Trust · Security · Compliance

No theater.
Just the truth about where we stand.

Most vendors dress up "coming soon" as "compliant." We don't. Here's exactly what's live today, what's in flight, and what we won't promise until it's real.

Status key: Live today · In flight (this quarter) · On the roadmap

Encryption in transit & at rest

TLS 1.3 on every edge. AES-256 at rest on Supabase (Postgres) and object storage. Keys rotate on a 90-day cycle and are never logged.

Status · Live

Tenant isolation

Every workspace is row-level isolated in Postgres (RLS policies). No shared tables across customers. API keys and OAuth tokens are per-workspace, encrypted with AES-256-GCM in a secrets vault.

Status · Live

SSO / OAuth

Sign in with Google, Microsoft, or GitHub. SAML SSO (Okta, Azure AD, Google Workspace) is included on Growth and higher — no upcharge.

Status · Live · SAML on Growth+

Audit log

Every action — who did what, when, from where — is logged immutably and exportable as CSV or via webhook. 90-day retention on every plan. 7-year retention on Enterprise.

Status · Live

Data export & portability

One click exports everything: your workflows (JSON), your build configs, your pipeline data (CSV + Parquet), your connected CRM snapshots. No lock-in. You can walk any day.

Status · Live · No API fees on export

Spend caps & kill switches

Hard spend caps per workspace, per user, per workflow. Anomaly alerts fire on 3× baseline. Global kill switch halts every outbound action from the admin panel. No surprise bills.

Status · Live · See pricing

SOC 2 Type II

Type I report complete with Vanta. Type II observation window is in progress — report expected Q3 2026. Under NDA we'll share the current auditor's interim letter and the full Vanta control list.

Status · Type I done · Type II in audit

HIPAA + BAA

Infrastructure is HIPAA-aligned (encryption, access controls, audit logs, tenant isolation). BAA available on Enterprise once Type II lands. Medical, dental, med-spa, vet — email us if you need it sooner and we'll work with you.

Status · BAA on Enterprise · Q3 2026

99.9% uptime SLA

We target three nines on Growth and higher. Our 90-day rolling availability has been 99.94% since launch. Contractual SLA with credits is on the Enterprise plan.

Status · Live metric · Contract SLA on Enterprise

PCI DSS (SAQ-A)

We don't touch card data. Payments route through Stripe (PCI Level 1). If your workflow accepts cards, they go direct to Stripe — never through our systems. Formal SAQ-A attestation Q4 2026.

Status · Stripe-delegated · SAQ-A Q4

GDPR / CCPA

DPA available now. Subprocessor list is public (below). Right-to-delete is one-click in your workspace settings. Formal GDPR data residency (EU-only processing) is Q4 2026.

Status · DPA live · EU residency Q4

Pen test + bug bounty

Annual third-party pen test (NCC Group) scheduled Q3 2026. Public bug bounty on HackerOne opens alongside. Meanwhile, security@mainframe.ai gets a response within 24 hours.

Status · Q3 2026

What we commit to, in writing

Plain English. No weasel words.
Your data

Yours. We don't train models on your data. We don't resell it. We don't use it for anything except running the workflows you built.

Deletion

30 days, max. Hit delete — we purge from primary storage immediately, backups inside 30 days. You get a signed deletion certificate.

Breach notice

72 hours. If we're breached and your data is implicated, you'll hear from us within 72 hours with scope, cause, and remediation — no legal review delays.

Subprocessors

Public list. Supabase (DB), Cloudflare (edge), 25+ AI model providers MeterCall routes to (GPT, Gemini, Claude, Mistral, Llama, DeepSeek, xAI, Cohere, etc.), Twilio (SMS), SendGrid (email), Stripe (payments). 30-day advance notice on any change.

Price

Grandfathered. If we raise prices, your current usage rates stay locked for 12 months. You'll never get a surprise invoice.

Exit

No fees, no friction. Export everything in open formats. If we shut down, 90-day notice and full self-host bundle released under MIT.

What we won't promise until it's real

We won't put "SOC 2 Compliant" on a webpage before the Type II report is in our hands. We won't sign a BAA without the underlying controls attested. We won't claim "FedRAMP" or "HITRUST" — we're not there.

If that disqualifies us for your procurement today, we respect it. Check back in Q3 2026, or start on a non-regulated workflow now and flip on compliance features when they land.

If you need something specific — a BAA, EU residency, a custom DPA, an on-prem option — email trust@mainframe.ai. We read every one.

Need the full security package?

Current Vanta control list, pen test letter, subprocessor DPAs, SSO setup — we'll send it all under NDA.

Email trust@mainframe.ai