# Sample IT and legal approval memo for the Mycelium workspace connector

This template helps you, the workspace admin, prepare an internal memo for your IT and legal teams BEFORE you click "Connect" on a company Google Workspace, Slack, Notion, or similar OAuth flow in Mycelium.

Copy the template below, fill in the [BRACKETS] with your company specifics, and send it to your IT and legal contacts for written approval. Then return to Mycelium and complete the install.

Last updated: 2026-05-26. Authoritative source: https://mycelium-ai.co/security.

---

## 1. Subject

Request for IT and legal approval: connecting [YOUR COMPANY] tools to Mycelium AI workspace memory.

## 2. Executive summary

[YOUR COMPANY] is evaluating Mycelium AI, a multi-tenant company-memory layer that connects to our existing collaboration and knowledge tools and provides a unified search and AI-assisted retrieval surface for our team.

To complete the install, an admin (me) needs to authorize Mycelium to read from [LIST CONNECTORS BELOW]. Before I do, I am asking IT and legal to review the connector scopes, the data-handling commitments, and the audit status, and to confirm that we have the legal authority to ingest the content listed below.

This memo summarizes what Mycelium ingests, what it skips, how data is stored, how it is shared, and what commitments Mycelium has codified.

## 3. Connectors I am proposing to authorize

For the launch install at [YOUR COMPANY], I am proposing to connect:

- [ ] Company Google Workspace (Gmail, Drive, Calendar)
- [ ] Company Slack workspace
- [ ] Company Notion workspace
- [ ] Company GitHub organization
- [ ] Other: [LIST]

I am NOT proposing to connect:

- [ ] [LIST anything explicitly held back, e.g. legal Confluence, finance Drive, executive Slack channels]

## 4. What Mycelium ingests by default per connector

Mycelium ships smart-default filters per source. The defaults below ingest the content most useful for a working knowledge base while explicitly skipping low-signal or sensitive content. The workspace admin can tighten the defaults further on a per-source basis.

| Source | Ingest by default | Skip by default |
|---|---|---|
| Gmail | Sent emails + received emails the user replied to + last 12 months | Newsletters, marketing automation, automated alerts, spam |
| Slack | Channels the user is an active member of + DMs + @mentions of the user + last 12 months | Lurker channels the user has not posted in, bot messages, join and leave notifications |
| Notion | Pages the user has edited or created + team docs the user has access to | Pages the user only viewed, archived pages |
| Google Drive | Docs, sheets, slides the user authored or edited + last 12 months | Files over 100MB, files only shared with the user that the user has never opened, trash |
| Calendar | Events the user attended or organized + attendees + attached notes | Events the user declined, recurring all-hands the user never engages with |
| GitHub | Repos the user committed to + issues the user created or commented on | Repos the user only starred |

Admin-level overrides:

- Slack: channel allowlist or blocklist. Admin can exclude #execs, #hr, #legal.
- Google Drive: per-shared-drive and per-folder allowlist. Admin can exclude /finance, /legal, /exec.
- Notion: per-workspace and per-database allowlist. Admin can exclude private founder pages.
- GitHub: per-repo allowlist. Admin can exclude security-sensitive repos.
- Calendar: per-user opt-in. Admin can flip to opt-in per user instead of org-wide.

## 5. Encryption

- Credentials and refresh tokens: encrypted at rest at the storage layer using AES-256.
- Customer content at rest: AES-256, Postgres-managed.
- In transit: TLS 1.3 at the public boundary.
- Per-tenant encryption keys (BYOK): available on the Mycelium Enterprise tier; key rotation via the admin API.

## 6. The eight trust commitments Mycelium ships

1. **Credentials encrypted at rest.** OAuth tokens, refresh tokens, and API keys are encrypted at rest at the storage layer.
2. **Disconnect equals delete within 24 hours.** When the workspace admin disconnects a connector, the data ingested from that source is removed within 24 hours.
3. **Never used for training.** Customer content is never used to train any AI model. Codified in the Mycelium Terms of Service.
4. **BYO inference.** Customer content never reaches a Mycelium-controlled inference endpoint unless the workspace explicitly opts into Hosted Pass-Through. Default is BYO subscription.
5. **Pause sync.** A one-click toggle pauses ingestion across all sources without disconnecting them. Useful for litigation holds, M and A windows, and internal investigations.
6. **Audit log at Team and Enterprise.** Every search query and every AI invocation is logged with timestamp, actor identity, source IP, and the query payload. Exportable on demand.
7. **Personal layer private at Team.** Workspace members can connect personal sources (personal Gmail, personal Notion, etc.) on top of the company brain. The personal layer is private to that user: admins cannot see it, other team members cannot see it, and it does not feed the company brain.
8. **Third-party security audit + SOC 2 Type II in progress.** Mycelium has commissioned a third-party security audit and is running a SOC 2 Type II observation period. Both ship before the first paying customer onboards.

