Skip to content

TRUST & POLICIES

The honest details.

What we do, what we don't, how we handle your data, how we handle mistakes. No legal-ese where we can avoid it.

HOW WE TAKE THIS SERIOUSLY

  • SOC 2 Type II · In progress

    Annual SOC 2 Type II audit underway with our auditor. Status updated as we complete each control.

  • HIPAA-aware · BAAs in place

    Sub-processors that touch PHI (Anthropic, Supabase, Stripe) operate under signed BAAs. Encrypted at rest + in transit; access logged separately.

  • PCI-DSS · Stripe-managed

    All card data handled by Stripe (PCI-DSS Level 1). Card numbers never touch our servers.

  • TLS 1.3 · Everywhere

    All traffic over TLS 1.3 minimum. HSTS preload enabled. Strict CSP on auth pages.

  • Encryption at rest · AES-256

    Database, storage, and backups encrypted at rest. Sensitive PII encrypted at the column level.

Security questions: security@mumm.com