Skip to content
Myellin

Security

Private notes deserve serious controls.

Myellin protects notebook content, account data, prompt libraries, and bring-your-own API keys with layered application, infrastructure, and database controls.

Last updated: June 27, 2026

All production traffic is served over HTTPS.
Supabase Auth and application session checks protect account access.
Row-level security and application checks scope data to owners and active organization members.
Organization policy controls cover public sharing, uploads, Clipper, MCP, and AI provider behavior.
Audit logs support filtering, cursor pagination, CSV export, retention settings, and scheduled purge.
User-provided AI provider keys are encrypted at rest with AES-256-GCM.
MCP and extension tokens are stored as hashes, with raw tokens shown once at creation.
New notebook and board assets use a first-party revocable asset proxy.

Enterprise review scope

Security review material covers product architecture, authentication and authorization, encryption, audit logging, subprocessors, data flow, incident response, vulnerability disclosure, account export, deletion handling, and current launch limitations.

AI provider handling

Myellin can send user-selected content to configured AI providers such as OpenAI, Anthropic, Google, Moonshot, xAI, or DeepSeek only when a user starts an AI workflow or an allowed background workflow requires it. Provider availability depends on organization policy, workspace settings, BYOK requirements, allowed providers and models, and configured API keys.

Current limits

Myellin does not currently claim SOC 2, ISO 27001, HIPAA, SSO, SCIM, organization-enforced MFA, session/device governance, or fully private legacy storage. Signed Windows desktop deployment is supported through the managed package release lane.