLS 1.2 or higher is required. HTTP is not served.
- HSTS is enabled on all *.datamingle.ai hosts.
Authentication
- API keys are bearer credentials — anyone in possession of the string can act as you.
- Keys are only displayed once, at creation. They cannot be retrieved afterwards, only rotated.
- Keys can be scoped to a subset of resources and actions — see Scopes.
- Keys may carry an expiration. Requests after expiry are rejected with 401.
Recommendations for callers
- Store keys in a secret manager. Not in source, not in CI config files, not in environment files checked into git.
- Rotate annually at minimum. Rotate immediately on exposure.
- One key per environment and per service. Don't share a single key across staging, production, and a batch job.
- Allowlist outbound hosts if your integration runs in a locked-down network — the only host you need is <your-tenant>.datamingle.ai.
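As an added example (not Datamingle's own SDK), a small Python helper that applies the rules above on the caller side: the key is read from a variable a secret manager injects, only https:// URLs under *.datamingle.ai are accepted, the key value never reaches a log line (only a fingerprint), and a 401 is surfaced as a signal to rotate the key rather than retry. The environment variable name, the exception type and the request path are assumptions.

```python
import hashlib
import os
from urllib.parse import urlparse

ALLOWED_SUFFIX = ".datamingle.ai"  # the only host an integration needs

class KeyRejected(Exception):
    """Raised on 401: the key is expired, revoked or wrong. Rotate it, don't retry."""

def load_api_key(env_var="DATAMINGLE_API_KEY"):
    """Read the key from a variable your secret manager injects (assumed name), never from source."""
    key = os.environ.get(env_var)
    if not key:
        raise RuntimeError(f"{env_var} is not set; inject it from your secret manager")
    return key

def key_fingerprint(key):
    """Log-safe identifier: a truncated hash, never the bearer string itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def validate_base_url(base_url):
    """Return (True, host) or (False, reason) against the transport rules: https only, *.datamingle.ai only."""
    parsed = urlparse(base_url)
    if parsed.scheme != "https":
        return False, "HTTP is not served; the URL must use https://"
    host = (parsed.hostname or "").lower()
    # Suffix match including the leading dot, so lookalikes such as
    # 'acme.datamingle.ai.example.net' are rejected rather than allowed.
    if not host.endswith(ALLOWED_SUFFIX):
        return False, f"host {host!r} is outside the allowlist *{ALLOWED_SUFFIX}"
    return True, host

def build_request(base_url, path, key):
    """Return (url, headers) for a bearer-authenticated call, or raise on a disallowed URL."""
    ok, detail = validate_base_url(base_url)
    if not ok:
        raise ValueError(detail)
    headers = {"Authorization": f"Bearer {key}", "Accept": "application/json"}
    return f"https://{detail}{path}", headers

def check_status(status, key):
    """Turn a 401 into KeyRejected carrying only the key's fingerprint; pass other statuses through."""
    if status == 401:
        raise KeyRejected(f"key {key_fingerprint(key)} rejected with 401 (expired or revoked); rotate it")
    return status
```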
Audit trail
Every inbound integration request is recorded with timestamp, method, path, raw body, mapped body, response, and the API key's name (not value). See Inspecting logs.
Authentication-layer events (rejected keys, expired keys, missing scopes) are recorded separately and visible under Security → API key activity in the dashboard.
Data handling
- In transit: TLS-terminated at the edge, TLS-only between platform services.
- At rest: Database and backups are encrypted with platform-managed keys.
- PII scope: The Datamingle API stores whatever you send (order customer info, metadata). Do not send credentials, payment card numbers, or health data — these are not the kind of data this platform is designed for.
- Retention: Integration log entries are retained for 90 days (raw + mapped payloads). Resource records follow your tenant's configured retention.
Reporting a vulnerability
If you discover a potential security issue, email the security contact listed in your service agreement. Do not file a public ticket. We follow responsible-disclosure practice and will acknowledge within one business day.