Compliance & Security
Last updated: March 21, 2026
Infrastructure Security
Data Encryption
AES-256 encryption at rest. TLS 1.3 for all data in transit. Database connections are encrypted end-to-end between application servers and the data layer.
Access Control
Row-level security is enforced across all 28 database tables. Organization-scoped isolation ensures complete data separation between clients. A user at Label A cannot access any data belonging to Label B — enforced at the database level, not the application layer.
Authentication
Email-based authentication with leaked password protection (cross-referenced against known breach databases). Session tokens are validated server-side on every request. OAuth single sign-on available for enterprise clients.
Rate Limiting
AI processing endpoints (intelligence briefs, copilot, enrichment) enforce per-user rate limits to prevent abuse and ensure equitable resource allocation across all clients.
Audit Logging
Append-only audit log with a SHA-256 hash chain. Every significant action (roster changes, brief generation, copilot queries, alert configuration changes) generates a log entry that carries the SHA-256 hash of the entry before it, so any alteration or removal of an earlier entry breaks the chain and is detected on verification. Audit log entries are never modified or deleted once written.
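The hash chain described above, as an added illustration rather than Musyn's own code: a minimal append-only audit log in which each entry commits to the SHA-256 hash of the previous entry, together with a verifier that walks the chain. The entry fields (actor, action, detail), the canonical JSON encoding, the sample actions and the out-of-band "anchor" head hash are assumptions of this example, not details taken from the page.

```python
"""Added example (not Musyn's implementation): SHA-256 hash-chained audit log.

Field names, the canonical JSON encoding and the externally stored head hash
("anchor") are assumptions made for the example.
"""
import copy
import hashlib
import json
from typing import List, Optional

# Hash value used as the "previous hash" of the very first entry.
GENESIS = "0" * 64


def canonical(entry: dict) -> bytes:
    # Deterministic encoding: sorted keys and fixed separators, so the same
    # logical entry always hashes to the same value.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, seq: int, actor: str, action: str, detail: dict) -> str:
    # Each entry's hash covers its own content AND the previous entry's hash.
    payload = canonical({"seq": seq, "prev": prev_hash, "actor": actor,
                         "action": action, "detail": detail})
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    """Append-only log; entries are only ever added at the tail."""

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, detail: dict) -> dict:
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": seq, "prev": prev, "actor": actor, "action": action,
                 "detail": detail, "hash": entry_hash(prev, seq, actor, action, detail)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first bad entry.

    If expected_head (a head hash stored out of band) is supplied, a chain that
    is internally consistent but ends at a different hash is also rejected;
    in that case len(entries) is returned.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return i  # sequence gap or broken link (an entry was removed)
        if entry_hash(prev, i, e["actor"], e["action"], e["detail"]) != e["hash"]:
            return i  # content no longer matches the recorded hash
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)  # tail missing or chain rewritten wholesale
    return None


def demo() -> dict:
    # Constructed sample activity; the actors and ids are made up for the example.
    log = AuditLog()
    log.append("alice@label-a.example", "roster.add", {"artist_id": 42})
    log.append("alice@label-a.example", "brief.generate", {"artist_id": 42})
    log.append("bob@label-a.example", "alert.configure", {"threshold": 0.8})
    anchor = log.head()  # stored somewhere the log writer cannot change

    results = {"intact": verify_chain(log.entries, anchor)}

    # Edit an earlier entry in place: its recorded hash no longer matches.
    modified = copy.deepcopy(log.entries)
    modified[1]["detail"]["artist_id"] = 99
    results["modified"] = verify_chain(modified, anchor)

    # Delete the middle entry: the seq/prev links break at index 1.
    deleted = copy.deepcopy(log.entries)
    del deleted[1]
    results["deleted"] = verify_chain(deleted, anchor)

    # Drop the newest entry: the chain alone looks fine; only the anchor catches it.
    truncated = copy.deepcopy(log.entries[:2])
    results["truncated_no_anchor"] = verify_chain(truncated)
    results["truncated_with_anchor"] = verify_chain(truncated, anchor)

    # Rewrite entry 1 and recompute every later hash: self-consistent, but the
    # head no longer equals the anchor.
    rewritten = AuditLog()
    for e in log.entries:
        detail = dict(e["detail"])
        if e["seq"] == 1:
            detail["artist_id"] = 99
        rewritten.append(e["actor"], e["action"], detail)
    results["rewritten_no_anchor"] = verify_chain(rewritten.entries)
    results["rewritten_with_anchor"] = verify_chain(rewritten.entries, anchor)
    return results


if __name__ == "__main__":
    for name, first_bad in demo().items():
        print(f"{name}: {'intact' if first_bad is None else f'broken at entry {first_bad}'}")
```

The point the last two cases make is the practitioner caveat: a hash chain makes edits and deletions in the body of the log detectable, but by itself it cannot reveal that the tail was cut off, or that someone who can write every entry rewrote the chain end to end. Tamper evidence against that attacker comes from committing the current head hash somewhere the log writer cannot alter (write-once storage, an external log, or a periodically published head) and checking against it, as verify_chain does with expected_head.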
Data Handling
Data Sources
Musyn aggregates publicly available data from streaming platforms, social media APIs, and chart databases. No user-uploaded audio or media files are stored or processed.
Organization Data Isolation
Each organization's roster, metrics, briefs, and copilot sessions are completely isolated. Cross-organization data leakage is prevented at the database level through row-level security policies scoped to the authenticated user's organization.
Data Portability
Organizations can export all data — roster, metrics, briefs, and copilot history — at any time. Exports are generated on demand and delivered in standard formats.
Account Deletion
Users can delete their account at any time. Organization owners can request full organization data deletion, including all associated artist data, briefs, and historical records.
Payment Security
Enterprise clients are invoiced directly. No credit card data is processed or stored by Musyn. When self-serve payment is available, all card processing will be delegated to a PCI-DSS Level 1 certified payment processor. Musyn will never have access to raw card numbers.
Certifications & Standards
In progress: SOC 2 Type II
Aligned with: GDPR, ISO 27001
Not required: PCI-DSS (no direct card processing; see Payment Security above)
Contact
For security inquiries: security@musyn.io
For legal inquiries: legal@musyn.io