Authoritative source for the eight commitments: https://mycelium-ai.co/security.

## 7. Audit status

- Third-party security audit firm: [in vendor selection; published at https://mycelium-ai.co/security#audit-status when signed]
- Third-party audit kickoff date: [pending vendor selection]
- SOC 2 Type II observation period start: [pending]
- SOC 2 Type II certification: NOT yet certified. Mycelium does not claim "SOC 2 certified" until the SOC 2 Type II report is in hand. The badge on the Security page reads "in progress" during the observation period.

## 8. Subprocessors

The current Mycelium subprocessor list is published at https://mycelium-ai.co/subprocessors. Mycelium commits to 30 days advance written notice before adding a new subprocessor, with a right of objection during the notice period. Material security failures by a subprocessor are disclosed to customers within 24 hours.

## 9. Data residency

US and EU options on Vercel + AWS-backed deployments. Region pinning configurable per tenant on the productized runtime. Default region: US. Specify if your legal posture requires EU pinning: [YES / NO].

## 10. Data Processing Addendum

The Mycelium DPA is published at https://mycelium-ai.co/dpa. Mycelium signs the DPA as a Processor under GDPR / UK GDPR / CCPA / LGPD. Sub-processor list and notification cadence are in the DPA.

## 11. Departing-employee flow

When the workspace admin removes a user from the workspace:

1. The user's personal-layer content is exported to them within 7 days (downloadable archive).
2. After 7 days, personal-layer content is deleted from Mycelium.
3. The company brain stays intact. The data lived in Slack, Notion, Drive, etc. first; removing it from Mycelium would orphan the company's knowledge.
4. Audit log entries from that user are retained for compliance (default 12 months at Team, extendable at Enterprise).
5. SSO and auth credentials are revoked immediately. No grace period.

## 12. Questions to ask Mycelium

Recommended questions for your IT and legal teams to confirm with Mycelium in writing:

- What is your current DPA version? When was it last updated?
- Have you completed any independent security audits? If yes, can we see the executive summary under NDA?
- What is your incident response SLA from discovery to customer notification?
- Where does our data physically sit? Which AWS regions, which Vercel regions?
- What is your subprocessor disclosure cadence?
- What is your vulnerability disclosure policy and how do we report a finding?
- Can we negotiate a contractual cap on retention of audit-log records?
- What happens to our data on contract termination?

The answers to most of these are public at https://mycelium-ai.co/security, https://mycelium-ai.co/dpa, https://mycelium-ai.co/privacy, and https://mycelium-ai.co/subprocessors. Confirming in writing as part of the engagement letter is the recommended path.

## 13. Recommended next steps for IT and legal

1. Review the connector scope list in Section 3 above and confirm the admin (me) has the legal authority to authorize ingestion at the scope proposed.
2. Review the eight commitments in Section 6 and confirm any additions or carve-outs the company needs.
3. Review the DPA at https://mycelium-ai.co/dpa and flag any gaps relative to [YOUR COMPANY]'s standard processor terms.
4. Decide on data-residency region (US default, EU available).
5. Decide on storage cap and audit-log retention window if you need a deviation from defaults.
6. Approve in writing. I will hold off on connecting until I have your approval.

If any line in this memo is not honest or is unclear, please tell me before I proceed. Mycelium's commitment is to be honest about what is ingested and skipped, not to overpromise. If a question here is not answered in writing, that is a reason to delay the install, not a reason to wave it through.

## 14. Contact

- Workspace admin (me): [YOUR NAME], [YOUR EMAIL]
- Mycelium privacy contact: privacy@mycelium-ai.co
- Mycelium security contact: security@mycelium-ai.co
- Authoritative Security page: https://mycelium-ai.co/security
- Authoritative Privacy policy: https://mycelium-ai.co/privacy
- Authoritative Data Processing Addendum: https://mycelium-ai.co/dpa

---

*This template is published by Mycelium AI under the same terms as the rest of mycelium-ai.co. You are free to copy, modify, and use it for your own internal IT and legal approval process.*
