Security and trust
m8tes runs autonomous teammates against your real business data. Here is exactly how we protect it, who we rely on, and what we are building next.
SOC 2 Type II — in progress
We are completing a SOC 2 Type II examination. To request our current security posture, a security questionnaire, subprocessor details, or a Data Processing Agreement, email privacy@m8tes.ai.
How we protect your data
Encryption
Encrypted in transit and at rest
All traffic is served over TLS 1.2+ with HSTS. Integration credentials and OAuth tokens are encrypted at rest using authenticated symmetric encryption (Fernet — AES-128-CBC with HMAC-SHA256).
Isolation
Every run is sandboxed
Each agent run executes in its own isolated, ephemeral cloud sandbox. Tool subprocesses run with a cleaned environment, so your credentials never reach the processes that read your data.
Secrets
Credentials never leak
Secrets reach a sandbox through the provider's authenticated API, never via command-line arguments or the process list. Logs and error reports are redacted so tokens and passwords are never recorded.
Access
Strong authentication
Sessions use signed tokens with instant revocation, single-use password resets, and rate-limited auth endpoints. Sign in with email or Google OAuth 2.0.
Network
Outbound request protection
Webhook and bridge destinations are validated and IP-pinned to block SSRF and DNS-rebinding attacks. Connections to private or internal addresses are rejected.
Monitoring
Continuous integrity checks
Automated health checks and dozens of data-consistency invariants run continuously, with error monitoring and alerting. Dependencies and secrets are scanned on every change in CI.
Your data
We never train on your data
Your content, customer data, and outputs are never used to train AI models — by us or our subprocessors. You can request a copy of your data or its deletion at any time.
Infrastructure
Certified providers
Core infrastructure runs on providers that maintain their own independent certifications, including DigitalOcean (SOC 2), Anthropic (SOC 2), and Stripe (PCI DSS).
Subprocessors
The third parties that may process your data to provide the service. Optional channels only apply if you enable them.
| Subprocessor | Purpose | Data processed | Location |
|---|---|---|---|
| Anthropic | LLM inference (Claude) | Task instructions, messages, and context you send to a teammate | United States |
| Daytona | Sandbox compute for agent runs | Run code, uploaded files, and tool input/output during execution | United States |
| DigitalOcean | Cloud hosting and database | All platform data stored at rest | United States |
| Stripe | Payments and billing | Billing contact and tokenized payment method (we never store card numbers) | United States |
| Resend | Transactional email delivery | Recipient email address and notification content | United States |
| Composio | Third-party integration brokerage | Connection metadata and OAuth tokens for apps you connect | United States |
| OpenAI | Teammate setup assistance | Task descriptions used to draft a teammate's instructions | United States |
| PostHog | Product analytics (consent-gated) | Usage events and page views, only after you accept analytics cookies | United States |
| Sentry | Error monitoring | Error traces and request metadata (redacted of secrets) | United States |
| OAuth sign-in and connected APIs | Account identifiers and the data you authorize (e.g. Google Ads) | United States | |
| Twilio | SMS and phone numbers (optional) | Phone number and message content, only if you enable SMS | United States |
| BlueBubbles | iMessage bridge (optional, self-hosted) | iMessage content routed through a bridge you host and control | Self-hosted by you |
What's next
Security features actively on our roadmap. Ask us about timelines if any are a requirement for your team.
- SSO / SAML and SCIM provisioning
- Multi-factor authentication (MFA)
- Self-serve data export and account deletion
- Customer-facing audit-log export
Report a vulnerability
Found a security issue? Please do not open a public issue. Email support@m8tes.ai with details and steps to reproduce. We acknowledge reports within 48 hours. For data, privacy, or DPA requests, contact privacy@m8tes.ai. See our Privacy Policy and Terms for full details.