Security

1. Security Principles

Cajal's security program is built around the following principles:

• least-privilege access to systems and data;
• logical separation of customer materials where appropriate;
• controlled collaborator access to minimize unnecessary exposure of customer context;
• encryption in transit and at rest using provider-supported controls;
• secure handling of customer-submitted materials, including prompts, files, evaluation materials, and model outputs;
• integrity protection for formally verified mathematical datasets and proof artifacts;
• incident response readiness for confidentiality, integrity, and availability events.

Cajal reviews and updates its security practices as its infrastructure, customer requirements, and business operations evolve.

2. Infrastructure and Data Storage

Cajal uses a cloud-based architecture for storing and processing customer-related data and internal operational data.

Cajal currently uses MongoDB Atlas for internal data storage. Cajal also uses Google Workspace for company document storage and business operations, and Slack for internal communications. These systems are managed using access controls and internal data handling policies.

Where applicable, customer datasets, metadata, and evaluation materials are logically separated to reduce the risk of unintended cross-customer exposure.

3. Customer Data and Confidentiality

Cajal is designed to protect customer-specific materials and evaluation workflows.

Customer materials are not intentionally exposed to other customers. Where Cajal uses employees, contractors, collaborators, or formalization partners, access is limited to the information needed to complete the assigned work.

When feasible, Cajal uses a blind task protocol: collaborators may receive the mathematical task or formalization objective needed to perform verification work without receiving unnecessary customer identity, model identity, proprietary prompt context, or customer-internal metadata.

Cajal does not use customer-submitted content, proprietary mathematical queries, prompts, uploaded files, or evaluation materials to create datasets, benchmarks, verification artifacts, or services for other customers except with the customer's permission or as expressly stated in a written agreement.

4. Formal Verification and Data Integrity

Because Cajal provides formally verified mathematical data, dataset integrity is a core security objective.

Cajal's workflows are designed to protect against unauthorized changes to mathematical statements, proofs, metadata, and related verification artifacts.

Where applicable, Cajal uses version-controlled artifacts, deterministic or reproducible verification environments, pinned dependencies, review workflows, and isolated execution environments to support the integrity and reproducibility of formal verification work.

Suspected unauthorized modification of mathematical datasets, proofs, verification artifacts, or source materials is treated as a high-priority security event.

5. Access Control and Personnel Security

Cajal applies access controls based on the principle of least privilege.

Access to production systems, customer materials, and internal repositories is limited to authorized personnel with a business need. Cajal uses role-based access controls where available and reviews access when personnel roles change.

Cajal requires multi-factor authentication for access to core business and production systems where supported. Credential sharing is prohibited.

Cajal personnel, contractors, and authorized collaborators are required to follow Cajal's security and data handling expectations, including confidentiality obligations, approved-tooling requirements, credential protection, and prompt reporting of suspected security incidents.

6. Encryption, Logging, and Monitoring

Cajal uses encryption to protect data in transit and at rest.

Data transmitted to and from Cajal systems is protected using TLS where supported. Data stored in managed cloud infrastructure, including MongoDB Atlas and Google Workspace, is protected using provider-supported encryption at rest.

Cajal maintains logs and monitoring processes to support service reliability, security investigation, and incident response. Depending on the system, logs may include authentication activity, administrative actions, database access events, application errors, and operational telemetry.

Cajal does not publish detailed logging configurations or internal monitoring rules publicly for security reasons.

7. Incident Response

Cajal maintains an incident response process for identifying, triaging, containing, investigating, and remediating security incidents.

Cajal classifies incidents based on severity, including events involving potential unauthorized access, data integrity risk, service availability impact, or suspected compromise.

In the event of a confirmed security incident involving customer data, Cajal will notify affected customers without undue delay and in accordance with applicable law and contractual obligations.

Cajal's incident response process may include containment, credential rotation, forensic review, root cause analysis, remediation, customer notification where required, and post-incident review for significant incidents.

8. Subprocessors, Privacy, and Data Processing

Cajal uses selected third-party service providers to operate its business and provide its services. These may include infrastructure, database, document storage, communications, billing, security, analytics, and support providers.

A current list of Cajal's third-party subprocessors is available on our Subprocessor List.

Cajal's processing of personal information is described in our Privacy Policy. Where Cajal processes personal data on behalf of a customer as a processor, service provider, or similar role under applicable privacy law, such processing is governed by Cajal's Data Processing Addendum or another written data processing agreement between the parties.

9. Compliance and Additional Documentation

Cajal designs its security and privacy practices to support enterprise customer requirements and applicable data protection obligations.

Cajal relies on infrastructure and service providers that maintain their own security and compliance programs. Cajal remains responsible for the controls it implements within its own applications, accounts, workflows, access policies, and data handling practices.

Cajal does not currently maintain SOC 2 or ISO 27001 certification. Customers may request additional security documentation under an appropriate confidentiality agreement.

10. Vulnerability Reporting and Contact

If you believe you have discovered a security vulnerability affecting Cajal, please contact:

security@caj.al

Please include enough information for us to understand and reproduce the issue. Cajal asks that researchers avoid accessing, modifying, deleting, or exfiltrating data that does not belong to them and avoid actions that could degrade service availability.

For security, privacy, or support questions: