Data Security

How 1MLX protects your listings, deal data, and member information.

1MLX is a closed cooperative. Your listing data, deal activity, and member information stay inside the exchange. We don't sell data, we don't share it with third parties for marketing, and we don't use it to compete with you. This page explains the specific measures in place — and the limits of what we can guarantee.

Platform Infrastructure

Where your data lives and how it's protected at the infrastructure level.

Hosting
Cloudflare-managed infrastructure with DDoS protection, edge caching, and global CDN. All traffic served over HTTPS.
Encryption
TLS 1.3 for data in transit. AES-256 encryption for data at rest. Database connections encrypted end-to-end.
Access Control
Role-based permissions. Firm administrators control who within their brokerage can view, edit, or submit listings.
Authentication
Verified enrollment process. Email-based account recovery. Session tokens with automatic expiration.

Listing Data Protection

Your listings are the core asset. Here's how we treat them.

Visibility
Listings are visible only to verified 1MLX members. No public scraping, no search engine indexing of listing details.
Ownership
Your firm's listings remain your firm's data. 1MLX does not claim ownership of listing content submitted to the exchange.
Bulk Export
Only authorized firm administrators can export their own firm's listing data. Cross-firm bulk downloads are not permitted.
Deletion
Firms can remove their listings at any time. Deleted listings are purged from active systems within 30 days.

Space Cadet — AI Assistant

Space Cadet is a dedicated 1MLX instance running on our servers. Your questions, the database queries, and the answers it generates all stay within 1MLX infrastructure — nothing is routed through an external AI provider.

What Space Cadet can access: Listing data, market statistics, and research that members have authorized for the exchange. It does not have access to your firm's internal deal pipeline, financial records, or communications.

What Space Cadet does not store: Conversations are processed in-session. Space Cadet does not build a persistent profile of your queries or share your questions with other members.

What we're still deciding: Whether conversation history will be retained for your own reference (opt-in), and the exact retention window. We'll publish this before launch.

Voice Processing

Space Cadet can read responses aloud. Like the AI itself, voice synthesis runs within 1MLX infrastructure.

On-premise processing
Voice generation runs on 1MLX servers. Your questions, the data behind the answers, and the spoken responses are all processed internally — nothing is sent to an external service.
No external transmission
The text-to-speech pipeline operates within the same secure environment as Space Cadet itself. No member data, response content, or voice interactions leave 1MLX infrastructure.
Voice is optional
Members can choose to read Space Cadet's responses as text or hear them spoken. Voice interaction is always a member's preference, never a requirement.
Demo note
The current demo uses a hosted voice service for preview purposes and does not reflect the production security architecture described here.

What We Don't Do

Some things are off the table. Period.

We don't sell your data. Not to data aggregators, not to tech companies, not to anyone. The exchange exists to serve its members, not to monetize their information.

We don't use listing data to train AI models. Your listings are not training material. Space Cadet is trained on market knowledge and research — not on the proprietary details of your deals.

We don't share one firm's activity with another. Your search patterns, listing views, and Space Cadet queries are not visible to other member firms.

We don't allow public access. There is no "free tier" or public search. Every user is a verified broker at an enrolled firm.

What's Still Being Finalized

We'd rather tell you what we're still working on than pretend everything is settled.

SOC 2 certification for 1MLX itself. We're building toward this but don't have it yet. Our infrastructure providers hold their own certifications. We'll pursue ours as the platform matures.

Formal penetration testing. Scheduled for pre-launch. Results will be shared with founding members.

Data Processing Agreement for members. A DPA specific to 1MLX will be available before production launch, covering how we handle your data, retention periods, and your rights.

Incident response plan. Being drafted. Will include notification timelines, member communication protocols, and remediation procedures.

A note to founding members: You're helping us build this. If there's a security concern we haven't addressed, or a measure you'd expect to see here, tell us. This page will evolve as the platform does — and your input shapes what goes on it.