Mues AI, operated by ProducterHQ OÜ, is committed to maintaining the highest standards of security and data protection for our agentic AI platform. This Security Policy outlines our comprehensive approach to protecting customer data, securing our infrastructure, and ensuring compliance with applicable regulations while delivering innovative AI-powered services that enable users to delegate tasks through natural language interaction.
Company: ProducterHQ OÜ
Registration Number: 16539847
Jurisdiction: Republic of Estonia
Address: Tiiu tn 12/322, Kesklinna linnaosa, 10135 Tallinn, Harju maakond, Estonia
Website: https://mues.ai/
Security at Mues AI is directed and maintained by our founding team, ensuring accountability at the highest organizational level. All team members undergo comprehensive security training during onboarding and participate in quarterly security awareness updates.
We maintain compliance with:
• General Data Protection Regulation (GDPR)
• Estonian Personal Data Protection Act
• Estonian Cybersecurity Act
• SOC 2 Type II (planned certification)
• ISO 27001 (planned certification)
Cloud Infrastructure:
• Primary Cloud Provider: Amazon Web Services (AWS Lightsail)
• Data Center Locations: European Union regions exclusively
• Primary Regions: eu-west-3 (Paris), eu-central-1 (Frankfurt)
• Compliance: AWS maintains SOC 2/3 reports and ISO 27001 certification and offers a GDPR Data Processing Addendum
Our infrastructure benefits from AWS's enterprise-grade physical security measures:
• Access Control: Multi-layered biometric and card-based access systems
• Monitoring: 24/7 security personnel and surveillance
• Environmental Controls: Climate control, fire suppression, and power redundancy
• Compliance: AWS facilities maintain ISO 27001 and SOC 2 certifications
Network Security:
• Architecture: Zero-trust network model with micro-segmentation
• Encryption: All network traffic encrypted in transit; TLS 1.3 is negotiated wherever the peer supports it, with TLS 1.2 as the minimum accepted version
• Firewalls: Web Application Firewall (WAF) and Network Access Control Lists
• Monitoring: Real-time network traffic analysis and intrusion detection
We classify data into four categories:
• Public: Marketing materials, public documentation
• Internal: Business operations, non-sensitive communications
• Confidential: Customer data, conversation logs, usage analytics
• Restricted: Authentication credentials, encryption keys, financial data
Data at Rest:
• AES-256 encryption for all stored data
• Database-level encryption with automated key management
• Object storage encryption using server-side encryption
• Regular encryption key rotation (quarterly)
Data in Transit:
• TLS 1.3 negotiated wherever the peer supports it; TLS 1.2 is the minimum accepted version
• Certificate pinning for mobile applications
• Forward secrecy through ephemeral (EC)DHE key exchange, which TLS 1.3 mandates
• Connections that offer only TLS 1.1 or older (or SSL) are rejected
Databases:
• Managed database services with automated backups
• Point-in-time recovery capabilities
• Database activity monitoring and logging
Object Storage:
• Secure object storage with versioning enabled
• Cross-region replication for disaster recovery
• Lifecycle policies for automated data management
• Access logging and monitoring
We utilize multiple AI service providers with appropriate security controls:
OpenAI:
• Enterprise-grade API access with dedicated capacity
• Data processing agreements compliant with GDPR
• Zero data retention for API calls
• Content filtering and safety measures
Anthropic:
• Constitutional AI with built-in safety measures
• Enterprise privacy controls
• Real-time content moderation
• Secure API integration
Google Gemini:
• Google Cloud AI with enterprise security
• Data residency controls within EU
• Advanced threat protection
• Compliance with Google's AI principles
Input Validation:
• Comprehensive input sanitization and validation
• Protection against prompt injection attacks
• Content filtering for malicious inputs
• Rate limiting and abuse detection
Output Monitoring:
• Real-time output analysis for harmful content
• Automated content filtering and moderation
• Human oversight for sensitive operations
• Audit trails for all AI interactions
Model Security:
• Secure model deployment and versioning
• Protection against model extraction attacks
• Regular security assessments of AI components
• Isolation of AI processing environments
Multi-Factor Authentication:
• Mandatory for all user accounts
• Support for TOTP, SMS, and hardware tokens
• Biometric authentication for mobile applications
• Session management with automatic timeout
Single Sign-On (SSO):
• OAuth 2.0 integration with Google and GitHub
• SAML 2.0 support for enterprise customers
• Just-in-time (JIT) user provisioning
• Centralized access management
Principle of Least Privilege:
• Role-based access control (RBAC)
• Time-limited administrative access
• Regular access reviews and certification
• Automated deprovisioning for terminated employees
Privileged Access Management:
• Secure bastion hosts for infrastructure access
• Session recording and monitoring
• Break-glass procedures for emergency access
• Multi-person authorization for critical operations
Development Practices:
• Secure coding standards and guidelines
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Dependency scanning and vulnerability management
Environment Separation:
• Isolated development, staging, and production environments
• Data masking in non-production environments
• Separate encryption keys per environment
• Controlled promotion processes
Script Integration:
• JavaScript SDK designed to run under the host page's Content Security Policy (CSP)
• Subresource Integrity (SRI) so host pages can verify the SDK script they load
• Cross-Origin Resource Sharing (CORS) controls
• Regular security updates and patching
API Security:
• OAuth 2.0 with PKCE for API authentication
• Rate limiting and throttling
• Input validation and output encoding
• API gateway with security policies
Real-Time Monitoring:
• Security Information and Event Management (SIEM)
• Automated threat detection and alerting
• User behavior analytics (UBA)
• Infrastructure monitoring and alerting
