{"name":"The Leo King Business Intelligence API Procurement Packet","version":"v1","status":"public-contract","contractVersion":"2026-07-07.enterprise-trust-console-audit-webhook-versioning-limits-examples-support-procurement-conformance-data-processing-launch-readiness-access-control-compliance-map-ai-governance-v1","lastReviewedAt":"2026-07-07","packet":{"status":"live","publicContact":"mailto:partners@theleokingai.com","intendedAudience":["enterprise buyers","procurement reviewers","security reviewers","legal reviewers","technical evaluators"],"buyerPacket":["Company and product summary for The Leo King Business Intelligence API.","Dedicated production gateway and public OpenAPI contract.","Security packet, data-retention notes, and current subprocessor scope.","Compliance-readiness map with current evidence links and certification boundaries.","Public SLA targets, incident policy, and support escalation boundary.","Versioning, deprecation, migration, and rate-limit policy.","SDK package readiness, release gates, examples, and onboarding checklist.","Support packet fields required for production triage."],"securityReview":["Confirm server-side API-key storage and no browser/mobile key exposure.","Review data minimization guidance before sending birth data or campaign context.","Use request_id, key prefix only, endpoint, and sanitized payload shape for support.","Validate subprocessors against the current public security packet before production launch.","Rotate any exposed secret immediately and replace it with managed environment config."],"legalReview":["Public metadata does not create a contractual SLA, DPA, or custom retention obligation.","Signed terms are required before custom retention, audit export, allowlist, or private endpoint commitments.","Partner apps remain responsible for user notices, consent, display context, and downstream data handling.","No compliance certification is claimed unless it is published in the signed review packet."],"operationalReview":["Run gateway smoke against https://api.theleokingai.com before production traffic.","Run buyer-path usage proof for paid routes and reconcile request_id against usage ledger evidence.","Sample 1-3 fresh AI outputs after generation or prompt changes before declaring success.","Use /api/v1/incidents and /api/v1/support for production-impacting route or output-quality issues."],"unavailableUntilSignedTerms":["custom DPA or private data-processing terms","contractual SLA response windows","dedicated support contacts","IP allowlists","long-range audit export packages","custom retention schedules","private endpoint scopes or customer-specific model terms"],"requiredSignedArtifacts":["signed order form or enterprise agreement","DPA or data-processing addendum when applicable","custom SLA/support exhibit when promised","approved subprocessor or security-review acknowledgement","production launch checklist with smoke evidence"],"reviewBoundaries":["Public routes are safe for review and do not expose secret config.","Private readiness, env values, raw logs, raw prompts, and raw customer payloads require authenticated/internal process.","Procurement reviewers should use links in this packet rather than screenshots as the durable review source."]},"reviewItems":[{"category":"Security Controls","status":"live","owner":"platform","requirement":"Publish API-key handling, data minimization, rate-limit, and no-fallback-success controls.","evidence":"Security packet exposes public controls and partner expectations.","publicLink":"/api/v1/security"},{"category":"Data Handling","status":"live","owner":"shared","requirement":"Review retention boundaries and restrict support packets to sanitized operational evidence.","evidence":"Security and support routes publish data-retention categories plus never-include fields.","publicLink":"/api/v1/support"},{"category":"Compliance Mapping","status":"live","owner":"shared","requirement":"Map public controls to common enterprise review categories without claiming certifications that are not published.","evidence":"Compliance map identifies current evidence, framework-style mappings, and signed-term boundaries.","publicLink":"/api/v1/compliance"},{"category":"AI Governance","status":"live","owner":"shared","requirement":"Review generated-output quality gates, acceptable-use boundaries, restricted use cases, and escalation triggers before production launch.","evidence":"AI governance packet defines allowed, restricted, prohibited, human-review, and support-evidence boundaries.","publicLink":"/api/v1/ai-governance"},{"category":"Subprocessor Review","status":"beta","owner":"platform","requirement":"Expose current infrastructure, auth, billing, model, sidecar, rate-limit, and monitoring subprocessors.","evidence":"Security packet lists current subprocessors and the data scope for each.","publicLink":"/api/v1/security"},{"category":"SLA And Incidents","status":"live","owner":"platform","requirement":"Publish current availability targets, measurement boundary, incident fields, and postmortem policy.","evidence":"SLA and incidents routes expose public targets and current incident history status.","publicLink":"/api/v1/sla"},{"category":"Versioning