Security Overview

MemwaMind is designed for accounting firms handling sensitive financial and tax-adjacent records. Security decisions assume the service will process documents, normalized ledgers, alert narratives, and client relationship context that must remain firm-scoped and confidential.

The current environment is built on managed cloud infrastructure, firm-scoped authorization, and explicit audit trails. The security program is production-focused. Some trust artifacts — a completed SOC 2 Type II report, a published penetration-test attestation, and customer-managed encryption keys — are on the roadmap and available on request in their current state.

• Source documents, normalized financial data, alerts, and draft history remain inside MemwaMind-managed infrastructure or approved subprocessors.
• Firestore is used as a derived dashboard cache and is not the source of truth for structured firm records.
• Customer data is deleted on the retention schedule described in the Privacy Policy and the governing commercial agreement, unless legal retention is required.
• Customer-managed encryption keys, OpenAI zero-data-retention enrollment, and additional enterprise-tier controls are available on request and will ship as a paid enterprise add-on at GA.

If you cancel, you receive a full export within 14 days — at no cost. Your documents come out in the same formats you uploaded them. Your normalized financial records and alerts come out as CSV. Your knowledge notes and client metadata come out as JSON.

After 30 days we permanently delete all firm-specific data except what applicable law (IRS retention guidelines, GLBA, or an executed legal hold) requires us to keep.

The exit policy is binding — we never hold your data hostage to pricing disputes. If you want the export bundle described in writing before you sign, email founder@memwamind.com and we will send the offboarding schedule along with the MSA.

MemwaMind's operating assumptions align with the FTC Safeguards Rule, GLBA-related vendor expectations for CPA firms, and IRS data-security expectations for firms handling federal tax information.

SOC 2 status. MemwaMind is not currently SOC 2 Type II certified. We are preparing for a SOC 2 Type II audit as part of GA readiness; we will publish the exact scope, auditor, and observation window on this page as soon as the engagement letter is signed. Any vendor asking “are you SOC 2?” should treat our answer today as “not yet — with a plan.”

DPA (Data Processing Agreement). A standard DPA is available upon request for every paying firm and every firm in active evaluation. The DPA is signed alongside the MSA and covers sub-processor change notification, audit rights, breach response SLAs, and the offboarding schedule. Email founder@memwamind.com to request the current DPA.

Security events are investigated as operational incidents. The current operating target is to notify affected firms promptly with the nature of the incident, the systems or data implicated, and the remediation steps underway. The detailed incident response plan is maintained internally and will be expanded into counsel-reviewed customer materials as part of the launch trust package.

If you believe you have identified a security issue, contact founder@memwamind.com with a concise description, reproduction steps, and any affected route or workflow. Please avoid accessing data that is not your own, and do not attempt destructive testing.

• Privacy Policy: /privacy
• Terms of Service: /terms
• Subprocessors: /subprocessors