Trust
Security at MLtitude
Last updated · 29 April 2026
MLtitude is used to draft material that is often confidential: board updates, commercial proposals, training for regulated industries. We treat your content accordingly. This page describes how we secure the Service today, what we are working on, and how to report a vulnerability.
Bottom line
Customer content is encrypted in transit and at rest, hosted in the European Union, and never used for model training. Production access is limited to a small set of authorised engineers and is logged. We follow established industry security practices and are working toward formal certification.
Where your data lives
Customer content (decks, modules, briefs, files, and account data) is stored on infrastructure provided by Hetzner Online GmbH in Germany. Hetzner operates ISO 27001-certified facilities with 24/7 physical security, biometric access control, and redundant power and cooling. EU data residency is the default for every customer.
Encryption
| Layer | Standard |
|---|---|
| In transit (browser ↔ application) | TLS 1.3 with strong cipher suites |
| In transit (between internal services) | TLS 1.3 over private networking |
| At rest (databases) | AES-256 with full-volume encryption |
| At rest (backups) | AES-256, encrypted before leaving the database server |
| Passwords | Argon2id with per-user salt; never stored in plaintext |
Access control
- Production access is limited to a named, small set of MLtitude engineers.
- Multi-factor authentication is enforced for all production access, both at the SSO and infrastructure layers.
- SSH access uses hardware-backed keys; password authentication is disabled.
- Customer support staff have no standing access to customer content. Access is granted only on explicit, time-bound, audited request.
- All administrative access to production is logged for at least 12 months.
Application security
- Authentication uses signed, short-lived sessions with secure cookies.
- Role-based authorisation is enforced server-side on every request.
- Dependencies are continuously scanned for known vulnerabilities; critical fixes are applied within 7 days.
- Code changes go through peer review and automated tests before merging.
- Secrets are managed through encrypted environment configuration; never committed to source control.
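The first two items above describe signed, short-lived sessions and server-side role checks. The following is an added example, not MLtitude's code, showing one way those two controls fit together: an HMAC-signed session token with an expiry, verified with a constant-time comparison, and a per-request authorisation check that consults the role recorded in the verified token rather than anything the client claims. The key, the 15-minute lifetime and the role-to-permission table are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example key. In a real deployment this comes from the encrypted
# environment configuration described on this page, never from source control.
SECRET_KEY = b"constructed-example-key-not-for-production"
SESSION_TTL_SECONDS = 15 * 60  # assumed lifetime; the page says only "short-lived"

# Assumed role model for the example, not MLtitude's actual roles.
ROLE_PERMISSIONS = {
    "viewer": {"deck:read"},
    "editor": {"deck:read", "deck:write"},
    "admin": {"deck:read", "deck:write", "workspace:manage"},
}


def _b64encode(raw: bytes) -> bytes:
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64decode(encoded: bytes) -> bytes:
    # Restore the padding stripped at encode time before decoding.
    return base64.urlsafe_b64decode(encoded + b"=" * (-len(encoded) % 4))


def _sign(body: bytes) -> bytes:
    return hmac.new(SECRET_KEY, body, hashlib.sha256).digest()


def issue_session(user_id: str, role: str, now: Optional[int] = None) -> str:
    """Mint a signed token carrying subject, role, issue time and expiry."""
    now = int(time.time()) if now is None else now
    payload = {"sub": user_id, "role": role, "iat": now, "exp": now + SESSION_TTL_SECONDS}
    body = _b64encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return (body + b"." + _b64encode(_sign(body))).decode("ascii")


def verify_session(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        parts = token.encode("ascii").split(b".")
        if len(parts) != 2:
            return None
        body, sig = parts
        # Constant-time comparison: a plain == would leak timing information.
        if not hmac.compare_digest(_sign(body), _b64decode(sig)):
            return None
        payload = json.loads(_b64decode(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) <= now:
        return None
    return payload


def authorize(token: str, permission: str, now: Optional[int] = None) -> bool:
    """Server-side check for every request: valid session AND the role grants the permission."""
    session = verify_session(token, now)
    if session is None:
        return False
    return permission in ROLE_PERMISSIONS.get(session.get("role"), set())


def tamper_role(token: str, new_role: str) -> str:
    """Simulate a client rewriting its own role while keeping the old signature."""
    body, sig = token.split(".")
    payload = json.loads(_b64decode(body.encode("ascii")))
    payload["role"] = new_role
    forged = _b64encode(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    return forged.decode("ascii") + "." + sig


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_session("u_42", "editor", now=t0)
    print(authorize(tok, "deck:write", now=t0))                               # True
    print(authorize(tok, "workspace:manage", now=t0))                         # False: editor lacks it
    print(authorize(tok, "deck:read", now=t0 + SESSION_TTL_SECONDS))          # False: expired
    print(authorize(tamper_role(tok, "admin"), "workspace:manage", now=t0))   # False: signature mismatch
```

The last case is the one that matters for "enforced server-side": the role lives inside the signed body, so a client that edits it invalidates the signature and is treated as unauthenticated rather than as an admin.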
Infrastructure security
- Application, database, and cache communicate over private networking; the database and cache are not exposed to the public internet.
- Edge protection (DDoS, bot mitigation, WAF) is provided by Cloudflare.
- Backups run daily, encrypted, retained for 30 rolling days, and tested for restorability monthly.
- Patches to the operating system, runtime, and database are applied within standard maintenance windows.
Model provider security
MLtitude uses third-party model providers (currently OpenAI) to interpret briefs and structure content. Our agreements with these providers require zero retention of customer data and prohibit use of customer content for model training. We send only the minimum data needed to fulfil each request.
Incident response
- We maintain a documented incident response plan and an on-call rotation.
- In the event of a personal data breach, affected customers will be notified within 72 hours of our becoming aware of it, so that you can meet your own notification obligations under GDPR Article 33.
- Post-incident reports are shared with affected customers, including timeline, root cause, and remediation.
Compliance and certifications
We are not currently certified against SOC 2, ISO 27001, or similar frameworks. We are designing the Service to be compliant with these frameworks as the company matures, and intend to begin formal audit work in the next phase of growth. For customers who require an attested audit today, please reach out and we'll work with you to find an arrangement that fits your procurement process, including third-party penetration tests and detailed security questionnaires.
MLtitude is designed to be compatible with the EU GDPR, the UK GDPR, and India's Digital Personal Data Protection Act 2023. See our Data Processing Agreement for the full picture.
Reporting a vulnerability
If you believe you have found a security vulnerability in MLtitude, please report it responsibly to info@edothsoft.com. Please do not publicly disclose the issue until we have had a chance to investigate and remediate. Full policy is at /trust/responsible-disclosure. We will:
- Acknowledge your report within 2 business days.
- Provide an initial assessment within 7 business days.
- Keep you updated on remediation progress.
- Credit you publicly (with permission) once the issue is resolved.
Security questionnaires
We're happy to complete vendor security questionnaires for paying customers and active prospects. Email info@edothsoft.com with your questionnaire and we'll typically return a completed copy within 5–10 business days. A pre-filled questionnaire is also published at /trust/security-questionnaire.