Security & compliance
How we secure customer data. Encryption, multi-tenancy, infra, subprocessors, certifications — the honest list.
This page documents how MindDigitize secures customer data. It's updated when our controls change — current as of the date at the top.
We're a small team that takes security seriously, which means two things: the controls below are real and verifiable, and we won't claim certifications we don't have.
Encryption
All customer data is encrypted in transit with TLS 1.3 (no fallback to deprecated ciphers) and at rest with AES-256-GCM using AWS-managed keys (aws/s3, aws/rds). Enterprise customers can elect customer-managed keys (CMKs) via AWS KMS.
The public viewer enforces HTTPS for every request via HSTS with a 1-year max-age and preload enabled.
Authentication
The editor supports two authentication paths: email-and-password with bcrypt hashing (cost factor 12), and SAML 2.0 / OIDC SSO via WorkOS (Scale and Enterprise tiers). Two-factor authentication via TOTP is available on every tier and enforced for admin roles on Enterprise.
Session tokens are JWTs signed with HS256, rotated every 12 hours, and bound to the user's IP class (/24 for IPv4, /56 for IPv6).
Multi-tenancy
Every record in the database carries an organizationId enforced at the repository layer (not the application layer). Cross-tenant queries are prevented by repository-level guards that fail closed if the organizationId is missing. Cross-tenant data leakage is a P0 incident; we test the boundary in CI on every merge.
Infrastructure
We run on AWS in us-east-1 (US data plane) and eu-west-3 / Paris (EU data plane). Compute uses ECS Fargate; storage is RDS Postgres (with read replicas) and S3 with versioning + object-lock for backup buckets.
The marketing site you're reading runs on Vercel; it has no access to customer data and is treated as untrusted from the data plane's perspective.
Backups
Database backups are taken hourly (point-in-time recovery enabled), retained for 35 days. File storage is replicated cross-AZ within region. Backups are tested by a monthly restore-to-staging drill — the drill log is available to auditors on request.
Monitoring
Production has continuous monitoring across application logs (Datadog), infrastructure metrics (CloudWatch), and security events (AWS GuardDuty + custom CloudTrail analysis). On-call rotation covers 24×7 for P0/P1 incidents on Scale and Enterprise plans.
Vulnerability disclosure
If you've found a security issue, email security@minddigitize.com with details. Encrypted communication via PGP is available — the public key is at /security/pgp.
We commit to:
- Acknowledging your report within 2 business days.
- Triaging within 5 business days.
- Notifying you when the issue is resolved.
- Not pursuing legal action against good-faith research that stays within our scope.
We do not currently run a paid bounty programme. We do publicly credit researchers (if they want it) and ship swag.
Subprocessors
Customer data is processed by the following subprocessors. Updates to this list are announced 30 days in advance to subscription admins.
- Amazon Web Services — compute, storage, KMS, IAM. Data regions: us-east-1, eu-west-3.
- Stripe — billing. Never sees floor-plan or analytics data.
- Resend — transactional email (account, billing, incident notifications).
- WorkOS — SSO (SAML/OIDC) for Scale and Enterprise.
- Datadog — application logs and APM. Logs are scrubbed of PII before ingest.
- Cloudflare — DNS, WAF, DDoS mitigation. Does not terminate TLS for editor or API traffic.
Certifications
We are completing the SOC 2 Type II audit (window opens July 2026; report expected Q4 2026). We do not yet hold ISO 27001 or HIPAA BAA capability — both are on the 2027 roadmap. We do not claim compliance with frameworks we have not audited against.
GDPR: we operate as a data processor under Article 28, with a Data Processing Addendum available on request.
Incident notification
If a security incident affects your data, we notify your designated security contact within 72 hours of confirmation, and your subscription admins within 24 hours of the initial notification. The post-mortem is delivered within 10 business days.
Contact
Security questions, vulnerability reports, audit-report requests: security@minddigitize.com.
