Secure by design

Strong sign-in for your account, server-side access controls on your projects, transparency about who processes data, and a clear line that your prompts and code are not used to train Motivd models.

Our team Report an issue

Enterprise security controls

Access and control

Today, Motivd sign-in uses Google, GitHub, or email (via Supabase Auth). Access to your projects and data is enforced server-side (including database row-level security) so accounts only reach their own resources. Apps you build can add enterprise login (SAML/OIDC, SCIM) in your codebase; organization-wide SSO for the Motivd product itself is arranged with our team when needed—contact security@motivd.com.

Guardrails for building & publishing

Flows such as PRD review help teams align on scope before implementation. Project access is account-based and enforced server-side. Broader team roles for who can edit versus publish are evolving—tell us your requirements if you are standardizing Motivd across a larger org.

Secrets are handled securely

Secrets are encrypted at rest and access-controlled by role. They are not exposed in plaintext in logs or interfaces. Access is limited to authorized environments and actions.

Data residency

We run on major cloud providers (for example Vercel and Supabase) with encryption in transit and at rest. Where data is physically processed depends on those providers and configuration; we are transparent about subprocessors in our Privacy Policy and can discuss residency and data protection agreements with enterprise customers.

Your data is not used to train models

We do not use customer prompts, code, or workspace data to train Motivd models. When we work with AI providers, contractual agreements restrict training and retention of customer data. Your work stays your work.

Isolation by design

Each workspace and project is logically separated. Customer data is not accessible across accounts. Environment boundaries are explicitly defined and evaluated before changes are published.

Continuous monitoring & abuse detection

Motivd continuously monitors platform activity for misuse, anomalous behavior, and compromise. Automated systems enforce rate limits and detect abuse across users and workspaces, with high-risk activity reviewed by our trust and safety team.

Security visibility for your project

The workspace Security area is an early surface for dependency and configuration visibility. Coverage is expanding—use it alongside your own CI, dependency scanning, and review gates before production deployments.

Protected infrastructure

Motivd Cloud is protected by web application firewall (WAF) controls, network isolation, encrypted data storage, and adaptive rate limiting at the IP, user, and workspace level.

Compliant and certified

SOC 2

Type I Compliant

2025

SOC 2

Type II Compliant

Aug 2025

ISO 27001

Certified

2022

Summaries on this page support procurement conversations. For current attestations, questionnaires, and our subprocessor list, email security@motivd.com.

Frequently asked questions

Where is customer data stored?: Motivd uses cloud infrastructure providers (for example Supabase for data and Vercel for hosting). Exact locations depend on provider regions and configuration; see our Privacy Policy for subprocessors and contact security@motivd.com for enterprise residency questions.
Is customer data used to train AI?: No. Customer prompts, code, and workspace data are not used to train Motivd models. Where third-party AI providers are used, contractual agreements restrict training and retention of customer data.
Is Motivd multi-tenant, and how is customer data isolated?: Motivd is a multi-tenant platform with logical isolation between workspaces and projects. Customer data is not accessible across accounts. Isolation controls are enforced at both the application and infrastructure layers.
How are publishing controls enforced?: Project and deployment actions are tied to your account and the integrations you connect (for example GitHub, Vercel). Server-side checks and database policies limit access to your data. Deeper team-based publish roles are on our roadmap—share requirements with security@motivd.com if you need them for procurement.
Does Motivd perform automated security scanning?: We are expanding automated checks and surface early security visibility in the workspace. Treat Motivd as one layer: run your own dependency and security scanning in CI before you ship to production.
Is Motivd SOC 2 or GDPR compliant?: We align our practices with common enterprise expectations (including GDPR-oriented privacy commitments in our Privacy Policy). SOC 2 and ISO summaries appear above for buyer conversations; request current reports and DPAs from security@motivd.com for vendor review—do not rely on this page alone for contractual wording.
Which subprocessors does Motivd use?: Motivd uses a vetted set of infrastructure and AI subprocessors. Enterprise customers receive a current subprocessor list and change-notification commitments through our trust documentation.
Does Motivd access or clone our source code?: Motivd does not clone private source code unless you explicitly authorize a repository connection. Access scopes are limited to required operations and can be revoked at any time.
Does Motivd require access to CI/CD or production?: No. Motivd does not require production credentials by default. Deployment and CI/CD permissions are customer-controlled and only granted when you choose to connect those systems.
How are secrets and API credentials managed?: Secrets are encrypted, role-restricted, and scoped by environment. They are never displayed in plaintext after save and are excluded from user-facing logs.
Does Motivd support least-privilege access?: Motivd applies server-side access control and per-account data boundaries (including RLS) to limit exposure. Finer team roles separating view, edit, and publish are evolving—email security@motivd.com if that is a procurement requirement for you.

