Security & Trust
Security · Trust · Disclosure

How we protect your
data & your fine-tunes.

ModelBrew is built by a small founding team, with the discipline of a much larger company. TLS 1.2+ everywhere. AES-256 at rest. Sub-hour dataset retention. We never train on your data. Found a security issue? Email us — we acknowledge within 5 business days, with safe-harbor protection for good-faith research.

Last reviewed: 2026-05-07 Disclosure contact: modelbrewai@gmail.com Changelog: section 0

What we shipped in the last two weeks.

We treat security as a release train, not a brochure. Below is the dated list of security-relevant commits that landed in Wave 5 and Wave 6 K (2026-04-23 → 2026-05-07). Every item links to a public commit SHA in this repo, with a one-line description of what it defends against. If we ship a fix that warrants a public note, it will appear here first.

W5 S1.1commit 89e3cc5

Cleaner LLM-judge prompt-injection harden

NFKC normalization, zero-width strip, role-flip detection, per-call random nonce fence, and a red-team fixture library that runs in CI on every change so the patches keep defeating the original payloads.

W5 S1.2 + S2 RT-2commits 265aed0, 2528708

Chat-template token strip

Stripped by default from every uploaded row across Qwen3 <think>, Llama-3 <|eom_id|>, Phi-4 <|im_sep|>, Mistral, and Gemma. Defends against tokenizer-token poisoning (ChatInject, arXiv 2509.22830).

W5 S1.3 + audit-fixcommits 75f579a, 2a99c19

Atomic per-user daily AI cost cap

Single SQL transaction enforces the soft daily ceiling across all five user-triggerable LLM-spending routes — judge, rewrite, polarity, preference-pair, scoring — so a runaway script cannot rack up a five-figure third-party bill before we notice.

W5 S1.4 + audit-fixcommits 2f63d07, 5b3ba58

IDOR existence-oracle defense

403 → 404 across /status, /start_cl_task, and 5 sibling endpoints, with response-time symmetry so an unauthenticated probe cannot distinguish "exists but not yours" from "doesn't exist."

W5 S1.7 + audit-fixcommits 6d8dcf4, 06ff906

Modal upload MIME / magic-byte validation

Rejects ZIP, PE, HTML, PDF, RAR, 7z magic bytes posing as CSV or JSONL, and runs a json.loads probe on the first JSONL line before the row stream begins.

W5 S2.2commit cf6780c

_billing_log correlation_id end-to-end

Every billing event — Stripe webhook → add_credits_auto_refund — is now traceable through a single correlation ID, so a refund or a duplicate webhook can be reconstructed deterministically from the audit log.

W5 S2.1commit 6b92b25

Public /security trust page

This page. Retention numbers cited to the code that enforces them; vulnerability disclosure with safe-harbor language; reviewable in version control.

W5 S2.32026-05-07 (DNS-verified)

Reporting channel live

Email modelbrewai@gmail.com for vulnerability disclosure. 5-business-day acknowledgement, 10-business-day initial assessment, safe harbor for good-faith research — details in section 6.

W6 K2commit c694e04

18 silent-corruption red-team tests

Adversarial matrix covering tokenizer-poisoning, lookalike-character spoofing, fix-order bypass, role spoofing, and mojibake against the cleaner pipeline. Runs in CI on every change.

W6 K1commit 42ecffd

Foundation-invariant property tests

Determinism + monotonicity + revert-on-degrade enforced by property tests. The cleaner cannot produce a row whose post-clean score is lower than its pre-clean score — by construction.

The full deployment posture — what runs on our cloud, what you can take home (the LoRA + CRMA adapter ZIP via GET /download/{run_id}), and what is honestly not built yet (on-prem, VPC peering, SOC 2 Type II) — lives on /deployment.

TLS 1.2+ everywhere.

All traffic to modelbrew.ai, app.modelbrew.ai, and the API at fourwheels2512--crma-finetune-fastapi-app.modal.run is served over TLS 1.2 or higher, terminated by Cloudflare (marketing & app) and Modal (API). HTTP requests are redirected to HTTPS, and the API sets HSTS with a long max-age so browsers refuse the plaintext fallback after the first visit.

Every API response carries a baseline of strict security headers: Strict-Transport-Security, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict Referrer-Policy, and a tight Permissions-Policy.

We do not train on your data.

No-train pledge

Datasets you upload for cleaning, fine-tuning, preference tuning, or continual learning are used only to run your own job. We do not use customer data to train, evaluate, or improve any base model, any of our own adapters, or any third-party model. We do not sell or share datasets. Your fine-tuned weights belong to you.

