Skip to content

Security & trust

A plain-language overview for evaluating Mandrel—not a warranty and not every control we run. Pair it with the Privacy policy and anything your lawyer makes you read.

How the platform is put together

Mandrel is a multi-tenant SaaS: a web app plus APIs. Passwords are salted and hashed; refresh material is stored hashed while access tokens stay short-lived. Your operational data lives in PostgreSQL, queried with parameters—never by pasting untrusted text into raw SQL strings.

When AI is in the loop

Mandrel integrates AI to help people work faster inside structured data—summaries, drafting, navigation—without asking you to copy sensitive rows into a random chat window. When conversational features are enabled for your org, Google Gemini may process prompts and replies; storage follows your organization’s policy for diagnostics and auditing. Treat that processing like any other subprocessor—details live in the privacy notice’s subprocessor section.

Coordinated vulnerability disclosure

We welcome good-faith research. Email security@mandrel.cloud with enough detail to reproduce the issue, whether any tenant was involved (say “none” if not), and a reasonable disclosure timeline so defenders can fix before headlines.

Mandrel does not claim SOC 2, ISO, or other certifications here unless we publish evidence elsewhere. Procurement teams should diligence against this page plus executed agreements—marketing warmth is not an audit report.