Security & governance

Enterprise controls for procurement data and AI governance.

Mithra is designed for the security, governance, and auditability requirements of enterprise procurement environments. Human-in-the-loop AI review, regional data hosting, access controls, and full audit trails are standard, not optional add-ons.

Encryption in transit & at rest · SSO & RBAC · Regional hosting (EU / UK) · Full audit trail

Security and governance

Six pillars of enterprise-grade procurement data security

Data protection

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Data is isolated per customer; there is no shared data infrastructure between tenants.

Regional hosting

Data residency on your terms, including EU and UK hosting. If procurement data must stay in a jurisdiction, that's a standard deployment option.

Access controls

SSO via SAML 2.0 and OAuth 2.0. Role-based access controls define exactly who can view, review, approve, or export data. All access logged.

Audit trails

Every classification, supplier merge, taxonomy change, override, and export is logged with timestamp, user ID, and action detail. Exportable for review.

Human-in-the-loop governance

AI generates classifications and normalizations; it does not publish them automatically. Every output passes through a structured review workflow. Humans take precedence.

AI model oversight

Customer-specific models tuned to your taxonomy and data patterns. Your data is never used to train shared models; this is a hard architectural constraint.

Responsible AI

Explainable AI, every decision with a reason code

Enterprise procurement can't operate on a black box. When a supplier is merged or a spend line is classified, the business needs to know why, not just what. Mithra's AI governance is built around three principles.

  • Explainability: Every classification carries a 0–100% confidence score and a human-readable reason code.
  • Reviewability: Low-confidence decisions and significant changes are surfaced in a review queue. Nothing goes live until approved.
  • Auditability: Every human override, and every AI decision left unchanged, is logged permanently for compliance.
Example review queue (app.mithra.ai / review-queue):

Globex Trading Ltd, Invoice 77412005 · € 1.2M. Critical. Atlas suggestion: Uncategorized (38%).
Why: No confident taxonomy match; possible new supplier entity. Held for a human decision before publication.

Delpharm Milano SRL, Invoice 89880001 · € 95.6M. Needs review. Atlas suggestion: Manufacturing > Contract Mfg (73%).
Why: Supplier name matches two taxonomy branches; spend pattern favors Contract Manufacturing.

Bechtle Schweiz AG, Invoice 23000342 · € 62.5M. Informational. Atlas suggestion: IT Hardware > Compute (95%).
Why: High-confidence auto-classification, logged with reason code for your permanent audit trail.

Access management

Granular controls, from procurement team to IT admin

  • Data steward: review and approve classifications, normalizations, and taxonomy changes. Cannot export raw data.
  • Category manager: view classified spend and Pulse opportunities for assigned categories. Cannot modify rules.
  • Procurement admin: configure taxonomy, set classification rules, manage data sources and user roles.
  • IT admin: configure SSO, manage API connections, control export settings, access audit logs.
  • Read-only analyst: view dashboards and opportunity outputs. Cannot access underlying transactions.
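The confidence-gated review queue described under Responsible AI, combined with the role restrictions above, as an added illustration in Python (not Mithra's own code). Invoice numbers, categories and confidence values come from the mockup on this page; the numeric thresholds, the reason-code strings and the set of roles permitted to approve are assumptions made for this example.

```python
from datetime import datetime, timezone
# Thresholds are an assumption for this example: the page shows 38% held as
# Critical, 73% as Needs review and 95% auto-classified as Informational.
CRITICAL_BELOW, AUTO_FROM = 50, 90
# Roles allowed to approve or override, taken from the role list on the page.
APPROVER_ROLES = {"data_steward", "procurement_admin"}

def triage(confidence):
    if confidence < CRITICAL_BELOW:
        return "Critical"
    return "Needs review" if confidence < AUTO_FROM else "Informational"

class ReviewQueue:
    def __init__(self):
        self.items, self.audit = {}, []   # invoice -> record, append-only log

    def _log(self, user, action, invoice, detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "user": user, "action": action,
                           "invoice": invoice, "detail": detail})

    def submit(self, invoice, category, confidence, reason_code):
        rec = {"category": category, "confidence": confidence,
               "reason": reason_code, "status": triage(confidence),
               "published": False}
        self.items[invoice] = rec
        self._log("atlas", "suggest", invoice,
                  f"{category} {confidence}% reason={reason_code}")
        if rec["status"] == "Informational":      # auto-classified, still logged
            rec["published"] = True
            self._log("atlas", "auto_publish", invoice, reason_code)
        return rec["status"]

    def decide(self, invoice, user, role, override_to=None):
        # Nothing goes live until an authorized human approves or overrides it.
        if role not in APPROVER_ROLES:
            self._log(user, "denied", invoice, f"role={role}")
            raise PermissionError(f"{role} cannot approve")
        rec = self.items[invoice]
        if override_to:
            self._log(user, "override", invoice,
                      f"{rec['category']} -> {override_to}")
            rec["category"] = override_to
        else:
            self._log(user, "approve", invoice, rec["category"])
        rec["published"] = True
        return rec["category"]

    def pending(self):
        return sorted(i for i, r in self.items.items() if not r["published"])
```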

Single Sign-On & identity management

Mithra supports SSO via SAML 2.0 and OAuth 2.0 for integration with your corporate identity provider (Okta, Azure AD, Google Workspace, Ping Identity). Multi-factor authentication is supported and can be enforced at the organizational level.

Data handling

How Mithra handles your data, from ingestion to deletion

1. Ingestion: Transferred via encrypted API, DB, or SFTP into an isolated customer environment, not shared storage.

2. Processing: Atlas and Pulse process within your isolated environment. No data crosses customer boundaries.

3. Review & export: Approved outputs are exportable in your chosen formats. Every export is logged.

4. Retention: Retained for the agreement term plus 90 days, or as agreed. Shorter windows configurable.

5. Deletion: Deleted within 30 days of termination, confirmed in writing. Immediate deletion on request.

Compliance

Built for enterprise compliance requirements

GDPR-compliant processing

Designed for GDPR compliance for EU/UK customers, with a Data Processing Agreement provided for all customers.

Regional data hosting

EU and UK hosting options available as standard for data residency requirements.

Customer-specific AI models

No cross-customer data sharing. Your models are built and tuned only on your data.

Data Processing Agreement

A full DPA is provided for all customers and available for legal review on request.

SpendMatters Future 5 · Google Cloud Partner · BSI ISO/IEC 27001 Information Security Management Certified

Mithra is certified to ISO/IEC 27001 for information security management by BSI. View our certificate in the BSI client directory.

FAQ

Security questions, answered.

No. Each Mithra customer has an isolated data environment. Your procurement data is never processed on shared infrastructure alongside other customers' data.

Mithra supports regional data hosting. EU and UK hosting options are available as standard. If you have specific data residency requirements, discuss them with our team during onboarding.

Mithra's data handling is designed to ensure GDPR compliance, and we provide a Data Processing Agreement to all customers. Mithra is certified to ISO/IEC 27001 by BSI. Our certificate is listed in the BSI client directory.

Yes. Every classification, normalization, enrichment, and taxonomy decision is logged with a timestamp, confidence score, reason code, and the human reviewer who approved or overrode it. Full audit logs are exportable.

Your data is retained for 90 days after termination and then deleted from Mithra's systems, with written confirmation. We can arrange immediate deletion on request.

No. Mithra builds customer-specific models for each customer's taxonomy and data patterns. Your data is never used to train models that benefit other customers; this is a hard architectural constraint, not a policy preference.

Share this page with your security team.

We'll provide a full security overview, our Data Processing Agreement, and answers to your IT and compliance questions.