Your data is protected by industry-leading security practices. We implement comprehensive technical and organizational measures to keep your strategic information safe.
Last updated: April 16, 2026
We are committed to protecting your proprietary information. Your workspace content is never used to train, fine-tune, or improve AI models.
See our Privacy Policy for complete details on data handling.
We implement multiple layers of encryption and security controls to protect your data at every stage.
All data stored in our databases is encrypted using AES-256, the same encryption standard used by governments and financial institutions.
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, preventing interception.
Daily automated backups are kept with 30-day retention, and point-in-time recovery (PITR) is enabled for disaster recovery.
Database-level and application-level controls ensure one team cannot access another team's data.
When our agents work on your code, your repository is protected by multiple layers of isolation. No other customer can access your files, credentials, or execution environment.
Each agent execution runs in a dedicated, isolated cloud container with only your team's credentials. The container is destroyed when the task completes. No shared filesystem, memory, or networking between customers.
GitHub App installation tokens are generated on-demand with 1-hour expiry and are never stored in our database. Each token grants access only to repositories you have explicitly authorized.
Code Intelligence builds a semantic map of your codebase without storing full source files. All indexed data is scoped to your team with unique database constraints preventing cross-team access.
Your Momental API key is permanently bound to your team at creation. Even if a container were compromised, it cannot query another team's data. Database-level row security enforces this as a backstop.
Enterprise-grade identity management with flexible authentication options.
Sign in with your Google or Microsoft work account. Seamless authentication for your entire team.
MFA is available through your identity provider (Google, Microsoft). Enable MFA in your identity provider to add an extra layer of protection.
Role-based access control with admin enforcement for team management and sensitive operations.
Enterprise controls for AI-powered features with strict data protection.
Your data is never used to train AI models. Our AI providers automatically delete API inputs and outputs within 30 days of processing.
All AI models are vetted for short data retention windows, DPA availability, and contractual guarantees against training on customer data. Models are accessed via API only — we never fine-tune on your data.
All AI outputs are validated to prevent prompt injection, data exfiltration, and unsafe content. Flagged responses are automatically redacted before reaching users.
Per-team admin controls for which AI features are enabled. Chat, document processing, voice, and conflict detection can be independently toggled per team and plan tier.
Comprehensive logging and compliance features for enterprise governance requirements.
We log all sensitive operations including login, data access, configuration changes, and administrative actions with full context.
Audit logs are stored with immutability guarantees, ensuring they cannot be tampered with.
Export your organization's audit logs for compliance reporting, SIEM integration, or forensic analysis.
Full support for Article 17 (Right to Erasure) and Article 20 (Data Portability) with automated data export and deletion endpoints.
Built on enterprise-grade cloud infrastructure with high availability.
Hosted on enterprise-grade cloud infrastructure in the United States with SOC 2 and ISO 27001 certified data centers.
Enterprise WAF with managed rulesets, DDoS protection, TLS termination, browser integrity checks, and bot mitigation.
Cross-instance rate limiting prevents abuse and ensures fair usage across all customers.
We target 99.5% monthly availability with 48-hour advance notice for scheduled maintenance.
All traffic is encrypted with TLS 1.2+ and inspected by Cloudflare WAF before reaching our servers. All data is stored and processed in the United States.
For detailed architecture diagrams, request our Security Architecture Whitepaper.
We use a minimal set of trusted third-party services. Customers are notified of changes at least 30 days in advance.
Dedicated resources and personalized service for enterprise customers.
Named customer success manager and direct access to our security engineering team for enterprise accounts.
Custom implementation plan designed for your organization, including integration support and admin training.
Priority response for critical issues with direct Slack or email access to our team.
Periodic security reviews and compliance assistance to keep your deployment secure.
No. Your workspace content is never used to train, fine-tune, or improve AI models. Our AI providers automatically delete API inputs and outputs within 30 days of processing and do not use your data for training.
No. Your code is never accessible to other customers. Our agents run in ephemeral, single-tenant containers that receive only your team's credentials and are destroyed after each task. Your source code is never persisted in our database. Code Intelligence indexes a semantic map of your codebase scoped exclusively to your team, not full source files. Database-level security policies and application-level team filtering enforce isolation at every layer.
All data is stored in the United States. For EU customers, we provide Standard Contractual Clauses (SCCs) for compliant international data transfers.
We have a documented incident response plan. In the event of a breach affecting your data, we will notify you within 72 hours as required by GDPR, and within applicable timeframes for other jurisdictions (e.g., California).
Yes. You can export all your data at any time through our API or by contacting support. You can also request complete deletion of your account and all associated data, which will be processed within 30 days.
Yes. Our Data Processing Agreement incorporates EU Standard Contractual Clauses and is effective upon acceptance of the Terms of Service. No separate signature is required. Contact [email protected] to request a countersigned copy.
We are currently GDPR compliant with full data export and deletion support. SOC 2 Type II and ISO 27001 certifications are planned. Our infrastructure providers (Google Cloud Platform, Cloudflare) are SOC 2 and ISO 27001 certified.
Third-party penetration testing is planned for 2026. We currently use automated security scanning including dependency vulnerability scanning and static analysis. We have a responsible disclosure program for security researchers.
Our security team is available to answer questions and provide additional documentation for enterprise security reviews.
Email: [email protected]
Enterprise Security Package:
Contact [email protected] to request these documents.
Security Researchers:
We welcome responsible disclosure. Report vulnerabilities to [email protected]. Safe harbor provided for good-faith research.