Security

Certified. Audited. In production since 2015.

Mycelium runs banking, public-sector, airline, and national-retail workloads. Enterprise-grade security is table stakes — and every claim below is what enterprise procurement actually verifies.

ISO/IEC 27001:2022, Certificate #100326059706
ISMS scope

What's inside the certificate.

The Information Security Management System covers "the development and operation of SaaS systems for transportation and shipment management." That includes the route optimization engine, the autonomous dispatcher, multi-carrier orchestration, dynamic pricing, white-label consumer and employee apps, and the operational tooling that runs them. Customers under active contract can request the current surveillance-audit summary.

Architecture

What buyers verify, beyond the badge.

ISO 27001 is the management system. These are the specific architectural properties that make enterprise security reviews pass.

Multi-tenant isolation

Customer data is partitioned per tenant. Rule bundles, orders, vehicles, and routes are not reachable across tenant boundaries. The enforcement mechanism is implemented per our ISO 27001 ISMS scope; details available under DPA on request.

OAuth2 and JWT authentication

Standards-based authentication. Access tokens are short-lived; scoping, revocation, and rotation are implemented per our ISO 27001 ISMS scope; details available under DPA on request.

TLS in transit, encryption at rest

All traffic is TLS 1.2 or higher. Data at rest is encrypted on the storage layer. Key management is implemented per our ISO 27001 ISMS scope; details available under DPA on request.

Audit logs

State-changing API calls are recorded. Read APIs are logged. Log retention, format, rate controls, and access controls are implemented per our ISO 27001 ISMS scope; details available under DPA on request.

Tracking data model

Mycelium aggregates tracking. It doesn't source it.

Most buyers assume a routing platform wants direct access to their fleet telematics. Mycelium doesn't. Integrated fleet and telematics systems remain the source of truth; Mycelium is the presentation layer that turns that data into operational views.

Mycelium touches position data in flight, not at source. The GPS chain of custody stays with the systems the customer already contracts with.

Website sub-processors

Who we share website data with, and why.

The list below covers sub-processors engaged for the marketing website at www.mycelium.ai. The platform sub-processor list is governed by each customer's Data Processing Agreement and lives outside this page.

Sub-processor: Google LLC
  Category: Analytics
  Purpose: Google Analytics 4, page-view and session metrics after consent
  Data location: United States
  Transfer mechanism: EU-US Data Privacy Framework, UK Extension; SCCs as fallback

Sub-processor: Google LLC (Google Cloud)
  Category: Application infrastructure
  Purpose: Cloud Function processing of contact-form submissions and email delivery
  Data location: United States
  Transfer mechanism: EU-US Data Privacy Framework, UK Extension; SCCs as fallback

We update this list when sub-processors change. For the current platform sub-processor list, the DPA template, penetration-test summaries, or surveillance-audit extracts, contact info@mycelium.ai.

Security incidents

If a breach affects your data.

If we become aware of a personal-data breach affecting your information, we will notify the relevant supervisory authority within 72 hours where required under GDPR Article 33, and notify you directly without undue delay where the breach is likely to result in a high risk to your rights and freedoms under GDPR Article 34. Equivalent commitments apply under the corresponding provisions of Israeli Privacy Protection Law. See the privacy policy for the full breach-notification commitment.

Vulnerability disclosure

Report a security issue.

Send security reports to security@mycelium.ai. We acknowledge within one business day and coordinate disclosure with the reporter through remediation. Coordination is confidential during triage; public credit is given at remediation when the reporter agrees.

Run a security review with us.

We answer the questionnaire, share the certificate, walk your security team through the data-flow model, and get you to a signed DPA. Typical timeline is one to two weeks.