
Security

Last updated: May 19, 2026

How we protect the plan sets, documents, and data you trust us with.

Our Commitment

Security is not a feature we added after the fact. Plan sets contain sensitive project data, owner information, and proprietary designs. We treat the documents your team uploads with the same care a reviewer treats the permit itself. This page explains how we protect your data at every layer of the platform.

Encryption

All data transmitted between your browser and Mason AI is encrypted using TLS 1.2 or higher. Documents stored on our servers are encrypted at rest using AES-256. Encryption keys are managed separately from the data they protect. We do not store encryption keys on the same systems as the encrypted data.

Data Storage

Plan sets and supporting documents are stored in isolated cloud storage with strict access controls. We use infrastructure providers that maintain SOC 2 Type II certification. Data is stored in the United States. We do not transfer your documents to servers outside the United States without your explicit consent.

Data Retention

Uploaded documents are retained for as long as your account is active and for 30 days following account closure, after which they are permanently deleted. You may request deletion of specific documents at any time through the platform. Deletion requests are processed within 72 hours. Backups containing deleted files are purged within 30 days of the deletion request.

Access Controls

Access to your documents is restricted to your account and to Mason AI employees who require access to provide support or operate the service. We enforce the principle of least privilege: internal access is role-based, audited, and granted only for the minimum time necessary. We do not share your documents with third parties for any purpose other than operating the service.

AI and Your Data

Documents you upload to Mason AI are used solely to generate review outputs for your account. We do not use your plan sets to train AI models. Mason AI's models are trained on licensed code content and synthetic data only. Your documents are processed and then discarded from active memory. They are never shared across accounts.

Authentication

Mason AI uses industry-standard authentication practices including secure session tokens, automatic session expiration, and rate limiting on login attempts. We recommend enabling multi-factor authentication, which is available on all plan tiers. Passwords are hashed using bcrypt and never stored in plain text.

Third-Party Services

We use a limited set of vetted third-party services to operate the platform, including cloud infrastructure, payment processing, and analytics. Each provider is evaluated for security posture before integration. We do not sell your data to any third party and we do not use your data for advertising purposes. A full list of subprocessors is available on request at hello@withmason.ai.

Vulnerability Disclosure

If you discover a potential security vulnerability in Mason AI, please report it to security@withmason.ai before disclosing it publicly. We ask for a reasonable disclosure window so we can investigate and address the issue. We do not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

Incident Response

In the event of a confirmed security incident that affects your data, we will notify affected users within 72 hours of discovery. Notifications will describe what happened, what data was involved, what we have done to contain the incident, and what steps you can take. We maintain an incident response plan that is reviewed and tested annually.

Compliance

Mason AI operates in accordance with applicable data protection laws, including the California Consumer Privacy Act (CCPA). We maintain internal security policies, conduct annual risk assessments, and review our security practices as the platform evolves. Enterprise customers may request a copy of our security documentation by contacting hello@withmason.ai.

Questions

Security questions, audit requests, and vulnerability reports can be directed to security@withmason.ai. General questions about how we handle your data can be directed to hello@withmason.ai or reviewed in our Privacy Policy.
