Can you trust this?
Moonborn is designed for teams that need clear answers before putting AI characters into real products: where data is stored, who can access it, how it can be exported, and which security scope is supported.
Where is your data stored?
Workspace data is managed according to the applicable region and retention policies based on product tier and contract scope.
Persona, chat, config, and audit records can be managed with region and retention settings. For enterprise customers, region selection, retention, and access boundaries can be defined by contract.
Limit. Not every region or compliance requirement is self-serve. If you need a specific residency or retention policy, verify it before rollout.
How easy is it to leave?
Persona definitions and related records can be exported in portable formats. Moonborn’s scoring models and internal weights remain part of the product.
If you leave Moonborn, you can export persona definitions, related history, and audit data to the extent allowed by your plan and policy. Export provides portability; it does not promise the same scoring behavior on another platform.
Limit. Exported data preserves definitions and records; it does not preserve the full behavior of Moonborn’s consistency engine on another platform.
Who can see what?
Important reads, writes, config changes, and team events can be recorded in audit logs with extended retention for enterprise use.
Persona access, chat sessions, config changes, API key changes, and team invitations can be tracked for security review, incident response, and compliance workflows.
Limit. Moonborn is not a SIEM. For advanced anomaly detection and internal security correlation, connect audit exports to your own security tools.
Which standards are supported?
Security and compliance scope is stated clearly: supported, in-progress, and contract-dependent items are not presented as the same thing.
- GDPR / KVKK
  - Processes are designed around access, correction, deletion, and portability requests.
- SOC 2 Type II
  - A completed report should only be claimed when the report is ready.
- HIPAA BAA
  - Use cases involving health data require a separate contract, security review, and supported operations scope.
- PCI DSS
  - Moonborn does not directly process card data; payment infrastructure runs through Stripe.
- On-prem / self-hosted
  - The first version is designed as a hosted product.
Limit. If a required standard is not listed, ask before procurement. If a requirement is not supported, the answer should be explicit.
Where does the infrastructure run?
Moonborn is designed around widely used infrastructure providers:
- Vercel — application hosting
- Neon Postgres + pgvector — database and vector support
- Upstash Redis — cache and rate limiting
- Cloudflare — WAF, DDoS, and bot protection
- Sentry — error tracking
- Trigger.dev — background jobs
- Stripe — billing
- Resend — transactional email