Your data is safe with us

‍We are in the business of providing solutions to anonymize data. Data privacy is at the core of what we stand for and as such the security of your data is our top priority. You will find an overview of our measures for the Community Version of MOSTLY AI’s synthetic data platform here. For additional information please refer to our Terms of Services and Data Processing Agreement and the Privacy Policy. As a company with headquarters in Vienna, Austria we are fully GDPR compliant. If you have any questions, please do not hesitate to contact us.


The Community Version of the MOSTLY AI synthezic data platform is hosted on servers provided by Google and Amazon Web Services in its European data centers. Both are leading cloud infrastructure providers with best-in-class security standards. They are responsible for keeping the infrastructure up to date at all times and fix any found security vulnerabilities immediately. Globally, a vast number of corporations trust Google and Amazon Web Services with their data.

Google is compliant with the following standards:

  • CSA
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 1
  • SOC 2
  • SOC 3

An overview of additional standards Google is compliant with can be found here.

Amazon Web Services is compliant with the following standards:

  • CSA
  • ISO 9001
  • ISO 27001
  • ISO 27017
  • ISO 27018
  • SOC 1
  • SOC 2
  • SOC 3

An overview of additional standards Amazon Web Services is compliant with can be found here.

The datasets you upload for synthesis are only stored on servers of Google and/or Amazon Web Services and as such are processed in datacenters within the European Union. Google and Amazon Web Services operate securely guarded data centers where professional staff takes care of the physical security of servers.

 Other Subcontractors

In addition to Google and Amazon Web Services we use other subcontractors to provide our services. When selecting these subcontractors, we make sure that these adhere to the highest security-standards as well. Subcontracts currently used include

  • Auth0®, Inc.
  • Cloudflare
  • Mailgun Technologies, Inc.
  • Recurly, Inc.
  • Stripe Payments Europe, Ltd.
  • Zendesk, Inc.

Some of these subcontractors are based outside of the European Union. For all transfer of data to a state outside the European Union we ensure full compliance with the GDPR. We require all subcontractors to have entered contractual agreements that guarantee compliance with the GDPR.


User Authentication

We are using Auth0 to handle user authentication. Auth0 is compliant with the following standards:

  • CSA
  • ISO 27001
  • ISO 27018
  • SOC 2

An overview of additional standards Auth0 is compliant with can be found here.

Auth0 never stores passwords in cleartext. Passwords are always hashed and salted using bcrypt. Additionally, data encryption is offered at rest and in transit by using TLS with at least 128-bit AES encryption. When a user tries to log in, the password is encrypted in the same way and Auth0 compares the encrypted versions to check if they match. This is also the reason why we cannot recover a password for. In case you lose it, you have to reset your password. For additional security, we enforce a 8-character minimum password length, at least one uppercase character, at least one digit, and at least one special character, when a user signs up.

If you are using GSuite, you can Sign in with Google via a secure connection. This way your password is not stored on Auth0. Instead you authenticate MOSTLY AI as a trusted service and a token gets generated which Auth0 uses to identify you. You can revoke that token at any time via your Google account settings.


Cookies and Tokens

We use cookies and tokens to authenticate users across sessions. Tokens never contain your actual password or other sensitive information. All that gets saved is a randomly created token that allows you to access the application.


Data Encryption

All communication between you and our servers is SSL/TLS -encrypted. We use Cloudflare to protect our servers from DDOS attacks, SQL injections and other fraudulent activity. To provide a high degree of privacy, SSL/TLS encrypts data that is transmitted across the web. This means that anyone who tries to intercept this data will only see a garbled mix of characters that is nearly impossible to decrypt. It is the industry-standard and used by millions of websites on the Internet.

All data in our database is encrypted with the industry-standard AES-256 algorithm (encryption-at-rest). This means that your data is encrypted before and after accessing the database and never lies there in plain text.

The datasets you upload for synthesis are stored and encrypted in cloud object storage.

Development Frameworks

We’re building MOSTLY AI synthetic data platform on established software libraries to secure your data and to not expose you to vulnerabilities.

Our frontend framework Angular (mainly maintained by Google), combined with the use of unique user tokens, protects your users against common threats such as cross-site scripting (CSS / XSS) and cross-site request forgery (CSRF / XSRF). This makes it impossible for a user to access data from another user account.

Our backend application framework is Spring Boot (mainly maintained by Pivotal Software (part of VMWare).


Restricted Internal Access

We apply a strict role-based model to all requests and features of the MOSTLY AI synthetic data platform. That means our employees can only access the information and functionality their role allows them to. For example, an employee from the support team can access billing information but cannot access any uploaded datasets.

In our internal administration data, we only display aggregated statistics and company level data (such as invoicing information), not the content of uploaded datasets. We do not look into any uploaded data unless we have been granted permission to do so to fix a bug. That said, most bugs can be fixed by analyzing server logs and reproducing the problem with dummy data.

Data Processing Agreement (DPA)

Once you start using the Community Version of the MOSTLY AI synthetic data platform, you will sign a data processing agreement with us. It lays out how we may handle your data, explains the security measures deployed, states your rights and is needed to be fully compliant with the GDPR.

Internal security policies

We have implemented internal security policies that are closely aligned with the industry standard ISO 27001 and every employee undergoes regular security training. Our internal measures include:

  • Two factor authentications for key services (e.g. email system, central code repository)
  • Encrypted hard drives of our devices
  • Password requirements

Our development process follows industry best practices as well. Each deployment of new code has to be approved by two people (code review process). We have implemented automated tests on various levels.

Availability and disaster recovery

Data stored in buckets and databases are distributed and replicated across various servers. In the event that one bucket or database fails, it is recovered from a different server, usually without the end user actually noticing.

Databases are backed up on a daily basis and can be restored should the software or server ever fail in a significant way. Back-ups are stored in different European data centers for additional security.

It is not possible for us to restore individual customer information – if you delete something within your account, it is permanently deleted and we are not able to restore it again.


The performance of our application and databases is monitored 24/7 via in-built monitoring tools provided by Google and Amazon Web Services. Internal errors or failures of our various integrations are logged and trigger notifications. This usually allows us to identify a problem very quickly and remedy the situation.

Full disclosure policy

As required per GDPR we will provide full disclosure if anything serious ever happens and your data is affected (i.e. a data breach). Transparency is important to us and we will provide you with all the necessary information to correctly assess the situation and the potential impact. So far, no customer data has ever been compromised and we aim to keep it this way.