Security & Permissions

Locks on every door.

Masset is the best home for your business content. And a home is only the best home if it locks. Your team reaches your content through six doors: the Masset app, Slack, Microsoft Teams, HubSpot, Salesforce, and every AI tool connected over MCP. Every one of those doors opens exactly as far as that person's permissions allow. Not one inch further. This page explains how the locks work and the paperwork behind them.

Last verified July 2026

01 / One permission model

One permission model, enforced at every surface.

You set a permission once, in Masset. After that, it holds at every door. When someone asks Myca a question in Slack or Microsoft Teams, opens a Board, shares a link from HubSpot or Salesforce, or asks Claude, ChatGPT, or Cursor to act through the MCP server, the same rule is checked before anything comes back.

There is no side door and no special mode. Every one of the MCP server's 32 tools (20 reads, 12 writes) runs as the person who connected it. Nobody can read or change anything through an AI tool that they could not read or change in Masset itself.

01 / Door

The Masset app

This is the front door. Every permission is set and managed here, once.

02 / Door

Slack

Myca answers questions in Slack, and it only answers with content that person is allowed to see.

03 / Door

Microsoft Teams

Teams works exactly like Slack does. The same locks apply to every answer.

04 / Door

HubSpot

Reps share content straight from the CRM, and every share respects their Masset permissions.

05 / Door

Salesforce

Content surfaced in Salesforce follows the same permission model as everywhere else.

06 / Door

AI tools over MCP

Claude, ChatGPT, Cursor, Copilot, and every MCP-compatible tool connect as one specific person, never as the whole company.

02 / Files stay home

Your files never leave.

When your content travels to Slack, Microsoft Teams, HubSpot, or Salesforce, the raw file is never uploaded into those platforms. What travels is a Masset link.

Every download routes back through Masset, where permissions are checked before the file moves. So when you revoke access today, it is revoked everywhere at once, because there was never a stray copy sitting in another system.

03 / No training, ever

Your data never trains AI models.

Masset does not use your data to train AI models. Not our models, and not anyone else's. Our enterprise agreements with every LLM sub-processor restrict training use in writing.

Your content makes your own AI smarter about your business. It never makes a model smarter for somebody else.

04 / Minimal sync

Only what is needed syncs.

Connecting HubSpot or Salesforce does not pour your CRM into Masset. By default, Masset syncs only Id and Name level fields, the minimum needed to tie content activity to the right records.

Anything deeper syncs only if you explicitly configure it. Your customer data stays where it belongs, in your CRM.

05 / The paperwork

The paperwork holds up too.

01 / Proof

SOC 2

We maintain a SOC 2 report. Ask us for it during your security review and we will send it over.

02 / Proof

Third-party pen testing

Independent third parties periodically run penetration tests against Masset.

03 / Proof

SSO on Enterprise

Single sign-on is available on the Enterprise plan, along with more storage and dedicated support.

06 / Questions

The questions security reviews ask us first.

Can an AI tool read content a user cannot see?

No. Every AI tool connects to Masset as one specific person, and permissions are checked on every single call. All 32 tools (20 reads, 12 writes) on the MCP server run this way. If a person cannot open a file in Masset, their AI cannot open it either.

Where do our files live?

Your files live in Masset. When content is shared to Slack, Microsoft Teams, HubSpot, or Salesforce, the raw file is never uploaded into those platforms. A Masset link travels instead, and every download routes back through Masset, where permissions are checked first.

Do you train AI models on our data?

No, never. Masset does not use customer data to train AI models, and our enterprise agreements with every LLM sub-processor restrict training use in writing.

What does the Enterprise plan add?

Enterprise adds SSO, more storage, and dedicated support on top of everything in the standard plan, which is $500/mo, unlimited seats, month-to-month. See the pricing page for the full breakdown.

Bring your security team.
We like these questions.

30 minutes with our team and you will know exactly how the locks work with your stack, your permissions, and your AI tools.