Security
Last updated 2026-05-08
ContextWell is in private beta. This page describes the security posture we operate today and what's on the roadmap before general availability. We will not promise compliance we don't have.
Today
- Encryption in transit. All traffic between you, our app, and the MCP uses TLS 1.2 or later.
- Encryption at rest. Customer content and attachments are encrypted at rest by our managed storage providers.
- Hosted infrastructure. ContextWell runs on Fly.io with managed Postgres and object storage. We do not run our own datacenter.
- Access control. Internal access to production is limited to founding engineers, gated by SSO and MFA, and logged.
- No model keys stored. We don't sit in the middle of your AI vendor relationship. You bring your own keys to your harness — we never see them.
- Customer content isolation. Workspaces are logically separated and only reachable by their members.
- Backups. Daily database backups with point-in-time recovery during beta.
On the roadmap
Before we move out of private beta:
- SOC 2 Type I, then Type II.
- SSO / SAML for the Team and Enterprise tiers.
- Configurable retention and deletion windows.
- Audit log accessible to workspace admins.
- Region selection (US / EU) for Enterprise.
Reporting a vulnerability
If you've found something, please email [email protected]. We'll acknowledge within one business day. We commit to good-faith disclosure handling — no legal threats for honest reports.
Questionnaires & reviews
For security questionnaires, customer security reviews, or DPA requests, reach out to [email protected]. We'll be straightforward about what we have and don't have.