Security · governance

Security for project knowledge, not just data storage.

ContextStream is designed to keep decisions, lessons, docs, code context, Capsules, and agent workflows scoped, controlled, and reviewable.

Data handling

We read the shape of the project, not the contents — by default. Source contents stay where they live.

Encryption

In transit and at rest. Per-workspace keys for Enterprise; KMS-backed.

Access control

Roles, scopes, and per-engagement boundaries. Audit log exportable to your SIEM.

Scopes & boundaries

Personal, project, team, client, agent-visible. Boundaries enforced in product, not just documented.

Redaction

Author-visible diff between source slice and recipient view. Redactions apply to Capsules and cross-scope promotions.

Local-only mode

Available on Enterprise. Indexing and graph storage stay inside your boundary; no calls to ContextStream cloud.

Self-host or VPC

Enterprise plans support self-hosted and VPC deployment. Solo and Team are cloud-only today.

Verified handoffs

Cryptographic signing available on Enterprise for handoffs that must be agent-verifiable.

Incident process

Public status page, internal runbooks, post-incident lesson capture (yes — into ContextStream).

01 Compliance roadmap

Stated honestly.

We won't claim what we haven't earned. Here's where we are today, and where the next milestones are.

SOC 2 Type II audit underway

Type II audit in progress. We can share scope and timeline with prospective Enterprise customers.

SOC 2-ready controls

Access reviews, change management, encryption, incident response, vendor management — implemented and operating.

DPA · procurement support

Standard DPA, subprocessor list, security questionnaire, procurement routing for Enterprise customers.

We do not claim "SOC 2 compliant" or "SOC 2 certified" until the Type II report is issued.

Talk to security.

Procurement support, security overview, DPA, and architecture questions.