Ready to build?

Tell us what you're building, we'll help you get started.

Enterprise security controls

Access and control

Guardrails for building & publishing

Secrets are handled securely

Secrets are encrypted at rest and access-controlled by role. They are not exposed in plaintext in logs or interfaces. Access is limited to authorized environments and actions.

Data residency

Your data is not used to train models

Isolation by design

Each workspace and project is logically separated. Customer data is not accessible across accounts. Environment boundaries are explicitly defined and evaluated before changes are published.

Continuous monitoring & abuse detection

Security visibility for your project

Protected infrastructure

Motivd Cloud is protected by web application firewall (WAF) controls, network isolation, encrypted data storage, and adaptive rate limiting at the IP, user, and workspace level.

Frequently asked questions

Where is customer data stored?

Motivd uses cloud infrastructure providers (for example Supabase for data and Vercel for hosting). Exact locations depend on provider regions and configuration; see our Privacy Policy for subprocessors and contact security@motivd.com for enterprise residency questions.

Is customer data used to train AI?

No. Customer prompts, code, and workspace data are not used to train Motivd models. Where third-party AI providers are used, contractual agreements restrict training and retention of customer data.

Is Motivd multi-tenant, and how is customer data isolated?

Motivd is a multi-tenant platform with logical isolation between workspaces and projects. Customer data is not accessible across accounts. Isolation controls are enforced at both the application and infrastructure layers.

How are publishing controls enforced?

Project and deployment actions are tied to your account and the integrations you connect (for example GitHub, Vercel). Server-side checks and database policies limit access to your data. Deeper team-based publish roles are on our roadmap—share requirements with security@motivd.com if you need them for procurement.

Does Motivd perform automated security scanning?

We are expanding automated checks and surface early security visibility in the workspace. Treat Motivd as one layer: run your own dependency and security scanning in CI before you ship to production.

Is Motivd SOC 2 or GDPR compliant?

We align our practices with common enterprise expectations (including GDPR-oriented privacy commitments in our Privacy Policy). SOC 2 and ISO summaries appear above for buyer conversations; request current reports and DPAs from security@motivd.com for vendor review—do not rely on this page alone for contractual wording.

Which subprocessors does Motivd use?

Motivd uses a vetted set of infrastructure and AI subprocessors. Enterprise customers receive a current subprocessor list and change-notification commitments through our trust documentation.

Does Motivd access or clone our source code?

Motivd does not clone private source code unless you explicitly authorize a repository connection. Access scopes are limited to required operations and can be revoked at any time.

Does Motivd require access to CI/CD or production?

No. Motivd does not require production credentials by default. Deployment and CI/CD permissions are customer-controlled and only granted when you choose to connect those systems.

How are secrets and API credentials managed?

Secrets are encrypted, role-restricted, and scoped by environment. They are never displayed in plaintext after save and are excluded from user-facing logs.

Does Motivd support least-privilege access?

Motivd applies server-side access control and per-account data boundaries (including RLS) to limit exposure. Finer team roles separating view, edit, and publish are evolving—email security@motivd.com if that is a procurement requirement for you.