
Trust & Security Center

Last Updated: March 11, 2026

Security architecture, certifications, data protection measures, and trust documentation for enterprise procurement teams and security reviewers.

  • AES-256: encryption at rest
  • TLS 1.3: encryption in transit
  • SOC 2 Type II: infrastructure (Vercel), held by the provider
  • SOC 2 Type II: database (Neon), held by the provider

Certifications & Compliance Status

SOC 2 Type II: infrastructure (Vercel) and database (Neon/Vercel Postgres)
Status: certified via infrastructure providers

Bespoke Mentis deploys on Vercel and Neon, both of which hold SOC 2 Type II attestations. Those reports cover the providers' own controls (hosting, network, managed database operations), not Bespoke Mentis's application code, access management or operations, which remain uncovered until the corporate audit completes. Bespoke Mentis corporate SOC 2 Type II audit: in preparation, target Q4 2026.

ISO 27001: information security management
Status: in progress

Gap assessment complete. Remediation in progress. Target certification: Q1 2027.

ISO 42001: AI management systems
Status: gap assessment planned

ISO 42001 is the AI-specific management systems standard. Gap assessment scheduled for Q3 2026.

HIPAA BAA: healthcare deployments (Foresight)
Status: available upon request

Business Associate Agreements are available for covered entities and business associates requiring HIPAA compliance. Contact us to initiate BAA execution before deploying Foresight in a HIPAA-covered environment.

21 CFR Part 11: Foresight, pharmaceutical deployments
Status: validation documentation available

Foresight includes a validation documentation package (URS, FRS, IQ/OQ/PQ templates, 21 CFR Part 11 compliance matrix, audit rights SLA). Bespoke Mentis supports Computer Software Assurance (CSA) processes. Client validation execution is the client's responsibility.

EU AI Act: all products, EU-connected customers
Status: compliance in preparation

EU AI Act high-risk provisions take effect August 2, 2026. Technical documentation is in preparation. Foresight has been identified as requiring a full high-risk compliance assessment; the other products have been assessed as limited risk. Enterprise customers requiring EU AI Act documentation should contact us.

GDPR: all customers with EU data subjects
Status: DPA available, SCCs included

GDPR-compliant Data Processing Addendum (DPA) available with Standard Contractual Clauses (SCCs) for international data transfers. See /legal/dpa.

CPRA (California): all customers with California data subjects
Status: compliant

Privacy Policy updated March 2026 to include California Consumer Rights section, Notice at Collection on all forms, and Do Not Sell/Share mechanism.

Infrastructure Overview

Cloud provider

Vercel (Powered by AWS) + Neon (PostgreSQL on AWS)

Primary region

United States (us-east-1)

Data residency

United States (default). EU data residency available for enterprise customers — contact us.

Encryption at rest

AES-256 for all data at rest in Neon/Vercel Postgres

Encryption in transit

TLS 1.3 for all connections. HSTS enforced.

Token encryption

AES-256-GCM with unique IV per token (OAuth access tokens for LinkedIn and Gmail)

Database isolation

Per-tenant row-level security and environment isolation. Admin and user data strictly separated.

Access control

Role-based access control (RBAC). Multi-factor authentication required for all admin access. Principle of least privilege enforced.

Backup frequency

Automated daily database backups with 7-day point-in-time recovery (Neon)

Uptime target

Website: 99.9% (Vercel SLA). Enterprise product SLAs defined in Order Forms.

CDN / DDoS protection

Vercel Edge Network with built-in DDoS mitigation

Rate limiting

Applied to all public API endpoints. Configurable per-customer for enterprise deployments.