When the cleaner uses an LLM-as-judge step (Anthropic Claude or Google Gemini) to score or rewrite a row, we send only that single row to the upstream API and discard the response after applying it. We do not opt into any provider feature that retains prompts or completions for training. Your dataset is never aggregated into a corpus for our own model work.

Short retention by default. Account data sticks until you delete it.

Concrete numbers, matched to what the code actually enforces today:

Uploaded dataset files
Local copy: 1 hour · Training-infra copy: 7 days API-host upload artifacts are swept hourly; the copy on training infrastructure is removed with the run on the 7-day cleanup cron.
Model checkpoints (training infra)
Deleted within 7 days Adapter weights you choose to keep are exportable from the app before the sweep runs.
Account & billing records
Lifetime of your account Stripe holds card data; we hold credit balance + redacted billing events for financial records.
Session & idempotency keys
Auto-purged daily Stale auth refresh records and idempotency keys are swept by the same background loop.

Account deletion: email modelbrewai@gmail.com from the address on file. We confirm and remove account + billing rows; uploaded data is removed on the retention schedule above. See the Privacy Policy for GDPR / CCPA rights detail.

AES-256 on storage. Stripe holds card data. Turso replicas are encrypted.

  • Training infrastructure (Modal): volumes encrypted at rest with AES-256.
  • Database (Turso): primary + replicas are encrypted at rest by the provider; connections are TLS-only.
  • Payments (Stripe): we never see, store, or log full card numbers, CVCs, or expiry dates. Stripe is PCI DSS Level 1 and holds all card data.
  • Passwords: stored only as bcrypt hashes — we cannot recover or display your password.
  • API tokens: JWT access tokens with 8-hour expiry; refresh tokens are rotated; API keys are stored hashed and shown to you only at creation.

Adversarial-tested cleaner pipeline.

The dataset cleaner sits in front of every fine-tuning, preference-tuning, and continual-learning job. We treat its inputs as adversarial and test it accordingly:

  • Judge prompt-injection hardening. User-supplied row content is wrapped in delimiter fences with per-call random nonces, and literal control markers (OUTPUT:, <<INSTRUCTION>>, etc.) are pre-stripped before being passed to the judge or rewriter. A red-team fixture library runs in CI on every change to confirm the patches still defeat the payloads that originally bypassed them.
  • Chat-template token autofix. Special model tokens (<|im_start|>, [INST], <|begin_of_text|>, <bos>, </s>, <|endoftext|>) are stripped by default from every uploaded row, so a poisoned dataset cannot teach a fine-tune to break out of its assistant role at inference.
  • Per-user daily cleaner-AI cost cap. A soft daily ceiling (default $50) limits the per-account spend on judge / rewrite / polarity / preference-pair LLM calls, so a runaway script cannot rack up a five-figure third-party bill before we notice.
  • Score-floor + revert-on-degrade. The cleaner refuses to ship a row whose post-clean quality score is lower than its pre-clean score. If the rewrite would degrade the row, the original is kept.

Found a security issue? Tell us — safe harbor included.

We welcome reports from independent security researchers, customers, and curious users. If you believe you've found a vulnerability in any ModelBrew system, please email us before disclosing publicly so we can investigate and ship a fix.

Reporting channel

Email modelbrewai@gmail.com with steps to reproduce, the affected URL or endpoint, and your contact details.

What you can expect from us

  • Acknowledgement within 5 business days that we received your report.
  • An initial assessment (severity, scope, our planned next steps) within 10 business days.
  • Status updates while we work on a fix, and a notice when it ships.
  • Public credit in our changelog / security notes if you want it (and only if you want it).

Safe harbor for good-faith research

We will not pursue legal action against you, or ask law enforcement to investigate you, for security research conducted in good faith against ModelBrew systems, as long as you:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service degradation for other users.
  • Stop and contact us as soon as you encounter customer data, payment data, or credentials that aren't yours.
  • Use only your own test accounts — do not target other customers' accounts, runs, or datasets.
  • Give us a reasonable window to remediate before any public disclosure (we suggest 90 days, longer for complex issues).
  • Comply with all applicable laws.

Out of scope

  • Denial-of-service, volumetric, or load-testing attacks.
  • Social-engineering of employees, contractors, or other users.
  • Physical attacks against infrastructure or offices.
  • Reports from automated scanners with no demonstrated impact.
  • Issues already disclosed in our public changelog or release notes.

We are a small team and don't currently run a paid bug-bounty program. We do offer public credit and a sincere thank-you. If you'd prefer to remain anonymous, just say so in your report.