Logging and Auditing:
• Comprehensive audit logs for all system activities
• Centralized log management and analysis
• Log integrity protection and retention
• Regular log review and analysis
Response Team:
• Dedicated incident response team
• 24/7 security operations center (SOC)
• Escalation procedures and communication plans
• Regular incident response training and drills
Response Procedures:
• Incident classification and prioritization
• Containment and eradication procedures
• Recovery and post-incident analysis
• Regulatory notification requirements
Infrastructure Redundancy:
• Multi-Availability Zone deployment
• Auto-scaling and load balancing
• Database clustering and replication
• Content delivery network (CDN) integration
Service Continuity:
• 99.9% uptime service level agreement
• Automated failover procedures
• Regular maintenance windows with advance notice
• Performance monitoring and optimization
Backup Strategy:
• Automated daily backups with retention policies
• Cross-region backup replication
• Point-in-time recovery capabilities
• Regular backup testing and validation
Disaster Recovery:
• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour
• Documented recovery procedures
• Annual disaster recovery testing
Due Diligence:
• Security assessments for all vendors
• Contractual security requirements
• Regular vendor security reviews
• Incident notification procedures
Key Vendors:
• Stripe: PCI DSS compliant payment processing
• AWS: SOC 2/3 and ISO 27001 certified infrastructure
• AI Providers: Enterprise-grade security and privacy controls
All third-party processors are bound by:
• GDPR-compliant data processing agreements
• Standard Contractual Clauses (SCCs) for transfers outside the EU/EEA
• Security and confidentiality obligations
• Incident notification requirements
Regulatory Compliance:
• GDPR compliance with documented procedures
• Estonian data protection law compliance
• Transfers to US-based processors covered by the EU-US Data Privacy Framework (where the processor is certified) or by Standard Contractual Clauses
• Regular compliance audits and assessments
Planned Certifications:
• SOC 2 Type II: Q4 2025
• ISO 27001: Q2 2026
• ISO 27017: Q4 2026 (Cloud Security)
• ISO 27018: Q4 2026 (Cloud Privacy)
Security Awareness:
• Mandatory security training for all employees
• Quarterly security updates and refreshers
• Phishing simulation and testing
• Incident response training
Role-Specific Training:
• Secure development training for engineers
• Privacy training for customer-facing staff
• Compliance training for management
• AI ethics and safety training
Security Best Practices:
• Security documentation and guidelines
• Best practices for AI agent usage
• Regular security webinars and updates
• Incident notification and response guidance
Security Team:
• Email: security@mues.ai
• Response Time: 24 hours for security inquiries
• Emergency: security-emergency@mues.ai
Vulnerability Disclosure:
• Responsible disclosure program
• Email: security@mues.ai
• Acknowledgment within 24 hours
• Regular updates on remediation progress
This Security Policy is reviewed annually and updated as necessary to reflect changes in our security posture, regulatory requirements, and industry best practices. Users will be notified of material changes through email and in-app notifications.
Next Review Date: July 2026
This Security Policy demonstrates Mues AI's commitment to protecting customer data and maintaining the highest security standards while delivering innovative agentic AI services. For questions about this policy or our security practices, please contact security@mues.ai.
Mues AI is an agentic AI that turns every user's cursor into an AI-powered companion, right inside your SaaS product. End users simply prompt their AI cursor in plain language, asking for tasks, navigation, or help, and the AI cursor answers their questions or takes action for them. Whether it's filling out forms, creating an item, exploring features, or completing multi-step workflows, the AI cursor handles the task just as a human user would. There's no need for users to learn the product or hunt for instructions; Mues AI listens, understands, and acts instantly. This gives every user a personalized, effortless experience from day one, allowing them to unlock the full value of your product with ease.
Traditional onboarding tools are often ignored by users: they're too generic, so users miss your product's real value or take weeks to reach the "aha" moment. When they need help, users don't want to search knowledge bases or wait for support; they want immediate answers and action. Mues AI's AI-powered cursor delivers personalized onboarding and 24/7 instant support, right inside your app. Users can simply ask for help or guidance in plain language, and Mues AI takes action for them. No manuals, no endless docs, no waiting. Your users get value faster, stay engaged, and never feel stuck, which helps your product stand out where it matters most.
Traditional onboarding tools use static walkthroughs or tooltips. Mues AI offers a fully AI-driven cursor that listens to users' natural prompts, answers questions, performs actions, and adapts instantly, delivering live, context-aware help, automation, and onboarding 24/7.
Mues AI can perform anything a human user can do in your product. It can fill out forms, click buttons, select options, create, delete, or update items, and handle any in-app process, just like a real user. Whether it's onboarding, navigating features, or completing complex workflows, Mues AI takes action on the user's behalf, making every task simpler and faster.
Mues AI learns by directly interacting with your SaaS application's live interface—navigating workflows, interpreting on-screen elements, and referencing your product documentation. Its agentic AI maps out actions as a power user would, allowing it to onboard and assist your end users without manual scripting or configuration.
Whenever you ship updates or new features, Mues AI automatically re-explores your interface and refreshes its internal understanding. This means all automations, onboarding flows, and guidance adapt seamlessly—your end users always get real-time, accurate support with no manual adjustment from your team.