Security Controls

Application Security

  • Admin session management with JWT + database-backed session validation
  • CSRF protection on all state-changing endpoints
  • Input sanitization and output encoding
  • SQL injection prevention via parameterized queries (Neon/Postgres)
  • Dependency scanning in CI/CD pipeline
  • Security headers (HSTS, CSP, X-Frame-Options)

Access Management

  • Multi-factor authentication (MFA) required for all admin accounts
  • Session timeout and revocation capability
  • Admin access logging with cryptographic evidence chain
  • No shared credentials — individual accounts per operator
  • API key rotation schedule
  • Third-party OAuth tokens encrypted AES-256-GCM at rest

Monitoring & Incident Response

  • Security event logging across all services (12-month retention)
  • Anomaly detection on admin API access
  • Automated alert on failed authentication attempts
  • Incident response plan with documented 72-hour GDPR notification SLA
  • On-call security escalation path
  • Post-incident root cause analysis process

Development Practices

  • Code review required before production deployment
  • Secrets management via environment variables (never in source code)
  • Git repository access controls and audit logging
  • Staging environment separate from production
  • Automated test suite with security test coverage
  • Third-party penetration testing (annual schedule)

Vulnerability Disclosure Policy

Bespoke Mentis welcomes responsible disclosure of security vulnerabilities. We are committed to working with the security research community to identify and address security issues promptly.

In Scope

  • bespokementis.com and all subdomains
  • Public-facing APIs (api.bespokementis.com and /api/* routes)
  • Authentication and session management systems
  • Data storage and transmission security

Out of Scope

  • Third-party service providers (Vercel, Neon, OpenAI, etc.) — report to them directly
  • Denial of service (DoS) testing
  • Social engineering attacks on Bespoke Mentis employees
  • Physical security
  • Client environments or data belonging to other customers

Safe Harbor

Bespoke Mentis will not pursue legal action against security researchers who discover and report vulnerabilities in good faith, provided they: (1) do not access or modify data beyond what is necessary to demonstrate the vulnerability; (2) do not exploit the vulnerability for malicious purposes; (3) report promptly and maintain confidentiality until remediated; and (4) do not engage in denial of service, phishing, or social engineering.

How to Report

Email:

Subject line: "Security Vulnerability Report"

Include: Description of the vulnerability, steps to reproduce, potential impact, and your contact information

Encryption: For sensitive reports, request our PGP key before submission

Response Commitments

  • Acknowledgment of receipt: within 3 business days
  • Initial assessment and severity classification: within 7 business days
  • Regular status updates during investigation
  • Public disclosure: coordinated with researcher, typically 90 days after patch availability
  • Credit to researchers in our release notes (if desired)

Incident Response & Notification

In the event of a security incident affecting personal data, Bespoke Mentis commits to:

  • Detecting and containing incidents through continuous monitoring
  • Notifying affected enterprise customers within 72 hours of confirming a breach. (GDPR Article 33(2) requires a processor to notify the controller without undue delay; the 72-hour deadline in Article 33(1) is the controller's own deadline for notifying its supervisory authority and runs from when the controller becomes aware, so prompt customer notification is what lets customers meet it.)
  • Notifying California residents per California Civil Code § 1798.82
  • Conducting a post-incident root cause analysis and providing a written summary to affected customers
  • Maintaining a record of all security incidents, their scope, and remediation actions

Enterprise customers may request our Incident Response Plan (IRP) document under NDA. Contact with subject line "IRP Documentation Request."

AI Governance

Customer data is never used for AI model training. Bespoke Mentis does not use customer data or conversation content to train, fine-tune, or improve any AI model. Our OpenAI API integration uses default settings that do not include training on API inputs. See our Sub-processors list.

HIPAA Business Associate Agreement (BAA): A HIPAA BAA is available for healthcare clients deploying Bespoke Mentis in covered workloads. Contact info@bespokementis.com with subject "BAA Request."

AI Disclosure: All AI-generated outputs are disclosed to users. See our AI Disclosure.

NIST AI RMF alignment: Our governance framework is designed to align with the NIST AI RMF 1.0. Enterprise documentation available under NDA.

Security Contact

General security inquiries: — subject: "Security Inquiry"

Vulnerability reports: — subject: "Security Vulnerability Report"

Data breach notification: — subject: "Security Incident"

DPA / HIPAA BAA requests: — subject: "DPA Request" or "BAA Request"

SOC 2 report (under NDA): Available Q4 2026 — register interest at — subject: "SOC 2 Report Request"