Mixedbread

Security & Compliance

Security is foundational to how we build Mixedbread. We hold independent certifications, encrypt your data in transit and at rest, and never use your content to train models. Enterprise customers can also keep all content in object storage they own and control.

Certifications & compliance

| Standard | Status |
| --- | --- |
| SOC 2 Type 2 | Certified for the Security trust services criterion. Report available on request. |
| ISO 27001 | Certified. Certificate available on request. |
| GDPR | Compliant. A Data Processing Addendum with EU, UK, and Swiss Standard Contractual Clauses is available. |

Encryption

Your data is encrypted at every stage.

  • In transit. All connections use TLS 1.2 or higher.
  • At rest. Stored data is encrypted with AES-256.

With Bring Your Own Bucket you can go further and supply your own SSE-KMS key, so you hold the encryption material and can revoke it at any time.

Data residency

All processing and Mixedbread-managed storage currently happen in the United States. EU data residency is coming soon. Contact us if this is a requirement for your organization.

With Bring Your Own Bucket, content at rest lives in the bucket you provide and control.

How we handle your data

  • No training on your data. Your content and usage are never used to train models, for any user on any plan.
  • Access controls. Access to customer data is restricted, authenticated, and monitored.
  • You stay in control. Delete a store or your account and the associated content is removed. With Bring Your Own Bucket, content lives in storage you own. Mixedbread reads and writes it with ephemeral compute and retains nothing beyond memory.

Vulnerability disclosure

We welcome reports from security researchers and treat them as a priority.

  • Report it. Email security@mixedbread.com with steps to reproduce, affected endpoints, and any proof of concept. Please report privately and give us a reasonable window to remediate before public disclosure.
  • What to expect. We acknowledge reports promptly, keep you updated on our progress, and let you know when the issue is resolved.
  • Safe harbor. We won't pursue legal action for good-faith research that respects user privacy, avoids data destruction or service degradation, and stays within the scope of your own account or test data.

Questions?

For security reviews, documentation requests, or anything else, reach out to us.

Last updated: June 25, 2026