Skip to content

TRUST & POLICIES

Security

Last updated: April 15, 2026

We treat your data and your money like a trust. Here's how we do it.

On this page
  1. Infrastructure
  2. Access controls
  3. Data protection
  4. Payments
  5. PHI handling
  6. Observability
  7. Incident response
  8. Audits
  9. Report a security issue

Infrastructure

  • All hosting on Vercel (web) and Supabase (database) — both SOC 2 Type II certified
  • Database encryption at rest (AES-256)
  • All traffic TLS 1.3 minimum, HSTS preload
  • Strict CSP headers, frame-busting, no third-party scripts on auth pages

Access controls

  • 2FA required for all admin accounts
  • Row-level security (RLS) on every multi-tenant database table
  • Service-role keys never used in browser-shipped code
  • Production access requires VPN plus hardware key for engineering staff

Data protection

  • Documents stored in encrypted Supabase Storage with signed URLs
  • Voice recordings encrypted at rest, accessible only via short-lived signed URLs
  • Sensitive PII fields encrypted at column level
  • Backups encrypted, 30-day retention

Payments

  • All card data handled by Stripe (PCI-DSS Level 1)
  • We never see or store card numbers
  • ACH and wire processed through Stripe Connect

PHI handling

  • BAAs in place with all sub-processors that may touch PHI (Anthropic, Supabase, Stripe)
  • Encrypted at rest and in transit
  • Access logged and audited
  • Limited to staff with documented business need

Observability

  • Sentry for error tracking
  • Axiom for structured logs
  • Audit log of every meaningful action retained 7 years
  • Anomaly detection on auth, payment, and admin actions

Incident response

  • 24/7 on-call rotation
  • Notification within 72 hours of any confirmed breach affecting a user
  • Quarterly incident-response drills

Audits

  • Annual SOC 2 Type II audit (in progress for v1)
  • Annual penetration test
  • Continuous vulnerability scanning

Report a security issue

security@mumm.com (PGP key on request). For details on our bug-bounty program, contact us.