TRUST & POLICIES
The honest details.
What we do, what we don't, how we handle your data, how we handle mistakes. No legal-ese where we can avoid it.
Privacy Policy
What data we collect, how we use it, who we share with.
Terms of Service
The legal agreement between you and Mumm.
Security
How we protect your data and your money.
Data Handling
Specifics on PHI, payment data, document storage, and sub-processors.
Sub-processors
Third-party services we share data with so Mumm can run. Includes purpose, data scope, region, and BAA status where relevant.
Agent Policy
What our AI agent will and won't do on your behalf.
Refunds & Disputes
When you get money back, when you don't.
Acceptable Use
What you can and can't use Mumm for.
Bug Bounty
Find a security issue in Mumm? Report it through the bug bounty program. Modest rewards for valid reports, faster response for higher-severity issues.
Contact & Reports
Report issues, request data, exercise your rights.
HOW WE TAKE THIS SERIOUSLY
SOC 2 Type II · In progress
Annual SOC 2 Type II audit underway with our auditor. Status updated as we complete each control.
HIPAA-aware · BAAs in place
Sub-processors that touch PHI (Anthropic, Supabase, Stripe) operate under signed BAAs. Encrypted at rest + in transit; access logged separately.
PCI-DSS · Stripe-managed
All card data handled by Stripe (PCI-DSS Level 1). Card numbers never touch our servers.
TLS 1.3 · Everywhere
All traffic over TLS 1.3 minimum. HSTS preload enabled. Strict CSP on auth pages.
Encryption at rest · AES-256
Database, storage, and backups encrypted at rest. Sensitive PII encrypted at the column level.
Security questions: security@mumm.com