Trust & Security

Last updated: June 2, 2026

This page describes how Make Yourself AI handles customer data, what security measures we have in place, and where we are on the path to formal certifications. We aim to be straightforward about what is and isn’t in place today, so you can make an informed evaluation.

Where data lives

All production infrastructure runs on Google Cloud Platform in the United States. We use Google Cloud Storage for files and artifacts, Cloud SQL (PostgreSQL) for structured data, Firestore for session state, and BigQuery for analytics. AI model processing runs on Vertex AI (Gemini) within the same Google Cloud environment.

We do not currently host data outside the United States. Our customers and the data subjects whose information they process are U.S.-based.

How data is protected

  • Encryption in transit. All traffic between your browser, our platform, and our infrastructure uses TLS 1.2 or higher.
  • Encryption at rest. Data stored in Google Cloud is encrypted at rest by default. Customer-managed encryption keys (CMEK) for production workloads are on the roadmap as part of our SOC 2 preparation.
  • Access controls. Administrative access uses Workload Identity Federation for service accounts (no long-lived static keys), least-privilege IAM, and multi-factor authentication for human admins. Routine pipeline service accounts cannot delete production data.
  • Backups and recoverability. Object versioning is enabled on production GCS buckets. Cloud SQL uses point-in-time recovery and daily snapshots. Source code and infrastructure-as-code are backed up daily to a separate Google Cloud project.
  • Logging and monitoring. Application access and activity are logged. Anomaly detection and alert coverage are being built out as part of our SOC 2 program.

Service status and reliability

Real-time service status, uptime history, and incident notifications are available at status.makeyourself.ai.

How we use AI providers

Our platform uses Google Vertex AI (Gemini) for AI model processing. Under the Vertex AI service terms:

  • We do not train AI models on customer data, and Google does not use Vertex AI API customer data to train its foundation models.
  • Vertex AI does not retain customer prompts or responses beyond what is necessary to process the request and meet Google’s legal obligations.
  • AI processing for Make Yourself AI customers runs in the United States.

Sub-processors and data sharing

The third parties we use to deliver the platform are listed in our Sub-Processor List. We notify customers at least 30 days before adding or replacing a sub-processor that processes Customer Personal Data.

Data retention and deletion

Retention windows for account data, analytics data, and enterprise customer data are described in our Privacy Policy. Enterprise customers can request data export or deletion within the windows described in our Terms of Service and the Data Processing Agreement.

Compliance and certifications

Make Yourself AI is currently pre-certification. We are actively working toward SOC 2 Type I and aim to complete it within the next two to three quarters. We maintain an internal compliance program that maps our controls to NIST SP 800-171 Rev 2, and we use that as our day-to-day reference until SOC 2 is in hand.

If your evaluation requires a signed security questionnaire, a Data Processing Agreement (DPA), or evidence of specific controls, contact us at security@makeyourself.ai. We will be straightforward about which controls are in place today and which are in progress.

Reporting a vulnerability

We welcome reports from the security community and run a Vulnerability Disclosure Program (VDP). If you believe you have found a security vulnerability in a Make Yourself AI service, please report it to security@makeyourself.ai. Our security.txt file lists our preferred contact and disclosure preferences.

Scope

The following Make Yourself AI properties are in scope:

  • The Make Yourself AI web application at app.makeyourself.ai
  • The Make Yourself AI API that serves the application
  • This marketing site at makeyourself.ai and www.makeyourself.ai

The following are out of scope:

  • Third-party services we rely on but do not operate (for example, our cloud, status-page, community, and email providers). Please report those to the relevant provider.
  • Findings produced by automated tools or scanners without a working proof of concept.
  • Denial-of-service or volumetric attacks, and any testing that degrades service for others.
  • Social engineering of our team, customers, or vendors, including phishing.
  • Physical attacks against our facilities or staff.
  • Reports of missing best practices (for example, security headers or email-policy records) without a demonstrated security impact.

What we ask

  • Make a good-faith effort to avoid privacy violations, data destruction, and any interruption or degradation of our services.
  • Only interact with accounts you own or have explicit permission to test. Do not access, modify, or retain data that belongs to others.
  • Give us a reasonable amount of time to investigate and remediate an issue before disclosing it publicly or to any third party.
  • Comply with all applicable laws.

Safe harbor

When you conduct security research and vulnerability disclosure in accordance with this policy, we consider that research to be:

  • Authorized with respect to any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
  • Authorized with respect to any relevant anti-circumvention laws, and we will not bring a claim against you for circumventing technological measures used to protect the in-scope services;
  • Exempt from restrictions in our Terms of Service and Acceptable Use Policy that would interfere with good-faith security research, which we waive on a limited basis for that purpose; and
  • Lawful, helpful, and conducted in good faith.

You are expected to comply with all applicable laws. This safe harbor applies only to legal claims under our control and does not bind independent third parties. If at any time you are uncertain whether your research is consistent with this policy, ask us at security@makeyourself.ai before going further. This language is adapted from the disclose.io framework.

What you can expect from us

We do not currently offer monetary rewards for reports; this is a vulnerability disclosure program rather than a paid bug bounty. We still value responsible disclosure. When you report in good faith under this policy, we will acknowledge receipt within two business days, keep you informed as we investigate, and coordinate with you on timing before any public disclosure once an issue is resolved.

Contact

Security: security@makeyourself.ai
Privacy / data subject requests: privacy@makeyourself.ai
Legal / contracts / DPA requests: legal@makeyourself.ai