Data Handling & Access

This page explains what Modulos stores, who can access it, and how integrations are scoped in practical terms.

For formal due diligence materials, security questionnaires, and compliance reports, see the Modulos Trust Center.

What data Modulos stores

In most deployments, Modulos stores a mix of:

  • Governance records: projects, frameworks, requirements, controls, statuses, assignments, and comments.
  • Risk quantification data: monetary risk values, inputs, outputs, and rollups used for decision-making.
  • Evidence artifacts: uploaded files and structured notes attached to controls, requirements, assets, and tests.
  • Audit trail: who changed what, when, and in which scope.

Access control model

Modulos uses role-based access control across two scopes:

  • Organization scope: organization-level configuration and user management.
  • Project scope: day-to-day governance work inside an AI system or organization project.

Organization Admins typically have full access to view and edit organization configuration and can manage user access. Project access is granted separately.

Related: User Management, Project Access

Auditability and accountability

Modulos is built for evidence-first governance:

  • status changes are tracked and attributable
  • comments and logs create a reviewable narrative
  • exports package evidence and status for audit workflows

Related: Audit Trail, Reports & Exports

Integrations and secrets

Integrations are designed around clear identity boundaries:

  • Sources: service accounts attached to projects for stable automation and monitoring.
  • Connectors: user accounts connected to users for user-scoped access in Scout.
  • API tokens: user tokens for programmatic access to the Modulos API.

Secrets should be treated like passwords:

  • API token values are shown once and can be revoked.
  • Source credentials should be created with least privilege and rotated regularly.
  • Connectors can be revoked by disconnecting them and by revoking access in the external system.

Related: Integrations

Privacy and content boundaries

Modulos helps teams keep governance work aligned with permission boundaries:

  • Sources are scoped to a project and intended for service-to-service access.
  • Connectors reflect the connected user’s permissions in the external system.
  • Evidence and governance records are only visible to users with access in the relevant scope.

If you have strict data classification requirements, establish internal rules for what evidence can be uploaded and how sensitive content should be redacted.

AI features and human review

Modulos uses AI to accelerate governance work, but the system is designed for accountability:

  • AI outputs are suggestions and should be reviewed before being used as evidence.
  • Human review workflows provide traceability for approvals and decisions.

Related: Human in the Loop, Code of Responsible AI

Customer responsibilities

Security and privacy are shared responsibilities. Common best practices include:

  • use dedicated service accounts for sources
  • store API tokens in a secret manager
  • apply least-privilege access in external systems
  • upload evidence that is appropriate for the intended audience, and redact when needed

Get help

If you suspect an issue, need a security package for vendor review, or want guidance on best practices for your deployment, contact Support.