Above average — notable defaults or data retention policies worth reviewing before wider use.
Mastra's privacy policy contains a copy-paste error referencing a competitor's product (modal.com), no standalone Terms of Service is publicly linked, and cloud inference is silently routed through OpenRouter — resolve all three before processing any sensitive data in cloud mode.
Score Summary
› Claim Accuracy: 4/5
› Data & Privacy: 3/5
› Security Posture: 3/5
› Transparency: 4/5
Key Findings
› The privacy policy at mastra.ai/privacy-policy contains a verbatim copy-paste artifact referencing 'the modal.com website', indicating the document was not written specifically for Mastra and raising doubts about its accuracy and legal standing.
› No publicly linked Terms of Service document exists on mastra.ai; the search result for 'Maestra ToS' resolves to a different, unrelated product (maestra.ai), leaving contractual obligations for cloud users undefined.
› CVE-2025-61685 (directory traversal in @mastra/mcp-docs-server, CVSS high, CWE-548) was publicly disclosed in September 2025 and patched in v0.17.0; users on older versions remain exposed and should upgrade immediately.
› Cloud inference (Memory Gateway and model routing) is provided via OpenRouter at 'Market Rate + 5.5%'; this third-party routing means LLM prompt and completion data transits OpenRouter's infrastructure, which is not disclosed on the main product pages.
› The core framework is Apache 2.0 licensed (changed from ELv2 in July 2025), but enterprise/auth features in ee/ directories remain under a separate proprietary Mastra Enterprise License requiring a paid licence for production use — teams must audit which directories they depend on.