Trust Center

Security, privacy, and the controls behind the platform.

AI utilization data is some of the most sensitive data an enterprise has.
This is how we protect it — our attestations, our controls, and the documentation your security team needs to move forward.

Our Commitments

Four promises behind every deployment.

Security as a product principle

Security is not a compliance checklist. It's a design constraint on every feature we ship — from the data model to the UI.

Transparency by default

Every audit trail, assumption, and data flow is documented. If you ask where a number came from, we can trace it to the source.

Least privilege everywhere

Row-level security, scoped API tokens, and narrow service roles. No human or system has access it doesn't need to do its job.

Your data stays yours

Customer data is never used to train shared models. Organization-anchored isolation ensures your numbers never leak across tenants.

Attestations & Frameworks

The audits, standards, and regulations we align to.

Current status for each framework.
Full documentation and reports are available under mutual NDA on request.

SOC 2 Type II

Pursuing · Report Coming Soon

Independent audit of our security, availability, and confidentiality controls over a twelve-month observation window.

ISO 27001

Pursuing · Report Coming Soon

Information security management system aligned to the ISO 27001:2022 control set. Certification audit scheduled for 2026.

GDPR

Compliant

Data Processing Agreement available on request. Standard Contractual Clauses for EU and UK transfers. Full subject rights workflow.

CCPA / CPRA

Compliant

California privacy rights honored for every applicable data subject. Documented retention, deletion, and opt-out workflows.

Security Practices

How we operate the platform.

Encryption in transit and at rest

TLS 1.3 for every request. AES-256 for data at rest, including database storage, backups, and object storage.

Multi-tenant architecture with strict isolation

Multi-tenant architecture with row-level security on every table. Per-tenant integration workflows and credentials guarantee your AI utilization data is logically isolated and never flows across customer boundaries.

SSO, SAML, and SCIM

Enterprise identity on day one. Okta, Entra ID, Google Workspace, and any SAML 2.0 IdP. SCIM provisioning available on the Umbral Intelligence Lite plan and higher.

Change management

Every code change is peer-reviewed, tested, and deployed through an audited pipeline. Production access is logged, time-boxed, and approved.

Vulnerability management

Continuous dependency scanning, automated SAST on every pull request, and an annual third-party penetration test with remediation SLAs.

Backups and disaster recovery

Point-in-time recovery on the primary database. Cross-region encrypted backups. Tested RTO of four hours and RPO of fifteen minutes.

Responsible Disclosure

Found a vulnerability? We want to hear about it.

Umbral Intelligence operates a coordinated disclosure program. Report suspected vulnerabilities directly to our security team. We acknowledge every report within one business day, and we won't pursue legal action against good-faith researchers who abide by our program rules.

security@umbral.nimbus-minds.com

Questions for our security team

We'll answer them in detail.

Enterprise security reviews are a first-class workflow for us.
Send us your questionnaire, your architecture concerns, or just an email — we respond with the full picture, not a marketing summary.