What we already answered, so your VRM team does not have to ask.
Last updated: 2026-05-05
RFP responses
Fortune 100 procurement teams send Vendor Risk Management questionnaires with 50 to 200 questions, often using CAIQ, SIG Lite, or company-specific templates. The most common questions are pre-answered below, organized by category. If your questionnaire asks something this page does not cover, write to contact@myceliumai.co with the questionnaire and we will fill in the missing rows under NDA.
Application + interface security
- Does the application use TLS 1.2 or higher for all data in transit?
- Yes. TLS 1.3 is the default. TLS 1.2 is the minimum supported version. Older protocols are explicitly disabled at the load-balancer layer.
- Are all customer credentials transmitted and stored using salted hashes?
- Yes. Authentication is delegated to Supabase Auth, which uses industry-standard salted argon2id hashing. Mycelium never stores plaintext credentials.
- Is multi-factor authentication available for customer admin accounts?
- Yes. MFA is available and recommended; SSO via SAML or OIDC is available on the Mycelium Enterprise tier.
- Are session tokens scoped per tenant?
- Yes. Every session token carries a tenant claim validated on every authenticated request. Cross-tenant token reuse is rejected at the JWT validation layer before the handler runs.
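The tenant-claim check described above, shown as an added illustration rather than Mycelium's own code: a minimal HS256 JWT validator that pins the algorithm, verifies the signature, checks expiry, and rejects a token whose tenant claim does not match the tenant named in the request, all before any handler runs. The signing secret, tenant IDs, and claim names are constructed assumptions.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret"  # constructed; a real runtime pulls this from a KMS


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tenant_id: str, sub: str, ttl: int = 3600, now=None) -> str:
    """Issue an HS256 JWT carrying a 'tenant' claim (constructed claim name)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = {"sub": sub, "tenant": tenant_id, "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(body).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class Rejected(Exception):
    """Raised at the validation layer; the request never reaches a handler."""


def validate(token: str, requested_tenant: str, now=None) -> dict:
    """Return the claims only if the token is valid for requested_tenant."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise Rejected("malformed token")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise Rejected("unexpected alg")  # never trust the alg the token names
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise Rejected("bad signature")  # a tampered tenant claim fails here
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        raise Rejected("expired")
    if claims.get("tenant") != requested_tenant:
        raise Rejected("tenant mismatch")  # cross-tenant reuse stops here
    return claims


def handle_request(token: str, path_tenant: str, now=None) -> str:
    """Simulated request pipeline: validation runs before the handler body."""
    try:
        claims = validate(token, path_tenant, now)
    except Rejected as e:
        return f"403 {e}"
    return f"200 handler ran for {claims['sub']}"
```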
Data security + encryption
- Is customer data encrypted at rest?
- Yes. Postgres-managed at-rest encryption with AES-256. Mycelium Enterprise customers can supply their own KMS key (BYOK) for per-tenant key isolation.
- Is encryption-in-transit enforced for all customer data?
- Yes. TLS 1.3 minimum at the public boundary; mTLS at the inter-service boundary inside the runtime.
- Where is customer data stored?
- Mycelium Lite: multi-tenant managed runtime, US primary region. Mycelium Enterprise: customer-selectable region (US, EU, AP) for managed runtime, or fully customer-owned cloud for single-tenant + on-premise deployments.
- Can customer data be exported on demand?
- Yes. Tenant data exports as plain-text Markdown in a signed gzipped archive. Audit logs export as gzipped JSONL signed with the tenant key. Both are available on demand at no additional charge.
- What happens to customer data after contract termination?
- Customer-owned plain-text data is the customer's, full stop. Runtime metadata (audit logs, access tokens) is retained for the contractually agreed retention period (default 30 days post-termination, longer windows available for regulated industries) and then permanently deleted with deletion certification on request.
Identity + access management
- Does the system support role-based access control?
- Yes. RBAC at the tenant level, with per-role memory-record scoping for Mycelium Enterprise tier customers.
- Does the system support SAML or OIDC SSO?
- Yes, on the Mycelium Enterprise tier. Mycelium Lite supports email + magic-link authentication and Google OAuth; SAML/OIDC SSO is Enterprise-only.
- How are admin actions logged?
- Every admin action lands in the append-only tenant audit log with timestamp, actor identity, source IP, and action payload. The log is exportable on demand.
Incident response + business continuity
- What is the mean time to detect an incident?
- PostHog, Vercel, and Sentry alerts provide real-time detection. Internal target: alert within five minutes of incident; first response within one business hour.
- What is the customer notification timeline for a confirmed security incident?
- Customer notification within 24 hours of incident confirmation. The notification names the customer-impacted scope, the actions taken, and the remediation timeline.
- Is there a published business continuity plan?
- Yes, summarized in the Trust Center under audit cadence. Backup restore drills run quarterly. Tabletop incident-response exercises run semi-annually. Full BCP available on request under NDA.
- What is the postmortem cadence?
- Postmortem published to /trust/postmortems within 14 days of incident closure. Postmortem covers root cause, fix, and the monitoring change made afterwards.
Compliance + audit
- Is the company SOC 2 Type II certified?
- SOC 2 Type II engagement starts Q2 2026 with a tier-1 auditor. The Type II report requires a six-month observation window; report ETA Q4 2026. Trust Center carries the dated timeline.
- Is the company HIPAA-compliant?
- BAA-ready package available today on the Mycelium Enterprise tier; risk assessment and technical safeguards documentation are signed and available. BAAs are negotiable on the Enterprise tier and not in scope on Mycelium Lite.
- Is the company GDPR-compliant?
- Yes, the runtime is built to be processor-grade with the controls in our DPA. DPA is public at /dpa. DPIA template is available at /dpia for prospects to attach to their internal review.
- Does the company commit to an annual penetration test?
- Yes. Engagement with a tier-1 firm (Bishop Fox, NCC Group, or Trail of Bits) starts Q2 2026. Annual report under NDA from Q3 2026 onwards. Reports available on request to F100 prospects.
Sub-processors + supply chain
- Does the company maintain a public subprocessor list?
- Yes, at /subprocessors. Customer notification on additions: 30 days advance notice with the right to object.
- Is third-party software risk-assessed?
- Dependencies are audited weekly via Dependabot. Major version bumps are reviewed in a PR before merge. SBOM available on request for Mycelium Enterprise tier customers.
Architecture + AI-specific risk
- Does the system pass customer data into a third-party LLM?
- Yes, scoped to the customer's selected model. Default is Claude (Anthropic) under our DPA-covered processor relationship. Customer-selected alternatives (OpenAI, Google, OpenRouter) are covered by that vendor's DPA, not Mycelium's. Per-tenant opt-out available.
- Does customer data train any third-party model?
- No. Customer data is never used to train third-party foundation models. Model-vendor agreements specifically prohibit training on customer messages.
- How do you handle prompt injection risks at the memory-layer level?
- Memory-record updates are gated by a per-request allowlist of record IDs derived from the original user intent. Cross-tenant memory access requires explicit cross-tenant consent. Memory writes from agent-controlled prompts are sandboxed per customer policy.
Customer obligations
- What are the customer's responsibilities under the shared-responsibility model?
- Customer is responsible for: protecting their own admin credentials, configuring their tenant's connector permissions, classifying data they ingest into the memory layer, and complying with the laws of their jurisdiction. Mycelium is responsible for the substrate, the runtime security posture, the audit log integrity, and the vendor side of every commitment in this RFP.
Have a question this page does not cover?
Send the questionnaire to contact@myceliumai.co and we will fill in the missing rows under NDA. The fastest path through procurement is the page you are reading plus a one-page coversheet your VRM team writes against this page.
Mycelium · founded 2026