This page is deliberately honest about what is in place today versus what is on the roadmap. Malveon does not claim certifications it has not earned.
In place today
- OAuth-based connections you authorize and can revoke.
- AES-256-GCM encryption of stored OAuth tokens at rest.
- HMAC signature verification on Slack, GitHub, Jira, and Linear webhooks.
- Per-tenant data isolation on every query.
- Local-only source scanning in the Malviont extension (code never leaves your editor).
On the roadmap
Formal certifications such as SOC 2 are a roadmap priority. We will claim them only after a third-party audit signs them off, not before. The same applies to HMAC verification for the connections that do not yet sign by default (Microsoft Teams, Confluence, Google Docs).
If a specific control matters for your evaluation, email support@malveon.com and we will tell you exactly where it stands.