Security & Trust
Last updated: 24 June 2026
CerebrumX connects to the tools your team already uses and turns your conversations into a searchable company memory. That means you're trusting us with sensitive data — so this page explains, in plain terms, exactly what we access, how we protect it, who else touches it, and the controls you keep.
What we access — and what we never do
- Read-only. Every integration uses read-only access. We never post, send, reply, delete, or change anything in your tools.
- Only what you choose. You pick exactly which Slack channels, mailboxes, or sources we read. Nothing is connected without you explicitly choosing it.
- Connected on your terms. You can disconnect any integration at any time, which immediately stops all future access.
How your data is handled
- We read the conversations you connect, and an AI model extracts the decisions, action items, and key facts from them.
- Those become searchable "memories" stored in your own isolated workspace.
- Each workspace is separated at the database level (Row-Level Security), so no workspace can ever see another's data.
- You can delete any memory, or your entire workspace, at any time — deletion is immediate and permanent.
Our security practices
- Encryption in transit: all traffic served over HTTPS/TLS.
- Encryption at rest: data stored in Supabase (AES-256 at the storage layer).
- Workspace isolation: Row-Level Security ensures workspaces cannot access each other's data.
- Authentication: Supabase Auth with securely hashed passwords. Two-factor authentication (TOTP) is on our near-term roadmap.
- Integration tokens: read-only OAuth scopes only, held in an access-restricted store. Column-level encryption of access tokens is rolling out.
- Payments: processed by Stripe (PCI-DSS Level 1); we never see or store card numbers.
- Monitoring: errors and anomalies monitored via Sentry.
- Backups: daily database backups with point-in-time recovery.
We're an early-stage company and we believe in being straight about it: we are not yet SOC 2 certified, and we won't claim certifications we don't hold. We're happy to talk through our practices directly with your security team.
Subprocessors
We use a small number of trusted providers to run the service. We don't sell your data, and we never use it for advertising.
| Provider | Purpose |
| Supabase | Database, authentication & storage (hosted on AWS) |
| Anthropic (Claude) | AI extraction of decisions/actions from your text. Per Anthropic's API terms, your data is not used to train their models. |
| Vercel | Application & API hosting |
| Stripe | Payment processing |
| Resend | Transactional email (invites, reports) |
| Sentry | Error monitoring |
Your controls, in one place
- Choose exactly what we connect to — and start with a single channel if you prefer.
- Disconnect any integration instantly.
- Delete any memory, or everything, whenever you want.
- Export your workspace data on request.
Reporting a vulnerability
Email: support@cerebrumx.org with a subject line starting "SECURITY:"
Please include reproduction steps, the affected URL or endpoint, and the impact you believe the issue has.
We acknowledge every report within 48 hours and aim to resolve confirmed issues within 30 days. Critical issues (data exposure, account takeover, payment bypass) get immediate attention.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will not pursue legal action against you, as long as you:
- Only access accounts you own or have explicit permission to test
- Don't exfiltrate more data than necessary to prove the issue
- Don't modify or delete other users' data
- Don't publicly disclose the issue before we've had reasonable time to fix it
- Comply with all applicable laws
Contact
Security & privacy questions: support@cerebrumx.org