Safety & Security

Our Commitment to Responsible AI

Security at Mpalo is not a compliance layer added after the fact. It is built into how the infrastructure works. This page describes what is actually in place today and what we are working toward.

What Is In Place Today

Data Encryption

All data is encrypted in transit via TLS and at rest via AES-256. Encryption keys are managed with strict access controls. This applies to all memory data, metadata, and credentials across Mpalo-managed infrastructure.

Access Controls

We enforce least-privilege access internally. Production systems require multi-factor authentication for all internal access. User accounts support MFA and standard authentication controls.

Infrastructure

Mpalo's infrastructure runs on Cloudflare. DDoS mitigation, network-level security, and traffic inspection are handled at the infrastructure layer. We do not claim these as proprietary Mpalo-designed systems; they are the foundation we build on.

Secure Development

Security is part of our code review process. We conduct vulnerability management as a standard practice. We do not currently run formal SAST/DAST tooling; we will say explicitly when we do.

Incident Response

We maintain an incident response plan. In the event of a confirmed data breach involving personal data, we will notify affected users and relevant authorities in accordance with applicable legal obligations.

User Control

You own your data. The Mind Platform provides tools to view, manage, export, and permanently delete your memories. Deletion removes data from active systems and subsequently from backups in line with our retention policies.

What We Are Working Toward

These are genuine intentions with honest timelines where we have them.

SOC 2

We are not currently SOC 2 certified. We are implementing controls toward certification and will pursue a Type I audit as the product matures. We will state explicitly when that certification exists.

HIPAA

Our standard services are not designed for Protected Health Information by default. We are considering HIPAA-compliant configurations for specific enterprise use cases. Nothing is available yet. Contact us if this is relevant to your deployment.

GDPR

Our architecture is designed with GDPR compliance in mind: data subject rights, deletion capability, data minimisation, and user-scoped storage isolation are structural properties of how Mpalo works. We are not independently audited or certified. We will say explicitly when we are.

Enterprise Security Features

Anomaly detection, DLP capabilities, and enhanced audit logs for enterprise deployments are on our roadmap. They do not exist yet. We will not describe them as available until they are.

Responsible Disclosure

If you believe you have found a security vulnerability in any Mpalo service, report it to security@mpalo.com. We investigate all legitimate reports and will address confirmed vulnerabilities in a timely manner. Please follow responsible disclosure guidelines and do not publicly disclose a vulnerability until we have had reasonable opportunity to remediate it.

For data handling details, see our Trust & Ethics page and Privacy Policy.