Trust & Security
Procurement-oriented summary for security and operations reviewers integrating the Context API. Pair this page with our Privacy Policy, Terms, hosted OpenAPI reference, and security.txt. It complements a negotiated agreement — see Track A contracting placeholders.
API maturity and roadmap
Maturity: Preview. The Context API is in preview for Track A integrators — versioned OpenAPI, documented limits, and predictable error payloads. When we promote to beta or GA we will label that transition here and in /docs/api. Until then, changes appear in versioning and changelog.
Review what is shipping now and what is next in /docs/api (versioning and changelog sections).
Encryption and infrastructure
Traffic uses TLS in transit; structured workspace data is encrypted at rest by our database and hosting providers. Raw uploads are processed for extraction; retention follows the flows in our Privacy Policy.
Application workloads run on Railway; persistent data and authentication run on Supabase (PostgreSQL). Both vendors publish security programs — use their trust centers when reviewers ask for vendor attestations.
Tenant isolation and API access
Workspaces are isolated at the data layer with row-level security. Context API keys are scoped capabilities tied to a workspace; administrative routes use separate member-session controls documented in OpenAPI.
Customer APIs return graph and ingest outcomes only for the workspace you authorize.
AI processing
Model providers process prompts necessary to deliver features under their agreements. Neither does not use your workspace content to train proprietary models. Sub-processors used for AI and hosting are listed on our sub-processors register.
Audit logging, backups, and assurance posture
APIs return correlatable request identifiers so operators can trace incidents without pasting secrets into tickets. Activity in product UIs reflects what the service exposes for operator review — ask support@neither.online for procurement questionnaires that need field-level retention wording.
Database backups follow cloud-provider defaults for recovery; RPO/RTO targets are best-effort pilot targets unless a signed enterprise schedule says otherwise.
Our infrastructure vendors maintain SOC 2-aligned programs and publish their own reports. Unless we announce an independent Neither SOC 2 report, request vendor attestations and our answers via sales or support.
Vulnerability disclosure
Report suspected vulnerabilities through the contact published in /.well-known/security.txt. Please allow a reasonable window to respond before public disclosure.
Sub-processors, residency, and portability
A procurement-oriented register of sub-processors, data flows, residency choices, export paths, and network-edge posture lives alongside our Privacy Policy — see Sub-processors, Data flows, Residency and portability, and Network controls.
Pilot availability and incidents
Track A pilots use best-effort operational targets unless a signed order form states otherwise. For operational questions or suspected outages, contact operations via email (a separate buyer status website is building toward launch).
When incidents affect multiple tenants, we notify impacted workspace contacts with what we know, what we are doing, and what we need from integrators.
Performance posture and payload limits
Rate-limit classes, headers, and representative error payloads are documented in OpenAPI. Treat documented limits as integration targets; they may evolve as we observe production traffic. Use /docs/api for numeric guarantees.
Secure API keys and data minimization
Store Context API keys in secret managers, rotate after personnel changes, prefer scoped keys, and never embed keys in client-side code or public repos. Redact bearer tokens in your logs.
Send the minimum payload necessary for ingest — structured excerpts beat dumping entire mail stores. Combine minimization with export and deletion flows in our Privacy Policy.
Accessibility and public proof
We publish an honest accessibility posture and WCAG-aligned remediation is ongoing for customer-facing surfaces. Contact support if procurement requires a VPAT-style questionnaire — we answer against actual product behavior.
Buyer-facing benchmarks or case studies ship when they are measured and repeatable. Until then, evaluate via guided pilots — contact sales to schedule a technical proof aligned with your data boundaries.
Infrastructure snapshot
Railway hosts application tiers in supported regions; Supabase hosts PostgreSQL and Auth with configurable regions where the product allows. Cite vendor regions tied to the workspace you provision — ask during onboarding for written region confirmation for a specific pilot workspace.