Shipping AI shouldn't mean shipping your data.
Mevichat is built on Meviona's security baseline: GDPR alignment, encryption in transit and at rest, and optional EU data residency.
Compliance
Controls
Encryption everywhere
AES-256 at rest, TLS 1.3 in transit. BYOK keys sealed with customer-scoped KMS envelopes.
SSO + SCIM
SAML 2.0 with Okta, Azure AD, Google Workspace. SCIM 2.0 for provisioning.
Audit log
Every admin action, every export, every model call. Streams to your SIEM via webhook.
EU data residency
Opt into the Frankfurt region. All storage, embeddings and inference stay inside the EEA.
No training on your data
We don't train models on your content. BYOK providers are contracted the same way.
Incident response
24/7 on-call. 1h acknowledgement, 4h customer notification on security events.
How we handle your data
Three simple rules govern how we handle customer data. No exceptions, no asterisks.
Security FAQ
Where is my data stored?
By default, US-East (Virginia). Scale customers can opt into EU-Central (Frankfurt). We do not copy data between regions.
Do you train models on my data?
No. Our contracts with Anthropic and OpenAI explicitly prohibit training on BYOK traffic. Our Mevichat Mini is frozen; we do not fine-tune on customer content.
How quickly are security patches deployed?
Critical CVEs are patched within 24 hours; high-severity within 7 days. We publish a rolling patch log in our trust center.
Can I get a penetration test report?
Yes. We run annual pentests with Cure53. The latest report is available under NDA — email trust@mevichat.com.
What's your subprocessor list?
AWS (hosting), Anthropic + OpenAI (optional BYOK), Stripe (billing), Resend (email). The full list with sub-regions is at /privacy.