Infrastructure
- All hosting on Vercel (web) and Supabase (database) — both SOC 2 Type II certified
- Database encryption at rest (AES-256)
- All traffic TLS 1.3 minimum, HSTS preload
- Strict CSP headers, frame-busting, no third-party scripts on auth pages
Access controls
- 2FA required for all admin accounts
- Row-level security (RLS) on every multi-tenant database table
- Service-role keys never used in browser-shipped code
- Production access requires VPN plus hardware key for engineering staff
Data protection
- Documents stored in encrypted Supabase Storage with signed URLs
- Voice recordings encrypted at rest, accessible only via short-lived signed URLs
- Sensitive PII fields encrypted at column level
- Backups encrypted, 30-day retention
Payments
- All card data handled by Stripe (PCI-DSS Level 1)
- We never see or store card numbers
- ACH and wire processed through Stripe Connect
PHI handling
- BAAs in place with all sub-processors that may touch PHI (Anthropic, Supabase, Stripe)
- Encrypted at rest and in transit
- Access logged and audited
- Limited to staff with documented business need
Observability
- Sentry for error tracking
- Axiom for structured logs
- Audit log of every meaningful action retained 7 years
- Anomaly detection on auth, payment, and admin actions
Incident response
- 24/7 on-call rotation
- Notification within 72 hours of any confirmed breach affecting a user
- Quarterly incident-response drills
Audits
- Annual SOC 2 Type II audit (in progress for v1)
- Annual penetration test
- Continuous vulnerability scanning
Report a security issue
security@mumm.com (PGP key on request). For details on our bug-bounty program, contact us.