Security & governance

Enterprise controls for procurement data and AI.

Human-in-the-loop review, regional hosting, access controls, and full audit trails, standard, not add-ons.

Encryption in transit & at rest · SSO & RBAC · Regional hosting (EU / UK) · Full audit trail
Security and governance

Six pillars of enterprise-grade security

Data protection

Single-tenant by default, never co-mingled. Encrypted in transit (TLS 1.2+) and at rest (AES-256).

Regional hosting

Data residency on your terms, including EU and UK. A standard deployment option.

Access controls

SSO via SAML 2.0 and OAuth 2.0. Role-based access for who can view, approve, or export. All access logged.

Audit trails

Every classification, merge, taxonomy change, override, and export logged with timestamp and user. Exportable.

Human-in-the-loop governance

AI proposes; it never auto-publishes. Every output passes a structured review. Human decisions take precedence.

AI model oversight

Customer-specific models tuned to your data. Your data is never used to train shared models; this is a hard architectural constraint.

Responsible AI

Explainable AI, every decision with a reason code

No black box. Every merge or classification shows why, not just what. This rests on three principles:

  • Explainability: every classification carries a 0–100% confidence score and a human-readable reason code.
  • Reviewability: low-confidence decisions and significant changes are surfaced in a review queue. Nothing goes live until approved.
  • Auditability: every human override, and every AI decision left unchanged, is logged permanently for compliance.
Example: Globex Trading Ltd · Invoice 77412005 · € 1.2M · Confidence 38%

Why: No confident taxonomy match, a new supplier entity. Held for a human decision before publication.

Status: Held for human review

Example: Bechtle Schweiz AG · Invoice 23000342 · € 62.5M · Confidence 95%
Mithra agent suggestion: IT Hardware / Compute

Why: High-confidence classification, logged with a reason code for your permanent audit trail.

Status: Approved · reason code logged
Access management

Granular controls, minimal IT lift

Start from a secure data export; no integration project is needed. When you're ready, it plugs into your SSO and identity provider with role-based access for every user.

  • Data steward: review and approve classifications, normalizations, and taxonomy changes. Cannot export raw data.
  • Category manager: view classified spend and Opportunity Agents opportunities for assigned categories. Cannot modify rules.
  • Procurement admin: configure taxonomy, set classification rules, manage data sources and user roles.
  • IT admin: configure SSO, manage API connections, control export settings, access audit logs.
  • Read-only analyst: view dashboards and opportunity outputs. Cannot access underlying transactions.

Single Sign-On & identity management

Mithra supports SSO via SAML 2.0 and OAuth 2.0 for integration with your corporate identity provider: Microsoft (Entra ID / Azure AD), Okta, Google Workspace, or Ping Identity. Multi-factor authentication is supported and can be enforced at the organizational level.

SAML 2.0 · OAuth 2.0 · Microsoft Entra ID · Okta · Google Workspace · Ping Identity · MFA
Data handling

How Mithra handles your data, from ingestion to deletion

You don't need a full system integration to begin; a one-off, secure data export is enough to get started. Connect live sources whenever you're ready; the lifecycle below applies either way.

1. Ingestion

Start from a one-off file export, or connect live via encrypted API, database, or SFTP, into an isolated, single-tenant environment.

2. Processing

Atlas and Opportunity Agents process within your isolated environment. No data crosses customer boundaries.

3. Review & export

Approved outputs are exportable in your chosen formats. Every export is logged.

4. Retention

Retained for the term of your agreement. Retention windows are defined per contract to match your policies.

5. Deletion

Deleted on termination per your agreement, with written confirmation. Timelines are set to match your requirements.

Compliance

Built for enterprise compliance requirements

GDPR-compliant processing

Designed for GDPR compliance for EU/UK customers, with a Data Processing Agreement provided for all customers.

ISO/IEC 27001 certified

Certified by BSI to ISO/IEC 27001, the international gold standard for information security management in Europe. Its controls map closely to SOC 2, so it answers most SOC 2-based security questionnaires.

EU AI Act ready

Human-in-the-loop review, explainability with reason codes, and full audit logging align with the EU AI Act's transparency and oversight expectations for AI systems.

Regional data hosting

EU and UK hosting options available as standard for data residency requirements.

Customer-specific AI models

No cross-customer data sharing. Your models are built and tuned only on your data.

Data Processing Agreement

A full DPA is provided for all customers and available for legal review on request.

Google Cloud Partner · BSI ISO/IEC 27001 Information Security Management Certified

Mithra is certified to ISO/IEC 27001 for information security management by BSI; view our certificate in the BSI client directory.

FAQ

Security questions, answered.

No. Each Mithra customer runs in a single-tenant, fully isolated environment. Your procurement data is never co-mingled with or processed on shared infrastructure alongside other customers' data.
Mithra supports regional data hosting. EU and UK hosting options are available as standard. If you have specific data residency requirements, discuss them with our team during onboarding.
Mithra's data handling is designed to ensure GDPR compliance, and we provide a Data Processing Agreement to all customers. Mithra is certified to ISO/IEC 27001 by BSI, the European gold standard for information security, whose controls overlap heavily with SOC 2 (so it answers most SOC 2-based questionnaires). Our certificate is listed in the BSI client directory.
Mithra is built around the principles the EU AI Act emphasizes for AI systems: human-in-the-loop review, explainability (every decision carries a confidence score and a reason code), and complete, exportable audit logs. AI proposes; a person approves before anything is published.
Yes. Every classification, normalization, enrichment, and taxonomy decision is logged with a timestamp, confidence score, reason code, and the human reviewer who approved or overrode it. Full audit logs are exportable.
Your data is retained and deleted according to the terms of your agreement, with written confirmation of deletion. Retention and deletion timelines are set to match your policies, and immediate deletion can be arranged on request.
No. Mithra builds customer-specific models for each customer's taxonomy and data patterns. Your data is never used to train models that benefit other customers; this is a hard architectural constraint, not a policy preference.

Share this page with your security team.

We'll provide a full security overview, our Data Processing Agreement, and answers to your IT and compliance questions.