Security at Mentis

Built to survive your own diligence.

A data room holds a company’s most sensitive material — financials, cap tables, contracts, board minutes. So we wrote our security posture the way you’d want it in a deal: terms first, verifiable, no adjectives doing the work.

The commitments
Training

Your deal flow stays your edge

Documents, questions, and memos in your data rooms are never used to train AI models — ours or our providers’. Nothing you upload improves anyone else’s product.

Encryption

Encrypted end to end

All traffic runs over TLS. Documents, embeddings, and integration tokens are encrypted at rest — tokens with an additional application-level layer.

Isolation

One room, one boundary

Every question, memo, and analysis is scoped to a single data room. Content from one room cannot surface in another, or in another customer’s account.

Access

Least-privilege by default

Google Drive, Notion, and meeting-notes connections request the narrowest OAuth scopes that work, and you can revoke them at any time.

The lifecycle

Where your data lives, stage by stage.

  1. UploadTLS 1.2+

    Every connection to Mentis — browser, API, and integration syncs — runs over HTTPS. Unencrypted requests are not accepted.

  2. StorageAES-256

    Documents and generated embeddings are stored encrypted at rest. Integration OAuth tokens are additionally encrypted before storage.

  3. AnalysisScoped retrieval

    Retrieval and generation are scoped to the data room you are working in. Model providers process your content to answer your question and are contractually barred from training on it.

  4. SharingOwner + invited

    A data room is visible only to its owner and the teammates they explicitly share it with. There is no cross-account access path.

  5. DeletionImmediate

    Deleting a data room removes its documents, analysis, and embeddings from active systems. Full account deletion is honored within 30 days.

Compliance

SOC 2

Mentis is SOC 2 compliant. Our controls — access management, encryption, change management, and vendor review — are held to the SOC 2 Trust Services Criteria for security, availability, and confidentiality.

Google API Limited Use

Our use of Google user data adheres to the Google API Services User Data Policy, including the Limited Use requirements. Drive data only powers the features you request — never model training, never resale.

Deletion rights

Delete any data room — documents, analysis, and embeddings included — at any time from your dashboard. Full account deletion is honored within 30 days, as described in our privacy policy.

Subprocessors

The infrastructure that processes customer data. Providers you connect yourself — Google, Notion, meeting-notes tools — only receive data when you link them.

ProviderPurposeSafeguard
AnthropicAI analysis and memo generation (Claude)No training
OpenAIDocument embeddings for searchNo training
PineconeEncrypted vector search indexPer-room isolation
Amazon Web ServicesDocument storage (S3)Encrypted at rest
RailwayApplication hosting and databaseEncrypted at rest

Ask us the hard questions.

Vendor reviews, security questionnaires, or something you think we should know — security reports get a same-day human response.

Contact security
Join the waitlist