Trust Center
Last updated: 2026-05-26
This page is the single source of truth for where Mycelium stands on the certifications, audits, and procurement evidence a Fortune 100 buying committee asks for. Every status row carries an explicit timeline. Nothing on this page is aspirational without a date.
1. Where we are
| Certification | Status | Target | Last verified |
|---|---|---|---|
| SOC 2 Type II | Engagement starting Q2 2026 | Type II report Q4 2026 after 6-month observation window | Engagement letter pending |
| HIPAA + BAA-ready | Risk assessment + technical safeguards documented; BAA template available | Active by Q3 2026 | 2026-05-04 |
| GDPR + DPIA | DPA published, DPIA template available | Active | 2026-05-04 |
| Penetration test | Tier-1 firm engagement starting Q2 2026 (Bishop Fox, NCC Group, or Trail of Bits, final selection pending) | Annual report under NDA Q3 2026 onwards | Engagement RFP in flight |
| ISO 27001 | On roadmap | Q1 2027 if European F100 demand materializes | Roadmap |
| FedRAMP Moderate | On roadmap; required for federal AI memory layers by 2027 per government memo | Q4 2027 | Roadmap |
| BYOK + per-tenant encryption keys | Customer-managed encryption keys on Enterprise tier; namespace-level scoping reserved for Hyperscale custom installs | Active (Enterprise); Hyperscale on-deal | 2026-05-26 |
| Deployment isolation | Shared-tenant default with RLS plus per-tenant audit log plus per-tenant rate limits; single-tenant available on Hyperscale custom installs | Active (shared-tenant); Hyperscale on-deal | 2026-05-26 |
2. How to read this page
This page is updated whenever a status changes. Every row carries a date or an explicit timeline. Items without a date are roadmap items, named as such. Nothing here is aspirational without a target. If the page is more than thirty days old, write to contact@mycelium-ai.co for the current state.
3. Data residency
- Default region: United States (Fly IAD)
- European region (Fly CDG): available on Enterprise and Hyperscale tiers on request
- Customer data does not leave the customer’s selected region except by explicit customer request, for example cross-region failover during a declared outage with customer consent
- Audit log replication: within-region only; the audit chain is never replicated cross-region
The residency posture for a specific tenant is enforced at deployment time. Procurement teams running EU-residency or US-only workloads can request the residency clause in writing against the DPA before signing.
4. Audit cadence
- Internal vulnerability scans: monthly
- Dependency audit: weekly via Dependabot
- Access review: quarterly
- Backup restore drill: quarterly
- Tabletop incident-response exercise: semi-annually
5. Incident response
- Detection: PostHog, Vercel, and Sentry alerts
- First response within one business hour
- Customer notification within 24 hours of a confirmed incident
- Postmortem published to /trust/postmortems within 14 days
- Postmortem covers root cause, fix, and the monitoring change made afterwards
6. Security contacts
- Vulnerabilities: security@mycelium-ai.co
- Data subject requests: privacy@mycelium-ai.co
- General procurement questions: contact@mycelium-ai.co
7. Subprocessors
The current canonical subprocessor list lives in our Data Processing Addendum under Section 3. We will move to a standalone /subprocessors page if the list grows beyond six entries. Until then, the DPA is the single source.
8. Documents available on request
Mycelium · founded 2026