Customer data and AI training.
Customer workspace content is not used to train, fine-tune, or improve any AI model. Inputs and outputs sent to AI providers are deleted within 30 days per provider contract. Customer data is not shared between tenants.
Data encryption and recovery.
Encryption and security controls applied at storage, transit, and recovery.
AES-256 encryption at rest
All data stored in our databases is encrypted using AES-256 — the same standard used by governments and financial institutions.
TLS 1.2+ encryption in transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, preventing interception.
Automated daily backups
Daily automated backups with 30-day retention and point-in-time recovery (PITR) enabled for disaster recovery.
Database-level tenant isolation
Database-level and application-level controls ensure one team cannot access another team's data.
Code and repository isolation.
Customer repositories are processed in isolated execution environments. Files, credentials, and runtime state are not shared between customers.
Ephemeral, single-tenant containers
Each agent execution runs in a dedicated isolated cloud container with only your team's credentials. The container is destroyed when the task completes.
Per-team GitHub credentials
GitHub App installation tokens are generated on-demand with 1-hour expiry and are never stored in our database.
Team-scoped code intelligence
Code Intelligence builds a semantic map of your codebase without storing full source files. All indexed data is scoped to your team.
Immutable API key binding
Your Momental API key is permanently bound to your team at creation. Database-level row security enforces this as a backstop.
Authentication and access control.
Identity provider integration, multi-factor authentication, and role-based access controls.
Enterprise SSO
Sign in with your Google or Microsoft work account. Seamless authentication for your entire team.
Multi-factor authentication
MFA available through your identity provider (Google, Microsoft). Enable MFA in your IDP to add an extra layer of protection.
Role-based access control
Role-based access control with admin enforcement for team management and sensitive operations.
AI controls and governance.
Controls applied to AI-powered features and model interactions.
Zero training policy
Your data is never used to train AI models. Our AI providers automatically delete API inputs and outputs within 30 days of processing.
Model selection & vetting
All AI models are vetted for short data retention windows, DPA availability, and contractual guarantees against training on customer data.
AI output validation
All AI outputs are validated to prevent prompt injection, data exfiltration, and unsafe content. Flagged responses are redacted before reaching users.
Granular AI controls
Per-team admin controls for which AI features are enabled. Chat, document processing, voice, and conflict detection toggle independently.
Audit logging and compliance.
Audit logging for sensitive operations and compliance program details.
Comprehensive audit logging
We log all sensitive operations including login, data access, configuration changes, and administrative actions with full context.
GDPR compliant
Full compliance with GDPR including data subject rights — access, deletion, export, and portability — and a documented DPA available on request.
Delete anytime
Workspace owners can fully delete their team and all associated data at any time. Hard-delete propagates to backups within 30 days.
SOC 2 Type II in progress
We're actively pursuing SOC 2 Type II certification. Our internal controls already align with the Trust Services Criteria.
Security contact.
For DPAs, security questionnaires, vulnerability reports, or architecture reviews, contact security@momentalos.com.