Security
Last updated: January 18, 2026
At Nine Suns Inc., security is at the core of everything we do. Citadel is built from the ground up to protect your AI applications, and we apply the same rigorous security standards to our own infrastructure and practices.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are hashed and never stored in plaintext.
No Data Retention
Content scanned through our API is processed in real-time and never retained after the request completes.
Vulnerability Management
Regular penetration testing, automated vulnerability scanning, and continuous monitoring of our infrastructure.
Compliance
SOC 2 Type II certified. GDPR and CCPA compliant. Regular third-party security audits.
Infrastructure Security
Cloud Infrastructure
Citadel runs on Google Cloud Platform with enterprise-grade security controls:
- Deployed in multiple regions with automatic failover
- VPC isolation with strict network segmentation
- Web Application Firewall (WAF) protection
- DDoS mitigation through Google Cloud Armor
- Regular infrastructure security assessments
Confidential Computing
For our Enterprise customers, we offer Confidential Compute powered by Trusted Execution Environments (TEEs). This ensures that your data is encrypted even during processing, and we have no access to unencrypted data at any point.
Application Security
Secure Development
- Security-focused code reviews for all changes
- Static Application Security Testing (SAST) in CI/CD pipeline
- Dynamic Application Security Testing (DAST) on staging environments
- Dependency vulnerability scanning with automated updates
- Regular security training for all engineering staff
Authentication & Authorization
- ES256 (ECDSA) JWT tokens for API authentication
- Role-based access control (RBAC) for team management
- API key rotation and revocation capabilities
- OAuth 2.0 integration for SSO (Enterprise)
- Multi-factor authentication support
Data Protection
Processing Guarantees
When you send content through our API for scanning:
- Content is processed in memory and never written to disk
- Processing completes in milliseconds with no data retention
- No content is used for model training without explicit consent
- Audit logs capture metadata only, not content (configurable)
Data Isolation
We implement strict data isolation between customers:
- Dedicated database schemas with Row-Level Security (RLS)
- Isolated API key namespaces
- Separate audit log streams
- No cross-customer data access
Abuse Prevention
We monitor for abuse, fraud, and service disruption attempts. We may throttle, block, or suspend access to protect customers and our infrastructure.
Responsible Disclosure Policy
We value the security research community and welcome responsible disclosure of vulnerabilities.
If you discover a security vulnerability in Citadel, please report it to us responsibly. We commit to acknowledging your report within 24 hours and working with you to understand and resolve the issue promptly.
Reporting a Vulnerability
Please send vulnerability reports to security@trymighty.ai. Include the following in your report:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
What We Ask
- Give us reasonable time to investigate and fix the issue before public disclosure
- Do not access, modify, or delete data belonging to other users
- Do not perform actions that could impact service availability
- Do not use automated scanning tools that generate excessive traffic
What We Promise
- Acknowledge your report within 24 hours
- Provide regular updates on our progress
- Credit you in our security acknowledgments (if desired)
- Not pursue legal action against good-faith security researchers
Security Updates
We maintain a security changelog and notify customers of significant security updates. Critical security patches are deployed within 24 hours of identification.
Open Source Edition
Citadel also ships as an open source (OSS) project. The OSS version is self-hosted and is not covered by our hosted service guarantees, compliance commitments, or support SLAs. You are responsible for securing, operating, and maintaining your OSS deployment. We do not provide insurance or guarantees for OSS installations.
Contact
For security-related inquiries or to report a vulnerability:
Security Team
Email: security@trymighty.ai
PGP Key: Available upon request
For general inquiries, please contact support@trymighty.ai