molesignal

Security & trust

How we handle vulnerability disclosure, source transparency, and your data — stated plainly, pre-1.0 and all.

Responsible disclosure

Found something? Email security@molesignal.io or open a private GitHub Security Advisory. We acknowledge reports quickly and credit reporters who want it.

Open by default

The full source is Apache-2.0 and auditable — no closed core to take on faith. Self-hosted means your telemetry never leaves your own infrastructure; we never need access to it.

Your data

Self-host: data stays entirely in your environment. Cloud (in development): you choose between bring-your-own-cloud, which keeps storage and compute in your account, and a fully managed multi-tenant deployment.

Compliance — where we honestly stand

We are pre-1.0 and not yet certified. We won't claim a badge we don't hold.

  • SOC 2 Type II — on the roadmap
  • HIPAA — targeted post-1.0
  • Self-hosting keeps you in control of data residency today

Security review or questionnaire?

Sending us a vendor security questionnaire, or need an NDA before a deeper review? Reach out — we'll tell you what we can share today and what's coming.

Contact security@molesignal.io