Security
Everything below is true today — and where something isn’t built yet, we say so rather than imply it.
Your API key
Keys are issued, rotated, and revoked by you from your dashboard. The full secret is shown once, at creation; we store it hashed, so a database read can’t recover it. Every request authenticates with X-API-Key over TLS, and every response carries an X-Request-Id so a support question can be traced to the exact call. Revoke a key the moment you suspect it leaked — it stops working immediately.
Webhooks are signed and replay-protected
Every webhook carries an X-Webhook-Signature: sha256=… header, a signature computed over <timestamp>.<body> with your account secret, so you can verify each callback is really from us and hasn’t been tampered with. Reject stale timestamps to shut down replays. The exact verification code (Node & Python) is in the webhooks guide.
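A receiver-side sketch of the check described above, added here as an example; it is not Tunova's own code from the webhooks guide. It assumes the signature is hex HMAC-SHA256, the timestamp is Unix seconds delivered alongside the signature, and a 300-second tolerance. None of these are stated on this page, and the function names are hypothetical.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; not specified on this page


def expected_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    # Assumption: "sha256=" + hex HMAC-SHA256 over b"<timestamp>.<body>".
    signed = timestamp.encode() + b"." + body
    return "sha256=" + hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret, signature, timestamp, body, now=None):
    """Return "ok", or the reason the callback must be rejected.

    body must be the raw request bytes as received; re-serialising parsed
    JSON can change whitespace or key order and break the signature.
    """
    if not signature or not signature.startswith("sha256="):
        return "bad-format"
    expected = expected_signature(secret, timestamp or "", body)
    # Constant-time comparison so the check does not leak matching prefixes.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "bad-signature"
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return "bad-timestamp"
    now = time.time() if now is None else now
    # The timestamp is covered by the signature, so it cannot be refreshed
    # by someone replaying a captured callback.
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return "stale"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or a real payload.
    secret = b"constructed-account-secret"
    body = b'{"job_id":"job_123","status":"complete"}'
    ts = "1700000000"
    sig = expected_signature(secret, ts, body)
    print(verify_webhook(secret, sig, ts, body, now=1700000010))         # ok
    print(verify_webhook(secret, sig, ts, body + b" ", now=1700000010))  # bad-signature
    print(verify_webhook(secret, sig, ts, body, now=1700003600))         # stale
```

Return a non-2xx response for anything other than "ok", and log the reason together with the request's identifiers so rejected callbacks can be investigated.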
Idempotency
Pass an idempotency key on submit and a retried request returns the original job instead of starting a second one — safe to retry through timeouts and network blips without double-spending tokens.
Payments: nothing to leak
Tunova is prepaid, so there is no card on file to breach. Top-ups are handled by our payment processor (OxaPay) for crypto — we never see or store your card or wallet keys. Your balance is a hard spend cap; a compromised key can spend your remaining tokens, not reach a funding source.
Your data
We store the prompts you send and your job history to run the service and show your activity and ledger. Generated audio is served from Suno’s CDN; we keep the reference and metadata, not a second copy on our own storage. We don’t sell or share your prompts or output. Want your account and its data deleted? Email us and we’ll do it.
What we don’t have yet
We’re a young, independent service and we’d rather be straight with you than imply a compliance posture we haven’t earned: there’s no SOC 2 or ISO 27001 today, and no formal third-party audit is scheduled yet. What we do have is a small, auditable surface, the controls above, and a public changelog and status page so you can watch us operate.
Reporting a vulnerability
Found something? Email [email protected] with “Security” in the subject. We’ll acknowledge, work the issue with you, and credit you if you’d like. Please give us a reasonable window to fix before disclosing publicly.
See also the Privacy policy and Terms.