Last updated: April 2026

Security & Trust

Everything your technical team needs to know about Moston's security.

Hosting & infrastructure

Storage region

All data is hosted in the European Union (Frankfurt, Germany) on AWS infrastructure via Supabase. No data leaves the EU for storage.

Encryption in transit

All communications between your browser and our servers are encrypted with TLS (version 1.2 minimum).

Encryption at rest

Data is encrypted at rest with AES-256 at the database level.

Backups

Automated daily backups, encrypted and stored in the EU region. Backup retention period: 30 days.

Application-level encryption

Beyond the standard

Sensitive managerial data (notes, meeting summaries, feedback, team context) benefits from an additional layer of application-level encryption, independent of database encryption.

Per-user key

Each account has its own encryption key, derived per account using HMAC-SHA256. Direct database access does not allow reading another user's data.

AES-256-GCM algorithm

Authenticated encryption with random IV per operation. Key versioning enables seamless rotation without downtime.

Cryptographic deletion

Upon account deletion, a tombstone mechanism makes data permanently inaccessible, including from backups.

Data encrypted at application level

Notes and observations
Meeting summaries
Feedback and signals
Team context
Assistant messages
Action descriptions
Project and subject descriptions
Objectives and comments

Access control

Secure authentication with session management and automatic expiry
Row Level Security (RLS) at the database level: every query is filtered by the identity of the logged-in user
Strict data isolation between accounts: no data is shared between managers
Access logs and log sanitisation: no sensitive data appears in application logs

Sub-processors & certifications

Sub-processor | Role | Location | Certification
Supabase Inc. | DB hosting & auth | EU - Frankfurt AWS | SOC 2 Type II
Anthropic PBC | AI generation | USA | Zero data retention on requests
Stripe Inc. | Payments & billing | USA - EU | PCI-DSS Level 1
Resend Inc. | Transactional emails | USA | SOC 2 Type II

Transfers to sub-processors outside the EU are governed by the Standard Contractual Clauses (SCCs) of the European Commission.

Compliance

RGPD / GDPR | EU data | App-level encryption

Moston is compliant with the General Data Protection Regulation (GDPR). A Data Processing Agreement (DPA) is available for all customers.


Documents available on request

  • Security questionnaire (VSAQ)
  • Detailed technical architecture
  • Penetration testing report (available during 2026)
  • SOC 2 Type II (in preparation)

Report a vulnerability

Did you discover a security flaw? Contact us at privacy@moston.app before any public disclosure. We commit to responding within 48 hours.