Security at Mobius
Mobius runs workflows for mixed teams of humans, systems, and AI agents. Here is how we protect your data and your workers.
Last Updated: April 20, 2026
Infrastructure
- Frontend: served from Cloudflare's global edge network with automatic TLS.
- Backend: runs on Google Cloud Run with managed TLS, autoscaling, and isolated containerized workloads.
- Database: managed PostgreSQL on Neon with encryption in transit and at rest and point-in-time backups.
- Authentication: Clerk provides SSO, MFA, session management, and organization membership.
- Realtime: Redis is used for cross-instance event fan-out and work signalling only; it does not serve as a durable store for customer data.
Encryption
- All traffic to Mobius is encrypted in transit using TLS 1.2 or greater. HTTP connections are redirected to HTTPS.
- Customer Data is encrypted at rest by our cloud providers using industry-standard AES-256.
- API keys and service-account credentials are stored hashed; the plaintext value is only shown once at creation time.
Tenant isolation
Mobius is multi-tenant by design. Every project-scoped record carries both an org_id and a project_id, and service-layer queries always filter on both. Access checks happen in the service layer before any data is returned, so a leaked or misused identifier cannot by itself read across tenants. Composite indexes lead with (org_id, project_id, …), so the index layout reinforces the same tenant-scoped access pattern the query planner uses, rather than leaving the isolation invariant to convention alone.
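The pattern above, as an added illustration that is not Mobius's own code: a service-layer read that always carries the (org_id, project_id) predicate, a composite index leading with those columns, and a check that the planner actually serves tenant-scoped queries from that index. The schema, table name, helper names and sample rows are constructed assumptions.

```python
"""Service-layer tenant scoping (constructed example, not Mobius's code)."""
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Assumed schema: every project-scoped row carries org_id and project_id, and
# the composite index leads with those two columns.
SCHEMA = """
CREATE TABLE step (
    id         INTEGER PRIMARY KEY,
    org_id     TEXT NOT NULL,
    project_id TEXT NOT NULL,
    payload    TEXT NOT NULL
);
CREATE INDEX step_tenant_idx ON step (org_id, project_id, id);
"""


@dataclass(frozen=True)
class Tenant:
    """Resolved from the authenticated request before any query runs."""
    org_id: str
    project_id: str


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows for two organizations.
    conn.executemany(
        "INSERT INTO step (id, org_id, project_id, payload) VALUES (?, ?, ?, ?)",
        [
            (1, "org_a", "proj_1", "review invoice"),
            (2, "org_a", "proj_2", "draft reply"),
            (3, "org_b", "proj_9", "rotate keys"),
        ],
    )
    return conn


def get_step(conn: sqlite3.Connection, tenant: Tenant, step_id: int) -> Optional[tuple]:
    """Service-layer read: the tenant predicate is part of the query itself, so a
    caller holding only a step id cannot read a row from another org or project."""
    return conn.execute(
        "SELECT id, org_id, project_id, payload FROM step "
        "WHERE org_id = ? AND project_id = ? AND id = ?",
        (tenant.org_id, tenant.project_id, step_id),
    ).fetchone()


def list_steps(conn: sqlite3.Connection, tenant: Tenant) -> list:
    """List step ids visible to the tenant; the same predicate is mandatory here."""
    rows = conn.execute(
        "SELECT id FROM step WHERE org_id = ? AND project_id = ? ORDER BY id",
        (tenant.org_id, tenant.project_id),
    ).fetchall()
    return [r[0] for r in rows]


def uses_tenant_index(conn: sqlite3.Connection, tenant: Tenant) -> bool:
    """Confirm the planner serves the tenant-scoped listing from the composite
    index, i.e. the cheap access path is the one that includes the isolation
    predicate."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT id FROM step WHERE org_id = ? AND project_id = ?",
        (tenant.org_id, tenant.project_id),
    ).fetchall()
    return any("step_tenant_idx" in str(row) for row in plan)


if __name__ == "__main__":
    db = open_db()
    me = Tenant("org_a", "proj_1")
    print(get_step(db, me, 1))      # own row
    print(get_step(db, me, 3))      # another org's row: None
    print(uses_tenant_index(db, me))
```

The useful check is the second call: a valid step id from another tenant returns nothing, because the scoping is in the query rather than in a post-fetch comparison that a code path might forget.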
Access control
- Organization-scoped accounts. Users are members of one or more organizations, and every API request resolves to an organization before it is authorized.
- Role-based permissions. Administrators can define roles and assign them to members, controlling which projects and capabilities each member can access.
- API keys and service accounts. Machine-to-machine access uses org-scoped API keys, with rotation and revocation available from the settings area.
- Auditability. Significant actions are recorded to the audit log, including the actor (user, API key, or system) that performed the action.
Worker trust model
Workers are customer-controlled processes that claim and execute steps via the Mobius worker protocol. Workers authenticate with org-scoped credentials you issue from your Mobius account, and they run entirely within your own environment. Mobius does not execute customer code; we coordinate work, persist state, and deliver events.
You are responsible for securing worker hosts, keeping credentials confidential, and limiting the scope of what a worker is permitted to do in your environment. We recommend issuing a dedicated API key per worker deployment so credentials can be rotated independently.
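An added example, not Mobius's own implementation, of the credential handling described under Encryption (keys stored hashed, plaintext shown once) and here (one key per worker deployment, revocable independently). The key format `mk_<key_id>_<secret>`, the store layout and the function names are assumptions.

```python
"""Org-scoped API keys: hash-only storage, one-time plaintext, per-worker
revocation (constructed example, not Mobius's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _hash(secret: str) -> bytes:
    # Plain SHA-256 is appropriate because the secret is 256 bits of CSPRNG
    # output; slow password hashes exist to resist guessing of low-entropy input.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class KeyRecord:
    key_id: str
    org_id: str
    worker: str          # the worker deployment this key was issued for
    secret_hash: bytes   # only the hash is persisted; the plaintext is never stored
    revoked: bool = False


@dataclass
class KeyStore:
    records: dict = field(default_factory=dict)

    def issue(self, org_id: str, worker: str) -> str:
        """Create a key for one worker deployment. The plaintext is returned
        exactly once and cannot be recovered from the store afterwards."""
        key_id = secrets.token_hex(8)            # public lookup handle
        secret = secrets.token_urlsafe(32)       # 256-bit random secret
        self.records[key_id] = KeyRecord(key_id, org_id, worker, _hash(secret))
        return f"mk_{key_id}_{secret}"          # assumed key format

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the org_id the key is scoped to, or None if the key is
        malformed, unknown, revoked, or the secret does not match."""
        try:
            prefix, key_id, secret = presented.split("_", 2)
        except ValueError:
            return None
        rec = self.records.get(key_id)
        if prefix != "mk" or rec is None or rec.revoked:
            return None
        # Constant-time comparison of the hashes, not of the secrets.
        if not hmac.compare_digest(rec.secret_hash, _hash(secret)):
            return None
        return rec.org_id

    def revoke_worker(self, org_id: str, worker: str) -> int:
        """Revoke every active key for one worker deployment; other workers in
        the same org keep working. Returns the number of keys revoked."""
        count = 0
        for rec in self.records.values():
            if rec.org_id == org_id and rec.worker == worker and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = KeyStore()
    k1 = store.issue("org_a", "worker-1")
    k2 = store.issue("org_a", "worker-2")
    print(store.authenticate(k1), store.authenticate(k2))   # org_a org_a
    store.revoke_worker("org_a", "worker-1")
    print(store.authenticate(k1), store.authenticate(k2))   # None org_a
```

Because each worker deployment holds its own key, rotating or revoking one compromised host does not interrupt the others, and the store never holds anything that could be replayed if it were read.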
Operational security
- Production access is limited to a small number of operators, authenticated with SSO and MFA and scoped to the minimum required privileges.
- Application, database, and platform logs are centrally collected and retained for security monitoring and incident response.
- Dependencies are tracked and updated; code changes are reviewed before merging to the main branch, and our CI pipeline runs static analysis, tests, and build checks on every change.
Incident response
We monitor our Services for availability and security events. In the event of a security incident that affects Customer Data, we will notify affected customers without undue delay, in accordance with applicable law and any customer agreement, and will provide information about the incident, our response, and remediation steps.
Responsible disclosure
If you believe you have found a security vulnerability in Mobius, please email security@mobiusops.ai. We ask that you:
- Give us a reasonable amount of time to investigate and fix the issue before any public disclosure.
- Avoid accessing, modifying, or deleting data that does not belong to you, and avoid degrading service for other customers.
- Include enough detail (reproduction steps, affected endpoints, expected vs. observed behavior) for us to reproduce the issue.
We will acknowledge receipt, keep you informed of our progress, and credit you in our advisory when the issue is resolved, unless you prefer to remain anonymous.
Compliance and enterprise questions
We are actively investing in formal compliance programs as we grow. If you are evaluating Mobius for an enterprise deployment and need our current security documentation, a Data Processing Addendum, sub-processor list, or answers to a vendor questionnaire, please contact support@mobiusops.ai.