Security

Built right, from day one.

Neuron is engineered on the assumption that your company's knowledge is among its most sensitive data. Isolation, encryption, and audit are not add-on features; they are defaults.

TLS 1.3 + AES-256 · SOC 2 in progress · SSO ready

Encryption

  • All data encrypted at rest using AES-256 (Postgres, Pinecone, S3).
  • All data in transit over TLS 1.3 with HSTS preload.
  • Customer encryption keys (CMK) optional on the Enterprise plan.
  • Secrets are encrypted at rest under AWS KMS keys, rotated automatically every 90 days.

Isolation

Every workspace is a logical tenant. Each row in our database carries a mandatory workspace_id column with a NOT NULL constraint, and every query is parameterized with the authenticated session's workspace ID, so the tenant filter is bound server-side on every request and cannot be omitted or overridden by request input. These two controls (the constraint and the parameterized filter) live in the schema and the data-access layer: they guarantee that every row is labeled and every query is scoped, rather than making the database engine itself reject cross-workspace reads.
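
The pattern above, as an added example that is not Neuron's own code: an in-memory SQLite table stands in for the Postgres schema, the table name, columns and sample rows are assumed, and a small repository class binds the session's workspace ID into every query so that a cross-workspace lookup, an injection attempt in a row ID, and an insert that omits the tenant label all fail.

```python
"""Tenant isolation via a mandatory workspace_id and parameterized queries.

Added example, not Neuron's code. An in-memory SQLite table stands in for the
Postgres schema described above; the table name, columns and sample rows are
assumed.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated session. workspace_id comes from auth, never from the request."""
    user_id: str
    workspace_id: str


SCHEMA = """
CREATE TABLE decisions (
    id           TEXT PRIMARY KEY,
    workspace_id TEXT NOT NULL,   -- mandatory tenant label on every row
    title        TEXT NOT NULL
);
"""

# Constructed sample rows for two workspaces (assumed data).
SAMPLE_ROWS = [
    ("d-1", "ws-acme", "Use Postgres for search"),
    ("d-2", "ws-acme", "Rotate API keys quarterly"),
    ("d-3", "ws-globex", "Move to passkeys"),
]


def connect() -> sqlite3.Connection:
    """Create the table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO decisions VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


class DecisionRepo:
    """Every query binds the session's workspace_id; callers cannot omit it."""

    def __init__(self, conn: sqlite3.Connection, session: Session):
        self._conn = conn
        self._ws = session.workspace_id

    def list_titles(self) -> list[str]:
        rows = self._conn.execute(
            "SELECT title FROM decisions WHERE workspace_id = ? ORDER BY id",
            (self._ws,),
        )
        return [r[0] for r in rows]

    def get(self, decision_id: str):
        # Tenant and row id are both bound parameters, so a crafted id such as
        # "d-3' OR '1'='1" is compared as a literal string, never parsed as SQL.
        row = self._conn.execute(
            "SELECT id, title FROM decisions WHERE workspace_id = ? AND id = ?",
            (self._ws, decision_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "title": row[1]}

    def save(self, decision_id: str, title: str) -> None:
        # The tenant label is taken from the session, not from the caller.
        self._conn.execute(
            "INSERT INTO decisions (id, workspace_id, title) VALUES (?, ?, ?)",
            (decision_id, self._ws, title),
        )


def insert_without_workspace_fails(conn: sqlite3.Connection) -> bool:
    """The NOT NULL constraint rejects any write that forgets the tenant label."""
    try:
        conn.execute("INSERT INTO decisions (id, title) VALUES ('d-9', 'orphan')")
    except sqlite3.IntegrityError:
        return True
    return False


if __name__ == "__main__":
    conn = connect()
    acme = DecisionRepo(conn, Session("alice", "ws-acme"))
    print(acme.list_titles())          # only ws-acme rows
    print(acme.get("d-3"))             # None: d-3 belongs to ws-globex
    print(acme.get("d-3' OR '1'='1"))  # None: the injection attempt is inert
    print(insert_without_workspace_fails(conn))  # True
```

The repository is the only path to the table, and it never accepts a workspace ID from the caller. If you want the database engine itself to refuse cross-tenant rows even when application code is wrong, Postgres row-level security policies keyed on a per-session setting are the usual addition; the page does not describe Neuron as using them.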

Vector store isolation

Embeddings live in workspace-scoped Pinecone namespaces. There is no cross-namespace query path.

Authentication

  • Human auth via Clerk: email + Google OAuth on starter plans, SAML SSO on enterprise.
  • API auth via workspace-scoped keys validated with timing-safe comparison.
  • Session tokens rotate every 7 days; long-lived API keys can be revoked instantly.

MCP / agent access

Agents authenticate with the same workspace-scoped API keys used for programmatic access; there is no separate agent credential. Each key can be marked read-only, which blocks save_decision calls while leaving reads available. Every MCP tool call is logged with the calling key's identity for audit.
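
The two mechanisms above (timing-safe validation of workspace-scoped keys, and read-only keys that cannot call save_decision) as one added example, not Neuron's code. The key format ("nk_<key_id>_<secret>"), the in-memory key store, the tool names other than save_decision and the shape of the audit records are all assumed.

```python
"""Workspace-scoped API keys: timing-safe validation, read-only agent keys, audit.

Added example, not Neuron's code. The key format ("nk_<key_id>_<secret>"), the
in-memory key store, the tool names other than save_decision and the shape of
the audit records are all assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

WRITE_TOOLS = {"save_decision"}                    # the call a read-only key must not make
READ_TOOLS = {"search_knowledge", "get_decision"}  # assumed read-only tool names


@dataclass
class ApiKeyRecord:
    key_id: str
    secret_hash: bytes   # SHA-256 of the secret; the plaintext is never stored
    workspace_id: str
    read_only: bool
    revoked: bool = False


def _digest(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()


class KeyStore:
    def __init__(self) -> None:
        self._keys: dict[str, ApiKeyRecord] = {}
        self.audit_log: list[dict] = []

    def issue(self, workspace_id: str, read_only: bool = False) -> str:
        """Generate a key, store only its hash, and audit the generation event."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._keys[key_id] = ApiKeyRecord(key_id, _digest(secret), workspace_id, read_only)
        self.audit_log.append({"event": "key.generate", "key_id": key_id,
                               "workspace_id": workspace_id, "read_only": read_only})
        return f"nk_{key_id}_{secret}"

    def revoke(self, key_id: str) -> None:
        """Revocation takes effect on the next call; no token expiry is involved."""
        self._keys[key_id].revoked = True
        self.audit_log.append({"event": "key.revoke", "key_id": key_id})

    def authenticate(self, presented: str):
        """Return the ApiKeyRecord for a valid, unrevoked key, else None.

        The secret is hashed before comparison so both sides are fixed-length,
        and hmac.compare_digest runs in time independent of where they differ.
        An unknown key_id is compared against a dummy digest so that lookup
        success is not observable from the comparison path either.
        """
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "nk":
            return None
        _, key_id, secret = parts
        rec = self._keys.get(key_id)
        expected = rec.secret_hash if rec is not None else _digest("")
        matched = hmac.compare_digest(_digest(secret), expected)
        if rec is None or not matched or rec.revoked:
            return None
        return rec

    def call_tool(self, presented: str, tool: str, args: dict) -> dict:
        """Authorize one MCP tool call and write an audit record for it."""
        rec = self.authenticate(presented)
        if rec is None:
            self.audit_log.append({"event": "mcp.call", "key_id": None, "tool": tool,
                                   "allowed": False, "reason": "unauthenticated"})
            return {"ok": False, "error": "unauthenticated"}
        if tool not in READ_TOOLS | WRITE_TOOLS:
            reason = "unknown_tool"
        elif rec.read_only and tool in WRITE_TOOLS:
            reason = "read_only_key"
        else:
            reason = None
        self.audit_log.append({"event": "mcp.call", "key_id": rec.key_id,
                               "workspace_id": rec.workspace_id, "tool": tool,
                               "allowed": reason is None, "reason": reason})
        if reason is not None:
            return {"ok": False, "error": reason}
        # The workspace for the call comes from the key, never from args.
        return {"ok": True, "workspace_id": rec.workspace_id, "tool": tool, "args": args}


if __name__ == "__main__":
    store = KeyStore()
    agent_key = store.issue("ws-acme", read_only=True)
    print(store.call_tool(agent_key, "search_knowledge", {"q": "passkeys"}))  # ok
    print(store.call_tool(agent_key, "save_decision", {"title": "x"}))       # read_only_key
    print(store.call_tool(agent_key[:-1] + "!", "search_knowledge", {}))     # unauthenticated
    for entry in store.audit_log:
        print(entry)
```

Two details worth noting: the denied save_decision call is still written to the audit log with the key's identity, so a read-only agent probing for write access leaves a trace; and the workspace passed to the tool handler is taken from the validated key, so an agent cannot name a different workspace in its arguments.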

Audit log

Every read, write, source-connect, and key-generation event is logged. The audit log is queryable in-app and exportable as CSV/JSON. Logs are immutable once written; enterprise accounts retain them for 7 years.

Self-host (Enterprise)

Neuron can be deployed inside your VPC on AWS or GCP. Same product, your hardware, your data. Includes:

  • Terraform modules for AWS (EKS) and GCP (GKE).
  • BYO encryption keys (KMS / Cloud KMS).
  • Air-gapped option, no outbound calls to neuron.so.
  • BYO LLM provider: Bedrock, Vertex, Azure OpenAI, or your own.

Vulnerability disclosure

We run an active bug-bounty via security@neuron.so. Reproducible vulnerabilities get a response within 48 hours. We do not pursue legal action against good-faith research.

Sub-processors

  • AWS, hosting & storage.
  • Clerk, human authentication.
  • Pinecone, vector storage.
  • OpenAI / Anthropic, LLM inference (under DPA; no training on customer data).
  • Resend, transactional email.

Security reports & DPA requests: security@neuron.so. SOC 2 Type 2 report available under NDA when complete (Q1 2027).