Security and compliance you can verify
Transparency is a feature. Here's exactly how we protect your data, which frameworks we support, and who processes your information.
Compliance Roadmap
Current compliance status and roadmap

| Framework | Issuing body / scope | Status |
|---|---|---|
| SOC 2 Type II | AICPA | Planned |
| GDPR | EU Data Protection | Designed For |
| HIPAA | HHS | Designed For |
| PCI-DSS | PCI Security Standards Council | Via Stripe (SAQ-A) |

Frameworks We Design For
Muin is designed to help you meet these regulatory requirements
| Framework | Full name | Status |
|---|---|---|
| SOC 2 | Trust Services Criteria | Designed For (certification planned) |
| GDPR | General Data Protection Regulation | Designed For |
| ISO 27001 | Information Security Management System | Designed For (not yet certified) |
| HIPAA | Health Insurance Portability and Accountability Act | Designed For (no BAAs currently offered) |
| PCI-DSS | Payment Card Industry Data Security Standard | Via Stripe (SAQ-A) |
| NIST CSF | Cybersecurity Framework | Designed For (risk-based approach) |

"Designed For" means Muin's architecture follows the framework's technical requirements; it is not a third-party audit or certification. We do not currently offer Business Associate Agreements (BAAs) for HIPAA, so Muin cannot yet be used to process protected health information on behalf of a covered entity. SOC 2 Type II certification is planned. Contact us for details on specific compliance requirements.
Security Practices
How we protect your data at every layer
Encryption
AES-256 encryption at rest, TLS 1.3 in transit. All data encrypted before storage.
Access Control
Role-based access control (RBAC) with multi-tenant isolation. Users only see their organization's data.
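The line above names two controls that have to work together: a role check decides what an action a user may perform, and a tenant filter decides which rows that action may touch. The following is an added example, not Muin's code, showing the pattern in a data access layer. The invoice table, role names and the rule that every table carries an `org_id` column are assumptions; the point is that the organization id comes from the authenticated session and is part of every query, so a user who guesses another tenant's record id gets "not found" rather than the row.

```python
# Added example (not Muin's code): tenant isolation enforced in the data
# access layer, the pattern behind "users only see their organization's data".
# Assumptions: every table carries an org_id column and the authenticated
# session supplies the caller's org_id; the invoice schema and role names
# are illustrative only.
import sqlite3
from dataclasses import dataclass

# Role -> permissions. Roles are granted per organization; none spans tenants.
ROLE_PERMISSIONS = {
    "viewer": {"invoice:read"},
    "member": {"invoice:read", "invoice:write"},
    "admin": {"invoice:read", "invoice:write", "member:manage"},
}


@dataclass(frozen=True)
class Principal:
    """Identity established by the auth layer. org_id is taken from the
    session, never from a request body, path or query string."""
    user_id: str
    org_id: str
    role: str


class Forbidden(Exception):
    pass


def has_permission(principal: Principal, permission: str) -> bool:
    return permission in ROLE_PERMISSIONS.get(principal.role, set())


def require(principal: Principal, permission: str) -> None:
    if not has_permission(principal, permission):
        raise Forbidden(f"{principal.user_id} lacks {permission}")


def open_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices ("
        "id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, amount_cents INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO invoices (org_id, amount_cents) VALUES (?, ?)",
        [("org_a", 1000), ("org_a", 2500), ("org_b", 999)],
    )
    conn.commit()
    return conn


def _row_to_dict(row):
    return None if row is None else {"id": row[0], "org_id": row[1], "amount_cents": row[2]}


def get_invoice_unscoped(conn, principal, invoice_id):
    """Anti-pattern: the role check passes, but the query is not scoped to the
    tenant, so any authenticated user can read any organization's row by
    guessing its id (an insecure direct object reference)."""
    require(principal, "invoice:read")
    row = conn.execute(
        "SELECT id, org_id, amount_cents FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()
    return _row_to_dict(row)


def get_invoice(conn, principal, invoice_id):
    """Hardened: the tenant filter is part of the query itself. A row that
    exists but belongs to another org is indistinguishable from a missing row."""
    require(principal, "invoice:read")
    row = conn.execute(
        "SELECT id, org_id, amount_cents FROM invoices WHERE id = ? AND org_id = ?",
        (invoice_id, principal.org_id),
    ).fetchone()
    return _row_to_dict(row)


def list_invoices(conn, principal):
    require(principal, "invoice:read")
    rows = conn.execute(
        "SELECT id, amount_cents FROM invoices WHERE org_id = ? ORDER BY id",
        (principal.org_id,),
    ).fetchall()
    return [{"id": r[0], "amount_cents": r[1]} for r in rows]


def create_invoice(conn, principal, amount_cents):
    """Writes are stamped with the session's org_id; the caller cannot choose it."""
    require(principal, "invoice:write")
    cur = conn.execute(
        "INSERT INTO invoices (org_id, amount_cents) VALUES (?, ?)",
        (principal.org_id, amount_cents),
    )
    conn.commit()
    return cur.lastrowid


if __name__ == "__main__":
    db = open_db()
    alice = Principal("alice", "org_a", "member")
    bob = Principal("bob", "org_b", "viewer")
    print("alice sees:", list_invoices(db, alice))
    print("bob, unscoped lookup of org_a invoice 1:", get_invoice_unscoped(db, bob, 1))
    print("bob, scoped lookup of org_a invoice 1:", get_invoice(db, bob, 1))
```

The scoped version is the one to keep; `get_invoice_unscoped` is included only to show that a correct RBAC check on its own does nothing to stop cross-tenant reads. When reviewing a multi-tenant system, the check to make is that no query path reaches a tenant-owned table without the session's organization id in its `WHERE` clause.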
Private AI Processing
Powered by AWS Bedrock. Your data is never used to train AI models and is never retained after processing.
Monitoring & Logging
Comprehensive audit logs for all platform activity. Real-time monitoring with anomaly detection and security alerting.
Sub-Processors
Third-party services that process data on our behalf
| Provider | Purpose | Compliance |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, AI processing (Bedrock) | SOC 2, ISO 27001, HIPAA, PCI-DSS |
| Stripe | Payment processing | PCI-DSS Level 1, SOC 2 |
| Plaid | Bank account verification | SOC 2, CCPA |
| Twilio | SMS and WhatsApp messaging | SOC 2, ISO 27001 |
Data Residency
All customer data is stored in the United States on AWS infrastructure. Enterprise plans can request dedicated data residency in specific AWS regions.
Primary Region
US East (Virginia)
Backup Region
US West (Oregon)
AI Processing
US East (AWS Bedrock)
Incident Response
Preparing for Production
Our monitoring infrastructure is live and actively protecting the platform. Runbooks and escalation procedures are being formalized as we prepare for production launch.
Detection
Prometheus alert rules across API health, database, workers, security, and rate limiting. Health check endpoints with real-time readiness probes.
Active now
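The Monitoring & Logging and Detection items above describe audit logs feeding anomaly detection and security alerting, with alerts mapped to the P1-P4 severities the runbooks use. The block below is an added example, not Muin's code, of what that detection logic looks like when run over audit log lines: a sliding-window rule for failed-login bursts per source IP and a rule that flags any denied cross-tenant access. The JSON event schema, the sample log, the thresholds and the severity assignments are all assumptions chosen for illustration.

```python
# Added example (not Muin's code): security detection rules evaluated over
# audit log lines. The JSON event schema, the sample events, the thresholds
# and the P-severity mapping are assumptions made for illustration.
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample audit log (newline-delimited JSON), not real platform data.
SAMPLE_LOG = """\
{"ts":"2024-05-01T12:00:00Z","event":"login","result":"failure","user":"alice","org":"org_a","ip":"203.0.113.7"}
{"ts":"2024-05-01T12:00:09Z","event":"login","result":"failure","user":"alice","org":"org_a","ip":"203.0.113.7"}
{"ts":"2024-05-01T12:00:15Z","event":"login","result":"success","user":"carol","org":"org_b","ip":"198.51.100.4"}
{"ts":"2024-05-01T12:00:21Z","event":"login","result":"failure","user":"admin","org":"org_a","ip":"203.0.113.7"}
{"ts":"2024-05-01T12:00:30Z","event":"login","result":"failure","user":"root","org":"org_a","ip":"203.0.113.7"}
{"ts":"2024-05-01T12:00:44Z","event":"login","result":"failure","user":"alice","org":"org_a","ip":"203.0.113.7"}
{"ts":"2024-05-01T12:01:02Z","event":"invoice.read","result":"denied","reason":"tenant_mismatch","user":"carol","org":"org_b","ip":"198.51.100.4","resource":"invoice/1"}
{"ts":"2024-05-01T12:05:00Z","event":"login","result":"failure","user":"dave","org":"org_c","ip":"198.51.100.9"}
{"ts":"2024-05-01T12:06:30Z","event":"login","result":"failure","user":"dave","org":"org_c","ip":"198.51.100.9"}
{"ts":"2024-05-01T12:08:00Z","event":"login","result":"failure","user":"dave","org":"org_c","ip":"198.51.100.9"}
"""


@dataclass(frozen=True)
class Alert:
    severity: str  # P1..P4, matching the runbook severity levels
    rule: str
    subject: str
    detail: str


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(lines, fail_threshold: int = 5, window_seconds: int = 60):
    """Evaluate two rules over an ordered stream of audit events.

    login_bruteforce: fail_threshold or more login failures from one source
    IP inside a sliding window of window_seconds (fires once per IP).
    cross_tenant_access: any request denied because the resource belongs to
    a different organization than the caller's session.
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent login failures
    already_fired = set()
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        ts = parse_ts(ev["ts"])

        if ev["event"] == "login" and ev["result"] == "failure":
            window = failures[ev["ip"]]
            window.append(ts)
            # Drop failures older than the window before counting.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= fail_threshold and ev["ip"] not in already_fired:
                already_fired.add(ev["ip"])
                alerts.append(Alert(
                    "P2", "login_bruteforce", ev["ip"],
                    f"{len(window)} failed logins within {window_seconds}s",
                ))

        elif ev.get("result") == "denied" and ev.get("reason") == "tenant_mismatch":
            # The control held (the request was denied), but a cross-tenant
            # request means either a scoping bug or someone probing other
            # organizations' ids, so a single occurrence gets a ticket.
            alerts.append(Alert(
                "P3", "cross_tenant_access", ev["user"],
                f"{ev['org']} requested {ev.get('resource')} owned by another org",
            ))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed log, the five failures from 203.0.113.7 arrive within 44 seconds and fire the brute-force rule, while the three failures from 198.51.100.9 are 90 seconds apart and never accumulate inside the window. The same rule shapes translate directly into Prometheus alert expressions once the audit events are exported as counters (a rate over a window compared to a threshold, and a "greater than zero" check on a denied-by-reason counter).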
Response
Runbooks in development for P1-P4 severity levels covering service outages, database issues, and security incidents. Escalation contacts and procedures being formalized.
In progress for launch
Notification
72-hour GDPR breach notification commitment. Pre-written notification templates ready. Public status page will launch alongside production.
Status page planned for production
Have security questions?
We're happy to complete your security questionnaire, provide additional documentation, or schedule a security review call.
See also: Security & Privacy | Privacy Policy | System Status