Security & Data Handling

Trust Center

Security & data handling

A defense contractor’s security lead should be able to clear this vendor in a coffee break. The free Muster Score assessment runs entirely in your browser: no file uploads, no controlled data, and nothing you enter reaches Muster servers. The paid Readiness Sprint works only from a descriptions-only assessment you choose to send us — never CUI, never file uploads of system contents. Below is exactly what is true today, the one place your own data moves on purpose, and — clearly separated — what arrives later with hosted accounts.

Browser-local · zero data custodyNo uploads, any tierNever accepts CUI

Architecture · true today

What happens to your data in the free tier

The launch product is a static site with no backend that holds your answers. The assessment is computed on your device; the result never has to leave it.

Zero data custody

The free Muster Score assessment runs entirely in your browser. Your answers are held in your own device’s localStorage — they are never transmitted to, or stored on, Muster servers. Clear your browser data and the assessment is gone; there is no copy on our side to request, breach, or subpoena.

No file uploads, ever

There is no upload control anywhere in the product, by design and in every tier. You cannot attach a network diagram, a policy PDF, or a marked document, because the feature does not exist. This removes the single most common path by which sensitive material reaches a vendor.

Describe systems, never CUI

The assessment asks you to describe whether and how a control is implemented — not to paste the controlled data itself. Free-text fields carry an on-screen CUI screen reminding you to keep controlled unclassified information out. Environment descriptions are treated as sensitive, but they are not CUI, and the product is built to keep it that way.

Encrypted in transit (TLS)

The site is served over HTTPS with TLS managed by the host; certificates are provisioned and renewed automatically. Traffic between your browser and the static site is encrypted in transit today.

The no-uploads and no-CUI boundaries are product facts enforced in the design, not policy promises layered on top — there is no code path that would accept a file or route controlled data off your device in the free tier.

Free vs. paid · the one place your data moves

When does anything you entered leave your browser?

There is exactly one path by which your assessment can reach us, and you trigger it yourself. The free Muster Score assessment never leaves your browser. The paid Level 2 Readiness Sprint begins only after you choose to export your own assessment and email it to us — and even then, what you send is a descriptions-only file, never CUI and never an upload of your system’s contents.

Free

Muster Score assessment

Browser-only. Your answers stay in your device’s localStorage and are never transmitted to Muster. We never receive them, so there is nothing on our side to store, breach, or subpoena. Nothing about the free tier asks you to send us anything.

Paid Sprint

You export, you email

After purchase, you complete the full assessment, click “Export my assessment (JSON)” on the Documents page, and email that file to our support inbox. The export is a descriptions-only record of how you answered — the same compliance metadata you typed, screened on export to keep CUI out. We then draft and quality-review your SSP, POA&M, CUI scoping memo, and SPRS walkthrough from it.

This is consistent with “no file uploads, ever”: the platform still accepts nothing — there is no upload control in any tier. For the Sprint, you transmit your own exported descriptions out-of-band by email, on purpose. You are never asked to send CUI, marked documents, or copies of your systems; if you are unsure whether something is controlled, don’t send it — describe it.

Hosted tier · planned — not yet live

What arrives with hosted accounts

None of the following is live today. These are the protections we will stand up before the first row of customer data is ever persisted — when the platform tier begins saving assessments for hosted accounts. Until then, none of it applies, because there is nothing stored to protect.

Planned — not yet live

Encryption at rest

Planned

When hosted accounts persist saved assessments, that data will be stored in managed Postgres with encryption at rest, alongside encryption in transit. Today nothing customer-entered is persisted, so there is no data at rest to encrypt.

Tenant isolation (row-level security)

Planned

Hosted accounts will use database row-level security so a tenant can only ever read its own rows — one customer can never see another’s data.

Minimal retention + self-serve deletion

Planned

The hosted tier will define a retention period and offer self-serve deletion, so you can remove your data yourself, subject only to narrow legal-hold carve-outs (e.g. tax and financial records).

LLM route under a DPA, with the CUI screen + human QA

Planned

When the platform tailors document prose with a language model, that route will run under a Data Processing Agreement, with the CUI input screen on what goes in and a human quality review on what comes out. Nothing customer-entered goes to any third party except the LLM provider under that DPA.

Subprocessors

Who else could touch your data

The free assessment uses none of these for the data you enter. The table below is the full forward-looking list, with each provider’s status made explicit. Rows marked for the hosted tier are not yet live.

Subprocessor	Purpose	Data it sees	Status
Stripe	Payment processing	Card last-4 and charge status	Live at paid launch
Plausible	Cookieless aggregate analytics	Aggregate page views — no PII	When analytics enabled
Email provider	Mailing list	Email addresses of list subscribers	When the list launches
LLM provider	Document-prose tailoring	Assessment text you submit for a paid deliverable	Paid deliverables / hosted tier — not yet live
Supabase / Postgres	Accounts and saved assessments	Saved assessment records for hosted accounts	Hosted tier — not yet live

Change notice: we will update this page and its effective date before adding a new subprocessor or materially changing how an existing one handles your data.

Coordinated disclosure

Found a security issue? Tell us.

We welcome good-faith security research. If you believe you have found a vulnerability, please report it privately so we can fix it before it is disclosed publicly.

We will not pursue or support legal action against researchers who act in good faith, avoid privacy violations and service disruption, and do not access or modify data beyond what is needed to demonstrate the issue. We ask that you give us a reasonable amount of time to investigate and remediate before any public disclosure, and that you do not exploit the issue beyond proof of concept.

Email reports to hello@passmuster.co. Please include enough detail to reproduce the issue.

This is our security contact and coordinated-disclosure commitment, not a paid bug-bounty program. See also our Privacy Policy.