And Migration","status":"live","owner":"platform","requirement":"Document compatibility guarantees, breaking-change artifacts, migration guides, and sunset requirements.","evidence":"Versioning and migrations routes publish lifecycle policy and route-specific migration guides.","publicLink":"/api/v1/migrations"},{"category":"Operational Proof","status":"beta","owner":"shared","requirement":"Run env gate, gateway smoke, buyer-path usage proof, and AI output-quality sampling before launch.","evidence":"Observability route and onboarding route publish production proof requirements.","publicLink":"/api/v1/observability"},{"category":"Legal Terms","status":"enterprise","owner":"shared","requirement":"Move DPA, custom retention, dedicated support, allowlists, and contractual SLA into signed terms.","evidence":"Procurement packet identifies what public metadata does and does not contractually promise.","publicLink":"/api/v1/procurement"}],"dataHandling":{"retention":[{"category":"API Request Metadata","status":"beta","retention":"Usage ledger retains request_id, endpoint, lane, credits, billable units, model metadata, and timestamps for billing/support reconciliation.","handling":"Do not include full secrets or raw payloads in support tickets; provide request_id and sanitized payload shape."},{"category":"Birth Data Payloads","status":"live","retention":"Processed for deterministic chart calculation and model context; persistent storage is limited to endpoint-specific product records when required.","handling":"Use customer ids and only the birth fields needed for the route. Avoid names and unrelated personal profile data."},{"category":"Generated AI Outputs","status":"beta","retention":"Outputs may be retained where needed for async jobs, quality review, support, or partner-visible history.","handling":"AI output must meet the same product contract after retries; fallback-shaped output should be escalated as a quality incident."},{"category":"Billing And Entitlement Records","status":"beta","retention":"Plan state, credit balances, subscription state, and usage counters are retained for billing operations.","handling":"Payment instruments are handled by Clerk/Stripe rather than stored directly in this API surface."},{"category":"Support Evidence","status":"live","retention":"Support packets should include request_id, endpoint, UTC timestamp, key prefix only, and sanitized payload shape.","handling":"Never send raw API keys, bearer tokens, payment details, or complete private payloads in email or chat."},{"category":"Raw Secrets","status":"live","retention":"Raw API keys and provider secrets must not be logged, committed, or returned by public routes.","handling":"Rotate any exposed secret immediately and replace it with a managed environment variable."}],"subprocessors":[{"name":"Vercel","purpose":"Next.js hosting, edge routing, logs, and deployment rollback.","dataScope":"Request metadata, route execution, environment variable names, and runtime logs.","status":"live"},{"name":"Convex","purpose":"API key validation, usage ledger, entitlement state, and billing/event records.","dataScope":"Organization ids, key hashes/prefixes, usage events, billing state, and support metadata.","status":"beta"},{"name":"Clerk","purpose":"Customer console authentication, organizations, billing state, and checkout integration.","dataScope":"Authenticated user/org profile metadata, plan state, and billing webhook events.","status":"beta"},{"name":"Stripe","purpose":"Payment processing through Clerk Billing and Stripe-connected checkout.","dataScope":"Payment and subscription data handled by the billing provider, not by raw API route storage.","status":"beta"},{"name":"OpenAI Or RunPod","purpose":"Model-backed generation for AI Intelligence routes when enabled by production config.","dataScope":"Sanitized prompts, schema instructions, and route-specific context required to produce the requested output.","status":"beta"},{"name":"Render","purpose":"Kerykeion sidecar hosting for deterministic astrology calculation.","dataScope":"Birth data and calculation inputs needed for chart, transit, synastry, compatibility, and lunar computations.","status":"beta"},{"name":"Upstash","purpose":"Distributed rate limit state and abuse protection.","dataScope":"Request counters, endpoint/key identifiers, and rate-limit windows.","status":"beta"},{"name":"Sentry","purpose":"Error monitoring, release visibility, and source-map assisted debugging.","dataScope":"Error events, stack traces, route context, release id, and redacted runtime diagnostics.","status":"beta"}]},"links":{"docs":"/api-docs","openapi":"/api/v1/openapi","status":"/api/v1/status","sla":"/api/v1/sla","incidents":"/api/v1/incidents","security":"/api/v1/security","securityTxt":"/.well-known/security.txt","accessControl":"/api/v1/access-control","observability":"/api/v1/observability","onboarding":"/api/v1/onboarding","versioning":"/api/v1/versioning","migrations":"/api/v1/migrations","examples":"/api/v1/examples","support":"/api/v1/support","sdks":"/api/v1/sdks","conformance":"/api/v1/conformance","dataProcessing":"/api/v1/data-processing","compliance":"/api/v1/compliance"}}