Commitments
- No training use, ever. Your content is never used to train models, ours or a third party's.
- Encryption in transit and at rest. TLS 1.3 for all network traffic; AES-256 for data at rest.
- Per-review reviewer scope. External reviewers see only the specific review assigned to them.
- Customer isolation. Data is scoped per customer at the query layer, not only in application code.
- Audit log as product. Every material action produces a tamper-evident audit record, exportable on demand.
Certifications and programs
- SOC 2 Type I — in progress. Type II targeted for year two.
- GDPR — we process personal data in accordance with the EU GDPR where applicable. Standard Contractual Clauses are available for international transfers.
- Sub-processor list — available on request to customers and prospects.
Infrastructure
- Hosting — Supabase-managed PostgreSQL, with row-level security available where customer use cases require it.
- Identity — WorkOS for authentication (email/password during v1; SAML, OIDC, and SCIM rolling out in v2).
- Payments — Stripe; card numbers never touch our infrastructure.
- Secrets — stored in managed secret stores, never in source code or CI configuration; rotated on personnel change or suspected exposure.
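What query-layer customer isolation and per-review reviewer scope look like when enforced with PostgreSQL row-level security, as an added illustration that is not Mairit's own schema or policy definitions. The table, columns, role names and the app.customer_id / app.reviewer_id session settings are assumptions made for this example, and the script assumes it is run as the table owner or a superuser.

```sql
-- Added example (not Mairit's schema): PostgreSQL row-level security that
-- enforces customer isolation and per-review reviewer scope at the query
-- layer. Names and session settings below are assumptions for illustration.

create table reviews (
    id          bigint generated always as identity primary key,
    customer_id uuid not null,
    reviewer_id uuid,               -- external reviewer assigned to this review
    content     text not null
);

-- Two database roles: the application's normal role and a restricted role
-- used only for external-reviewer sessions. Neither is a superuser and
-- neither has BYPASSRLS; either attribute would silently disable the policies.
create role app_user nologin;
create role external_reviewer nologin;
grant select, insert, update, delete on reviews to app_user;
grant select on reviews to external_reviewer;

alter table reviews enable row level security;
-- Apply the policies to the table owner too, so a connection that ends up
-- running as the owner through an application bug cannot read across tenants.
alter table reviews force row level security;

-- Customer isolation: every statement issued by app_user is filtered by the
-- customer bound to the connection. nullif() turns an absent or empty setting
-- into NULL, the comparison then yields NULL, and the policy matches no rows,
-- so a request that forgot to bind the tenant fails closed instead of open.
create policy customer_isolation on reviews
    for all to app_user
    using (customer_id = nullif(current_setting('app.customer_id', true), '')::uuid)
    with check (customer_id = nullif(current_setting('app.customer_id', true), '')::uuid);

-- Per-review reviewer scope: an external reviewer can read only rows assigned
-- to them and gets no customer-wide view, matching the scoping described above.
create policy reviewer_scope on reviews
    for select to external_reviewer
    using (reviewer_id = nullif(current_setting('app.reviewer_id', true), '')::uuid);

-- Constructed sample session as the application role for one customer.
begin;
set local role app_user;
set local app.customer_id = '11111111-1111-1111-1111-111111111111';
insert into reviews (customer_id, reviewer_id, content) values
    ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'review A'),
    ('11111111-1111-1111-1111-111111111111', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'review B');
-- An insert naming a different customer_id fails the WITH CHECK clause with
-- "new row violates row-level security policy", even though app_user holds
-- INSERT privilege on the table.
commit;

-- Constructed sample session as an external reviewer assigned to review A.
begin;
set local role external_reviewer;
set local app.reviewer_id = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa';
select id, content from reviews;   -- only the row assigned to this reviewer is visible
commit;
```

The application binds the tenant with SET LOCAL at the start of each transaction, after which every query on the connection is filtered regardless of what the application code asked for. Two checks worth running against a setup like this: confirm that the application's database role has neither SUPERUSER nor BYPASSRLS (`select rolname, rolsuper, rolbypassrls from pg_roles`), and confirm that a session with no tenant bound returns zero rows rather than all rows.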
Data handling
- Attested immutability. Once a review is attested, the record is immutable. Edits create new review versions rather than modifying prior attested records.
- PII redaction option. Customers can configure PII redaction before review content reaches external reviewers.
- Retention. Review content and attestations are retained for the life of the customer relationship plus the retention period required by applicable law (typically 7 years for audit purposes). Details are in our Privacy Policy.
- Deletion. On customer request, we will delete personal data within the timeframes required by law. Audit records may be retained to the extent required by legal or contractual obligation.
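One way to enforce attested immutability in the database itself rather than only in application code, as an added example that is not Mairit's own implementation. The review_versions table, the trigger, the helper function and the sample review id 42 are assumptions for this illustration; the point it shows is that once a version carries an attestation, UPDATE and DELETE are rejected at the row level, and an edit is expressed as a new version.

```sql
-- Added example (not Mairit's code): attested review versions made immutable
-- by a BEFORE trigger, with edits expressed as new versions. Names are
-- assumptions for illustration.

create table review_versions (
    id          bigint generated always as identity primary key,
    review_id   bigint not null,
    version     integer not null,
    content     text not null,
    attested_at timestamptz,        -- NULL until the version is attested
    attested_by uuid,
    unique (review_id, version)
);

-- Reject any UPDATE or DELETE that touches an already-attested version.
-- The check is on OLD, so a draft version can still be edited and attested.
create or replace function reject_attested_change() returns trigger
language plpgsql as $$
begin
    if old.attested_at is not null then
        raise exception 'review % version % is attested and cannot be modified',
            old.review_id, old.version
            using errcode = 'insufficient_privilege';
    end if;
    if tg_op = 'DELETE' then
        return old;
    end if;
    return new;
end;
$$;

create trigger review_versions_immutable
    before update or delete on review_versions
    for each row execute function reject_attested_change();

-- An edit after attestation becomes the next version of the same review.
-- The unique (review_id, version) constraint turns a concurrent race for the
-- same version number into an error rather than a silent overwrite.
create or replace function new_review_version(p_review_id bigint, p_content text)
returns review_versions
language sql as $$
    insert into review_versions (review_id, version, content)
    select p_review_id, coalesce(max(version), 0) + 1, p_content
    from review_versions
    where review_id = p_review_id
    returning *;
$$;

-- Constructed walk-through for a hypothetical review 42.
select * from new_review_version(42, 'initial findings');      -- version 1, draft

-- Attesting a draft is an UPDATE on a row whose attested_at is still NULL,
-- so the trigger allows it; the predicate makes the attestation idempotent.
update review_versions
   set attested_at = now(),
       attested_by = 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa'
 where review_id = 42 and version = 1 and attested_at is null;

-- Any later change to version 1 now raises the trigger's exception:
-- update review_versions set content = 'changed' where review_id = 42 and version = 1;
-- delete from review_versions where review_id = 42 and version = 1;

-- The supported path is a new version; version 1 remains as attested.
select * from new_review_version(42, 'revised findings');      -- version 2, draft
```

As defense in depth, the application's database role should also have UPDATE and DELETE on this table revoked except for the column and predicate needed to attest a draft; the trigger then guards against the remaining path, and a superuser bypassing both is the kind of action the audit log is meant to record.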
Operational security
- Access to production systems is restricted, logged, and periodically reviewed.
- Laptops used by personnel are encrypted and managed.
- Code changes go through peer review and automated CI before production.
- Dependencies are monitored for known vulnerabilities; critical issues are patched on an expedited timeline.
Reviewer controls
- Internal reviewers — authenticated through your organization's identity provider once SAML/OIDC is enabled (v2); email/password in v1. Access to review content is scoped to the specific review they are assigned.
- External reviewers — vetted individually; sign NDAs and a reviewer code of conduct before joining the network; see only the specific review assigned to them, not broader customer context.
Reporting a vulnerability
If you believe you have discovered a security vulnerability in Mairit, please email security@mairit.ai. Include:
- A clear description of the issue and its potential impact.
- Steps to reproduce, including any proof-of-concept artifacts.
- Your name and contact information (optional, but helpful for follow-up).
Good-faith research is welcome. We will not pursue legal action against researchers who report vulnerabilities through the channel above, act in good faith, avoid privacy violations or service disruption, and give us reasonable time to remediate before public disclosure.
Response commitment
- We will acknowledge receipt of your report within 2 business days.
- We will provide an initial assessment and expected remediation timeline within 10 business days.
- We will keep you informed of remediation progress and coordinate disclosure timing with you where appropriate.
Contact
For security questions and vulnerability reports: security@mairit.ai.
For general privacy questions: privacy@mairit.ai.