Security & Trust

Last updated: June 4, 2026

Our security posture

Moistur AI is built so that the access-control and audit foundations enterprises expect are in place from the start. We are transparent about what we have today versus what is still on our roadmap: this page reflects controls that actually run in production, not aspirations. If a control is listed below, it is live.

Compliance status

We are an early-stage company building toward formal certification. We will not claim a certification we do not hold.

  • SOC 2 Type II: In progress. We are not yet certified and a report is not yet available.
  • ISO 27001: On our roadmap; work has not yet started.
  • GDPR, India DPDP, and CCPA: We align our data-handling practices with these regimes. See our Privacy Policy for data rights and transfer safeguards.

Enterprise prospects in active evaluation can request our current security overview and a mutual NDA at support@moistur.ai.

How we protect your data

The following controls run in production today:

  • Encryption in transit and at rest: All traffic is served over TLS, and data is encrypted at rest by our managed infrastructure providers.
  • Tenant isolation: Each customer's data is separated at the database layer using Postgres row-level security, enforced on org-scoped tables.
  • Role-based access control: Granular roles (owner, admin, member, viewer) are enforced at both the application and database layers.
  • Single sign-on (SAML 2.0): Enterprise customers can connect their own identity provider; sessions are validated against the configured provider to prevent bypass.
  • Audit logging: Security-relevant events are written to an append-only audit trail with IP and user-agent provenance. Organization admins can view and export their own logs.
  • Secrets isolation: Service credentials and AI-provider keys are held server-side only and are never exposed to the browser.
  • API key hygiene: Personal API keys are stored only as SHA-256 hashes and are shown to you once, at creation.
  • Verified webhooks: Inbound payment and email webhooks are signature-verified before processing.
  • Monitoring with PII scrubbing: Errors are tracked centrally, with personal data and secrets scrubbed before transmission.
  • Daily backups: Our database is backed up daily by our managed database provider.

Sub-processors

We rely on a small set of vetted providers to operate the Service:

  • Infrastructure: Vercel (USA — hosting) and Supabase (USA — database, authentication, file storage).
  • AI providers: OpenAI, Anthropic, and Google AI, to execute your prompts.
  • Payments: PayPal (USA). We never store full card numbers.
  • Email: Resend (USA), for transactional and bulk email.
  • Error tracking: Sentry (USA), with PII scrubbed before transmission.
  • Product analytics: PostHog (USA).

The authoritative, up-to-date list is maintained in our Privacy Policy. We do not sell your personal information.

Data handling and location

Production data is hosted in the United States on Vercel and Supabase. We retain your data while your account is active and honor deletion requests as described in our Privacy Policy, which also covers data-subject rights and international transfer safeguards. We do not use your proprietary prompts or data to train public AI models.

Reporting a vulnerability

We welcome responsible disclosure. If you believe you have found a vulnerability, please email support@moistur.ai with details and reproduction steps. Please give us a reasonable window to investigate and remediate before any public disclosure, and avoid accessing or modifying data that is not yours.

Machine-readable contact details are published at /.well-known/security.txt.

Moistur AI Private Limited · 2026

Privacy Policy →