Security
You are trusting us with your inbox and your books. We take that seriously.
Medulla AI handles email, financial records, and compliance filings - exactly the data you would not give to just anyone. Here is the architecture, the policies, and the disclosure channel.
Encryption everywhere
All data is encrypted at rest using AWS-managed keys (S3, RDS, DynamoDB defaults) and in transit via TLS 1.2+. OAuth tokens for Gmail/Outlook are encrypted at the application layer in addition to the storage default.
Tenant isolation by default
Each customer's data lives in logically isolated database namespaces. No cross-tenant queries possible by design. Documents in S3 are stored under per-tenant prefixes with bucket policies that prevent cross-account access.
NeMo Guardrails on every LLM call
NVIDIA NeMo Guardrails sits in front of all language model calls. PII redaction (account numbers, PAN, GSTIN) before content reaches the model. Hallucination control on financial answers. Jailbreak prevention.
Least-privilege access
Gmail and Outlook OAuth scopes are read-only on the user's mailbox plus restricted send. Drive scopes are limited to the tenant's own folder tree. We never request "act on your behalf" beyond what each capability requires.
Audit logs
Every model call, every document write, every compliance update is logged with timestamp, actor, and tenant context. Available to customers on request and to auditors on signed NDA.
Responsible disclosure
Found a vulnerability? Email security@usemedulla.ai. We will acknowledge within 48 hours, fix critical issues within 14 days, and credit you publicly if you would like.
Compliance roadmap
We are pre-revenue and have not yet pursued formal certifications. The plan:
- →Phase 1 (now): documented internal policies, AWS-managed encryption, tenant isolation by design, NeMo Guardrails in production
- →Phase 2 (year 1): SOC 2 Type 1 readiness, India DPDP compliance review, vendor security questionnaires
- →Phase 3 (year 2): SOC 2 Type 2, GDPR-aligned controls for global expansion, ISO 27001 if customer demand drives it
Reach security@usemedulla.ai for vulnerability reports or detailed architecture conversations.