Security & Trust
Unabyss is a context layer for AI. It pulls together who you are — your work, your projects, your history across the tools you already use — and makes that context available to the AI tools you choose. That only works if you trust us with the raw material of your professional life. So we treat security as the product, not a feature bolted onto it.
This page explains, plainly, how we protect your data, what we can and can't do with it, and where we are on the formal compliance track.
Your data stays yours
Three principles govern everything we build.
Encrypted, in transit and at rest. All data moving between you, our systems, and your connected apps is encrypted over TLS. Data at rest lives in secure cloud storage with encryption applied. No one browses your data — only your account can read what belongs to you.
Read-only by design. When you connect an app, Unabyss only imports. It cannot post, reply, edit, delete, or take any other action inside your connected tools. The permission model is deliberately narrow: we ask for the least access needed to read your context, and nothing more. This isn't a policy we promise to honor — it's the scope of access we request in the first place.
Yours to delete, any time. You can disconnect any app whenever you want. When you do, we stop importing from it. And you can permanently wipe everything Unabyss has imported. Your context is yours to keep or to erase, on your terms.
We never train on your data
Your context is never used to train models. Full stop.
We use large language models to distill and organize your context, and we route your data to the AI tools you connect. But your data is input to those systems for your benefit — it is never harvested as training data.
How connections work
Every integration is initiated and authorized by you. Nothing connects on its own.
- Connections are established through OAuth where the provider supports it, or through API keys where it doesn't. We never see or store your passwords.
- We request read-only scopes. Unabyss imports context; it does not act on your behalf inside connected apps.
- Disconnecting stops future imports immediately. Previously imported context remains until you choose to delete it — so disconnecting never silently erases what you've built, and deleting is always in your hands.
- You decide which context is shared with which AI tool. Sharing is granular and always under your direction.
The context boundary
Unabyss serves your context to external AI tools through MCP (Model Context Protocol) — a standard, streamable HTTP endpoint that clients like Claude, GPT, Cursor, and others connect to at your instruction.
Two things worth being clear about:
- Nothing leaves without your say-so. Context is distributed only when you connect a tool and direct it to pull. You control the connection and the scope.
- Once context reaches a third-party tool, that tool's own terms govern it. We secure your data up to and through the moment it's delivered to a tool you've chosen. What that tool then does with it is governed by its policies — so we encourage reviewing the terms of any AI client you connect. This is the same trust boundary that applies to any data you paste into an AI tool today; Unabyss just makes the flow explicit and controllable.
Infrastructure
- Transport security: TLS on all connections.
- Encryption at rest: applied to stored context in our cloud storage layer.
- Backups: regular database backups to protect against data loss.
- Hosting: our application and landing surfaces run on Cloudflare's edge network; our API runs on hardened, access-controlled servers. File storage sits behind a proxy layer so raw storage is never directly exposed.
- Access control: internal access to production systems is restricted on a need-to-know basis.
Compliance
SOC 2 Type II — in progress (audit-ready). We have implemented the controls, policies, and monitoring required for SOC 2 Type II and are engaged in the formal audit process.
GDPR — aligned. We follow GDPR principles for handling personal data: lawful basis for processing, data minimization, purpose limitation, and honoring your rights over your own data — including access, portability, and erasure. Personal data is retained only as long as necessary for the purpose it was collected, unless a longer period is required by law.
If you're conducting a security review and need documentation beyond what's on this page, reach out — we'll share what we have and keep you posted as our SOC 2 report is finalized.
Data retention & deletion
We retain your context only as long as it's serving you. You can delete individual imported data or wipe everything Unabyss holds at any time. If you close your account, your context and generated artifacts are permanently deleted after a short retention window.
We don't guarantee to be your system of record — we encourage you to keep your own copies of anything critical. Unabyss is a layer over your data, not a replacement for the sources it draws from.
Reporting a vulnerability
If you believe you've found a security issue, we want to hear about it. Email [email protected] with the details and we'll respond quickly. We're grateful to researchers who help us keep Unabyss safe and will work with you in good faith.
Security is a moving target, and this page reflects where we are today. As our controls mature and our SOC 2 Type II audit completes, we'll update it here. Questions? Reach us at [email protected].