mu.ai Security Summary
Last updated: 2026-06-01
Architecture: transit-only
Prompts and attachments are processed in memory to make a friction decision and are then discarded. They are never written to disk, never written to backups, never written to log files. RAM lifetime is the lifetime of the request (typically <1 second; up to 5 minutes if a friction challenge is held open awaiting user reply).
The only data we persist is mastery signal: classifier output (domain + intent), friction decision, pass/fail, reasoning quality score, attachment count + MIME types, token counts, and timestamps.
Authentication & sessions
- Sign-in via Google OAuth 2.0. We never store passwords.
- Sessions are identified by 256-bit random tokens generated server-side (crypto.randomBytes), persisted in the sessions table, and expired after 30 days. Tokens are opaque random values, not JWTs — no client-side payload to forge.
- CLI tooling uses per-user random keys (192 bits, regenerable from the dashboard).
- Operator-only endpoints (backup, seed) require a separate X-Backup-Secret header, validated with constant-time comparison (crypto.timingSafeEqual) to prevent timing attacks.
Encryption
- In transit: TLS 1.2 minimum on all endpoints; TLS 1.3 negotiated by default with modern browsers. Certificates managed by Render via Let's Encrypt with automatic rotation.
- At rest (database): Render-managed encrypted disk in US Oregon — AES-256 via the underlying cloud provider's full-disk encryption.
- At rest (backups): Cloudflare R2 server-side encryption (AES-256), enabled by default for all objects. Retention is bounded at 30 days — each backup run deletes any backups already past that age, so any given backup is removed at the next run after it expires.
- Application-layer encryption: we do not field-encrypt rows in the database because the database does not contain prompt, response, or attachment content (transit-only architecture). The only data at rest is mastery signal (domain, pass/fail, timestamps), protected by the disk and backup encryption above.
- Logging: log lines never contain prompt content. Where a stable identifier is needed for deduplication, the prompt is hashed with SHA-256 and only the hash appears in logs.
Access controls
- All authenticated endpoints require a valid session token.
- Team admins see only k=5-floored cohort aggregates, never individual mastery scores or interactions.
- Operator endpoints (backup, seed) require a separate X-Backup-Secret header.
- Rate limiting on auth (10 req/min) and on the /intercept and /api/ surfaces (30 and 120 req/min respectively).
Third-party processors
- Anthropic (LLM processing). Prompts are forwarded for classification + challenge generation. Under Anthropic's commercial terms, prompts are not used for model training and are retained up to 30 days for abuse monitoring before deletion. Customers requiring stricter terms can request that mu.ai pursue Anthropic's enterprise zero-retention addendum.
- Google AI (Gemini) (image classification). Standard commercial AI terms; no training, standard retention.
- Google OAuth (authentication only: email + display name).
- Resend (team-invite transactional email; no prompt or mastery data sent).
- Render (hosting, US Oregon).
- Cloudflare R2 (encrypted backups).
Data subject rights
- Account deletion: DELETE /api/account
- Data export (JSON): GET /api/account/export
- Both processed within 24 hours.
Compliance posture
- mu.ai's compliance class is developer productivity tooling — same posture as GitHub Copilot, Cursor, or Claude Code direct. Customer AUPs that prohibit PHI in external AI tools (standard at HIPAA-regulated organizations) keep PHI out of scope by design.
- Transit-only architecture is defense in depth on top of customer AUP controls: even an inadvertent prompt containing PHI is processed in memory and discarded, never persisted in our infrastructure.
- If your organization requires a BAA: mu.ai will execute one with you, and Anthropic will operate as our HIPAA subcontractor under a signed BAA between Anthropic and mu.ai. Available on request.
- Schools (FERPA / COPPA): mu.ai operates as a school official under FERPA's school official exception (34 CFR § 99.31(a)(1)(i)(B)) when deployed for educational use. Transit-only architecture keeps student work (prompts and written responses) out of persistent storage entirely. Aggregate-only admin views (k=5 floor) mean teachers and administrators cannot view individual student performance. For students under 13, mu.ai operates under FTC COPPA school-consent guidance. State-specific data privacy addenda (e.g., NY Education Law 2-d, California SOPIPA / AB 1584) available on request.
- DPA available on request — email privacy@mu-ai.app.
- SOC 2 audit planned post-Series-A. Until then, we operate under the security practices summarized above.
Contact
For security questionnaires, pilot scoping, or DPA requests: privacy@mu-ai.app.