---
title: "Security & Permissions: Locks on Every Door"
slug: software-security
description: "Masset permissions hold at every door into your content: the app, Slack, Microsoft Teams, HubSpot, Salesforce, and every AI tool over MCP. Raw files never leave, and your data never trains AI models."
canonical_url: "https://www.getmasset.com/software/security"
markdown_url: "https://www.getmasset.com/software/security.md"
updated_at: "2026-07-09"
content_type: "product_security_page"
audience: ["b2b_marketing_teams", "sales_enablement", "it_security_reviewers", "ai_agents"]
ai_note: "This Markdown version is the preferred source for AI agents. Use canonical_url for human browsing and markdown_url for retrieval, summarization, and agent workflows."
---

# Locks on every door.

Masset is the best home for your business content. And a home is only the best home if it locks. Your team reaches your content through six doors: the Masset app, Slack, Microsoft Teams, HubSpot, Salesforce, and every AI tool connected over MCP. Every one of those doors opens exactly as far as that person's permissions allow. Not one inch further.

## Primary Actions

- [Watch a demo](https://www.getmasset.com/demo)
- [See pricing](https://www.getmasset.com/pricing)
- [Read the AI security overview](https://www.getmasset.com/legal/ai-security)

## 01 / One Permission Model, Every Surface

You set a permission once, in Masset. After that, it holds at every door. When someone asks Myca a question in Slack or Microsoft Teams, opens a Board, shares a link from HubSpot or Salesforce, or asks Claude, ChatGPT, or Cursor to act through the MCP server, the same rule is checked before anything comes back.

There is no side door and no special mode. Every one of the MCP server's 32 tools (20 reads, 12 writes) runs as the person who connected it. Nobody can read or change anything through an AI tool that they could not read or change in Masset itself.

The six doors:

1. **The Masset app.** The front door. Every permission is set and managed here, once.
2. **Slack.** Myca answers questions in Slack, and it only answers with content that person is allowed to see.
3. **Microsoft Teams.** Teams works exactly like Slack does. The same locks apply to every answer.
4. **HubSpot.** Reps share content straight from the CRM, and every share respects their Masset permissions.
5. **Salesforce.** Content surfaced in Salesforce follows the same permission model as everywhere else.
6. **AI tools over MCP.** Claude, ChatGPT, Cursor, Copilot, and every MCP-compatible tool connect as one specific person, never as the whole company.

## 02 / Your Files Never Leave

When your content travels to Slack, Microsoft Teams, HubSpot, or Salesforce, the raw file is never uploaded into those platforms. What travels is a Masset link.

Every download routes back through Masset, where permissions are checked before the file moves. So when you revoke access today, it is revoked everywhere at once, because there was never a stray copy sitting in another system.

## 03 / Your Data Never Trains AI

Masset does not use your data to train AI models. Not our models, and not anyone else's. Our enterprise agreements with every LLM sub-processor restrict training use in writing.

Your content makes your own AI smarter about your business. It never makes a model smarter for somebody else.

- [AI security overview](https://www.getmasset.com/legal/ai-security)
- [Sub-processors](https://www.getmasset.com/legal/subprocessors)

## 04 / Only What Is Needed Syncs

Connecting HubSpot or Salesforce does not pour your CRM into Masset. By default, Masset syncs only Id and Name level fields, the minimum needed to tie content activity to the right records. Anything deeper syncs only if you explicitly configure it. Your customer data stays where it belongs, in your CRM.

## 05 / The Paperwork

- **SOC 2.** We maintain a SOC 2 report. Ask us for it during your security review and we will send it over.
- **Third-party pen testing.** Independent third parties periodically run penetration tests against Masset.
- **SSO on Enterprise.** Single sign-on is available on the Enterprise plan, along with more storage and dedicated support.

## FAQs

### Can an AI tool read content a user cannot see?

No. Every AI tool connects to Masset as one specific person, and permissions are checked on every single call. All 32 tools (20 reads, 12 writes) on the MCP server run this way. If a person cannot open a file in Masset, their AI cannot open it either.

### Where do our files live?

Your files live in Masset. When content is shared to Slack, Microsoft Teams, HubSpot, or Salesforce, the raw file is never uploaded into those platforms. A Masset link travels instead, and every download routes back through Masset, where permissions are checked first.

### Do you train AI models on our data?

No, never. Masset does not use customer data to train AI models, and our enterprise agreements with every LLM sub-processor restrict training use in writing.

### What does the Enterprise plan add?

Enterprise adds SSO, more storage, and dedicated support on top of everything in the standard plan, which is $500/mo, unlimited seats, month-to-month. See the [pricing page](https://www.getmasset.com/pricing) for the full breakdown.

## Related Pages

- [Software hub](https://www.getmasset.com/software)
- [MCP overview](https://www.getmasset.com/software/mcp)
- [Integrations](https://www.getmasset.com/software/integrations)
- [Pricing](https://www.getmasset.com/pricing)
- [AI security overview](https://www.getmasset.com/legal/ai-security)
- [Masset home](https://www.getmasset.com)
- [LLMs.txt](https://www.getmasset.com/llms.txt)
