Mentomy's P.A.S.S. Policy

Privacy: Your Data, Always Confidential.

Mentomy's entire software architecture and infrastructure is built with privacy as a core principle. We ensure your information remains confidential and fully under your control.

• Isolated Workspaces: Every client operates within a dedicated, isolated environment. Your sensitive data never co-mingles with others.
• Built-in Privacy by Design: From initial upload to AI interactions, our processes minimize data exposure and maximize confidentiality.
• No AI Training: Mentomy never uses your data to train proprietary or third-party foundation models.
• Complete Control Over Retention: You dictate how long your knowledge base is retained. All folders and files are temporarily stored on secure EU cloud servers (solely for visualization and query sourcing). Upon deletion, they are immediately and permanently erased from Mentomy’s servers without a trace.

GDPR Compliance and Data Subject Rights:

Mentomy fully supports all data subject rights under GDPR, including:

• Right of access
• Right to rectification
• Right to erasure (“right to be forgotten”)
• Right to data portability
• Right to object and restrict processing

Mentomy maintains a robust internal incident response policy. In the unlikely event of a data breach involving personal information, we will notify affected parties within 72 hours in accordance with GDPR Article 33.

Access Control: Information Only for Those Who Need It.

Mentomy empowers you with granular control over information access within your AI system. We ensure your AI assistant adheres strictly to your organizational permissions, preventing unauthorized data exposure.

• Role-Based Access Control (RBAC): Define precise roles and assign specific data access permissions based on those roles. This ensures users only retrieve information relevant to their duties, significantly reducing the risk of internal misuse.
• Fine-Grained Authorization: Beyond basic roles, we offer capabilities for dynamic authorization based on context and user attributes. This means your AI will only provide answers that a specific user is authorized to see, adapting to complex organizational hierarchies.
• Comprehensive Access Logging: We meticulously log all access to sensitive data, detailing who accessed it, when, and what operations were performed. This provides full auditability and a clear trail for compliance and security monitoring.

Security: Protecting Your Critical Assets.

Your data's security is our highest priority. Mentomy implements cutting-edge security measures to safeguard your information at every stage, from network communication to session management and prompt handling.

• Strong Encryption: All your data is protected with robust, industry-standard encryption protocols, both in transit (e.g. using HTTPS/TLS and AES-256) and at rest (e.g. using the encryption standard AES-256).
• API Authentication and Signature: Every API request contains a unique token and a cryptographic signature (e.g. using HMAC). These elements verify that the request originates from an authorized source and has not been tampered with while in transit.
• Continuous Monitoring & Auditing: Our systems are constantly monitored for vulnerabilities and suspicious activity. We maintain full auditability to provide transparency and accountability, proactively identifying and mitigating threats.

Prompt & Session Security:

• Prompt Sanitization: Mentomy intelligently sanitizes every user question to prevent prompt injection (i.e., malicious instructions inserted into prompts that could manipulate AI behavior).
• Language Filters: We apply advanced language filters to detect and block offensive or inappropriate expressions, maintaining a professional interaction environment.
• Session Timeout: An automatic session timeout feature closes idle user sessions after a predefined period, significantly reducing the risk of unauthorized access if a device is left unattended.

Sovereignty: Your Data Never Leaves the EU. Period.

We understand that for many businesses, especially those within the European Union, the geographical location of data is paramount. At Mentomy, we offer an unwavering commitment: your data, whether in transit or at rest, is exclusively processed and stored within the European Union's borders. It never leaves the EU zone—ever.

• Exclusive EU Data Residency: Your knowledge base and all associated data are hosted solely on highly secure infrastructure located within the European Union. This isn't just a preference; it's a fundamental architectural principle.
• Uncompromising GDPR Adherence: By keeping all data within the EU, we naturally ensure strict and continuous adherence to the most stringent data protection standards, including GDPR and all relevant local data residency requirements. This simplifies your compliance burden significantly.
• Operational Control: We provide the necessary assurances and robust controls for you to maintain operational sovereignty over your AI workloads. This includes transparent limitations on personnel access based on predefined attributes and strict internal policies.