Security, Availability, Compliance & Scalability.

Every API request is authenticated. Machine clients (the piqc scanner and cluster agents) use cluster-scoped API keys generated as cryptographically random values, transmitted once at issuance, and stored only as SHA-256 hashes. Human operators authenticate via email and bcrypt-hashed password and receive a short-lived session token (stored as a SHA-256 hash). Three roles are enforced at the framework level: viewer, operator, and admin. A cluster key authenticates only against its own cluster's endpoints — cross-cluster access returns HTTP 403 by construction. All key lifecycle events and operator actions are recorded in a tamper-evident audit log with the authenticated user's email as the actor. All external communication is over TLS. Bandit SAST scanning and pip-audit dependency auditing run on every CI build. Report vulnerabilities to security@paralleliq.ai.

Paralleliq targets 99.9% monthly uptime for the platform API. The API gateway is stateless and horizontally scalable — it can be restarted or replicated without data loss. All persistent state lives in PostgreSQL. Long-running operations are executed by Temporal, which provides durable execution guarantees: if a workflow worker restarts mid-execution, Temporal replays from the last checkpoint. Paralleliq is an optimization layer, not a data plane — your GPU workloads run independently of whether the Paralleliq API is reachable. A brief outage means you temporarily lose visibility and recommendations; your clusters do not stop processing.

Paralleliq is preparing for SOC 2 Type II certification. The platform collects only what it needs to operate: cluster metadata, GPU fleet facts (hardware configuration and utilization metrics), and audit events. No model weights, training data, inference inputs, or outputs are ever transmitted to Paralleliq. Personally identifiable information is limited to the contact email used to reach Paralleliq and is not stored in the platform database. Audit log records are retained for a minimum of 12 months. Customers with data residency requirements outside US-East should discuss this before signing.

Paralleliq is designed to manage GPU fleets from tens of GPUs to several thousand. The API gateway is stateless and scales horizontally. Long-running operations scale independently via Temporal workflow workers. A single Paralleliq deployment can manage multiple independent clusters across providers and regions, each with its own scoped API key and independent fact ingestion stream. There is no hard ceiling enforced at the API layer — very large fleets should be discussed during onboarding so the appropriate deployment topology can be selected.

Customers conducting a security review or vendor assessment are welcome to contact security@paralleliq.ai. We complete security questionnaires, provide architecture walkthroughs, and sign mutual NDAs before sharing implementation detail beyond what is covered here. To report a vulnerability, email security@paralleliq.ai directly — please do not open public GitHub issues for security matters.