Customer data and AI training.
Customer workspace content is not used to train, fine-tune, or improve any AI model. Inputs and outputs sent to AI providers are deleted within 30 days per provider contract. Customer data is not shared between tenants.
Data encryption and recovery.
Encryption and security controls applied at storage, transit, and recovery.
AES-256 encryption at rest
All data stored in our databases is encrypted using AES-256 — the same standard used by governments and financial institutions.
TLS 1.2+ encryption in transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher, preventing interception.
Automated daily backups
Daily automated backups with 30-day retention and point-in-time recovery (PITR) enabled for disaster recovery.
Database-level tenant isolation
Database-level and application-level controls ensure one team cannot access another team's data.
Code and repository isolation.
Customer repositories are processed in isolated execution environments. Files, credentials, and runtime state are not shared between customers.
Ephemeral, single-tenant containers
Each agent execution runs in a dedicated isolated cloud container with only your team's credentials. The container is destroyed when the task completes.
Per-team GitHub credentials
GitHub App installation tokens are generated on-demand with 1-hour expiry and are never stored in our database.
Team-scoped code intelligence
Code Intelligence builds a semantic map of your codebase without storing full source files. All indexed data is scoped to your team.
Immutable API key binding
Your Momental API key is permanently bound to your team at creation. Database-level row security enforces this as a backstop.
Authentication and access control.
Identity provider integration, multi-factor authentication, and role-based access controls.
Enterprise SSO
Sign in with your Google or Microsoft work account. Seamless authentication for your entire team.
Multi-factor authentication
MFA available through your identity provider (Google, Microsoft). Enable MFA in your IDP to add an extra layer of protection.
Role-based access control
Role-based access control with admin enforcement for team management and sensitive operations.
AI controls and governance.
Controls applied to AI-powered features and model interactions.
Zero training policy
Your data is never used to train AI models. Our AI providers automatically delete API inputs and outputs within 30 days of processing.
Model selection & vetting
All AI models are vetted for short data retention windows, DPA availability, and contractual guarantees against training on customer data.
AI output validation
All AI outputs are validated to prevent prompt injection, data exfiltration, and unsafe content. Flagged responses are redacted before reaching users.
Granular AI controls
Per-team admin controls for which AI features are enabled. Chat, document processing, voice, and conflict detection toggle independently.
Audit logging and compliance.
Audit logging for sensitive operations and compliance program details.
Comprehensive audit logging
We log all sensitive operations including login, data access, configuration changes, and administrative actions with full context.
GDPR compliant
Full compliance with GDPR including data subject rights — access, deletion, export, and portability — and a documented DPA published at momentalos.com/dpa with EU SCCs Module 2 and UK IDTA for international transfers.
Delete anytime
Workspace owners can fully delete their team and all associated data at any time. Hard-delete propagates to backups within 30 days.
SOC 2 Type II in progress
We're actively pursuing SOC 2 Type II certification. Our internal controls already align with the Trust Services Criteria.
Third-party sub-processors.
The third parties Momental engages to deliver the Services. Each is contractually bound to data protection obligations at least as protective as our DPA. Momental remains liable to Customer for the acts and omissions of its Sub-processors.
| Sub-processor | Service | Data Categories | Location | Compliance |
|---|---|---|---|---|
| Anthropic, PBC | Claude AI models (chat, reasoning, coding) | Inputs and Outputs (transient, deleted within 30 days; never used for model training) | United States | SOC 2 Type II |
| Google LLC — Vertex AI & Google Cloud | Gemini models, embeddings, compute, Cloud SQL, Cloud Tasks, Cloud Storage, BigQuery | Inputs, Outputs, embeddings, hosted Customer Content, audit logs | United States | SOC 2 Type II, ISO 27001/27017/27018 |
| OpenAI, OpCo, LLC | OpenAI models where configured for specific features | Inputs and Outputs (transient; not used for model training per API terms) | United States | SOC 2 Type II |
| X.AI Corp (Grok) | Grok reasoning models for select agent kernels | Inputs and Outputs (transient; not used for training under enterprise terms) | United States | Vendor security controls |
| Google LLC — Firebase | Authentication (Firebase Auth) and real-time data where used | Identifiers, authentication tokens | United States | SOC 2 Type II, ISO 27001 |
| Stripe, Inc. | Payment processing and subscription billing | Billing contact, tokenized payment instruments (Momental never stores card numbers) | United States | PCI DSS Level 1 |
| Cloudflare, Inc. | DNS, CDN, edge network, DDoS protection | Network metadata (IP addresses, request headers) | Global edge; origin US | SOC 2 Type II, ISO 27001 |
| LiveKit, Inc. | Real-time voice/audio for voice-interview features | Voice audio streams (transient; transcripts stored in Customer workspace) | United States | SOC 2 Type II |
Momental will provide at least 30 days' prior written notice to workspace administrators before engaging a new Sub-processor. If Customer objects within 30 days, Momental will work to find an alternative; failing that, Customer may terminate the affected Services with a pro-rata refund of prepaid fees. International transfers from the EEA/UK rely on EU Standard Contractual Clauses Module 2 and the UK IDTA, as described in the DPA.
Security contact.
For DPAs, security questionnaires, vulnerability reports, or architecture reviews, contact [email protected].