Enterprise / Compliance · For regulated and sensitive workloads
Trust by architecture.
Security is the foundation, not a feature bolted on. Per-workspace, per-zone, per-user permissions with AES-256-GCM encryption at rest. Patent-pending spatial council architecture. Audit trails on every mutation. On-premises deployment for the tightest data protection requirements.
// on-premises
Deploy In My Mind in your perimeter.
For organizations where data simply cannot leave your environment, defense, intelligence, life sciences, financial services, government, healthcare, we deploy the full In My Mind platform into your VPC or on-prem infrastructure.
- ✓Same architecture, same code. Not a lesser variant. Same UX your teams already know.
- ✓Your perimeter, your keys. Bring your own KMS. Bring your own AI provider keys. Bring your own self-hosted LLMs.
- ✓Air-gap capable. Runs fully offline with self-hosted OpenAI-compatible models. Updates delivered as signed bundles.
- ✓Single-tenant. No multi-tenant database. No noisy-neighbor concerns. Your data and your data alone.
- ✓Docker Compose blueprint. The same infra we run in production, packaged for your runbook.
DEPLOYMENT OPTIONS
SaaS · Multi-tenant
Hosted by In My Mind LLC. Daily encrypted backups, zero-downtime deploys, 24/7 monitoring.
Dedicated cloud
Single-tenant deployment in our cloud. Your dedicated database, cache, and API instances. Optional dedicated IP and KMS.
On-premises
Deployed into your VPC, your data center, or your air-gapped network. Docker Compose blueprint, signed update bundles, your operations team owns the runbook.
// verticals we serve
For the industries that can't afford to be wrong.
In My Mind is industry-agnostic by design, every vertical has knowledge work that benefits from structured deliberation. But certain industries have specific compliance and security requirements that on-prem deployment, fine-grained access control, and audit trails are tailored for.
FINANCIAL SERVICES
Investment research · compliance · trading desk briefings
FINRA / SOX-ready audit trails. Per-zone information barriers. On-prem to keep MNPI on your wire.
LIFE SCIENCES
Clinical research · regulatory · pharmacovigilance
PHI / IP protection. Connect to validated internal bioinformatics MCP servers. Self-hosted models for sensitive corpora.
DEFENSE · GOVERNMENT
Intelligence analysis · policy · acquisitions
Air-gap capable. US-sovereign-models option. CUI-aware permissions. Audit trail per mutation.
HEALTHCARE
Provider operations · revenue cycle · clinical decision support
HIPAA-compatible deployment patterns. Per-zone PHI controls. BAA available.
LEGAL
M&A · litigation support · contracts
Matter-isolated zones. Privilege protection by access design. Citations on every claim.
EVERY OTHER VERTICAL
Yours, too
Marketing, sales, ops, product, engineering, HR. Most use the SaaS. Some pick dedicated cloud. The mechanism is the same.
// access control
Five layers of access. Independently enforced.
Access control isn't a feature bolted on. It's the architecture. Five independent gates, a misconfiguration in one does not become an opening in the next. Full security architecture →
USER
Identity
SSO · MFA · roles · short-lived tokens with server-side revocation
WORKSPACE
Isolation
Personal vs company hard-isolated at every query path
LEVEL
Classification
Per-member READ/WRITE/ADMIN per floor
ZONE
Topic ACL
Per-user perms per zone · memory propagation respects them
CONVERSATION
Thread guard
Cross-conv reference validation · sandboxed Python
// compliance & controls
Controls that map to how you already work.
Single Sign-On
SAML 2.0 + OIDC. Okta, Azure AD, Google Workspace, Auth0, Ping. Just-in-time provisioning, group-based role mapping.
MFA enforcement
TOTP + backup codes built-in. Workspace admins can require MFA org-wide. Backup codes per-token-attempt limited.
Audit logs
Every mutation logged: who, what, when, from where. Searchable, exportable, retention-configurable. Webhook to your SIEM.
Encryption
AES-256-GCM at rest with workspace-scoped envelope encryption. TLS 1.2+ in transit. Signing keys and OAuth tokens encrypted per-record.
Prompt-injection defense
Multi-layered prompt-injection defense. Untrusted content normalized and blocked before reaching agents or memory.
Code execution sandbox
Code runs in an ephemeral, network-isolated sandbox with strict resource and time limits. Imports and system calls filtered before execution; output sanitized before return.
Refresh-token family detection
Reuse triggers server-side family revocation. Prevents session-replay attacks.
Rate limiting
Per-user + per-IP, tighter on auth + mutations. Webhook-grade limits on Stripe + integration callbacks.
Backup & DR
Daily encrypted backups. Disaster-recovery runbook. Off-site copies. Point-in-time restore on request.
Talk to us
Let's talk about your perimeter.
Whether you're looking at SaaS, dedicated cloud, or on-premises deployment, we'll match the architecture to your data classification, compliance posture, and scale.
Or email us directly: [email protected]
Where Humans and AI collaborate.