Security

The trust kernel is the architectural answer — every data access scoped, checked, and logged, with no bypass path — but architecture is not the whole posture. This page covers the rest.

Encryption

• ↳TLS 1.3 for everything in transit; HSTS preloaded
• ↳AES-256-GCM at rest for graph, traces, and files
• ↳Per-project data keys, rotated automatically; CMEK on Enterprise
• ↳Secrets in an HSM-backed manager; no plaintext keys at rest anywhere

Tenancy

Project isolation is enforced at three layers: row-level in the metadata store, namespace-level in the vector index, and scope-level in the kernel. There is no cross-tenant index, cache, or embedding space. Sandbox and production are separate stacks, not flags.

Operational security

• ↳Production access via short-lived, peer-approved grants — no standing admin
• ↳All staff access to customer data is logged to the same audit pipeline customers read
• ↳Annual third-party penetration test; summary available under NDA
• ↳Vulnerability disclosure program at security.myndlabs.ai — safe harbor included
• ↳SOC 2 Type II and ISO 27001; reports via the trust center

What we ask of you

• ↳Keep secret keys server-side; use session tokens in clients
• ↳Scope keys per service and rotate quarterly
• ↳Verify webhook signatures with constant-time comparison
• ↳Report anything suspicious to security@myndlabs.ai — we answer fast