— Security & Trust

How we protect what you give us.

Last updated: 2026-05-20

We're honest about where we are. Mallín is pre-SOC 2, late-stage design partner. The architecture is built for enterprise security; the formal attestations are being sequenced. This page describes what's true today and what's in progress, with no aspirational claims dressed up as current state.

Architecture in one paragraph

Mallín is a multi-tenant SaaS application. Each customer is a separate tenant; data is isolated at the database row level. The product is hosted on Vercel (US-East), backed by Supabase (Postgres, US-East), authenticated through Clerk, and delivers AI inference via Anthropic's Claude API. CRM integrations (HubSpot live; Salesforce, Pipedrive planned) are OAuth-based and write through to your CRM as the system of record — Mallín does not maintain a parallel data plane (see AI Governance for the doctrine).

Encryption

  • In transit: TLS 1.3 on all customer-facing endpoints. HTTP requests are redirected to HTTPS. HSTS enforced.
  • At rest: AES-256 via our infrastructure providers (Supabase, Vercel). All customer data, backups, and audit logs encrypted.
  • Secrets: API keys, OAuth tokens, and other secrets stored in Vercel's encrypted environment variable store. Never committed to source control. Rotated on personnel changes.

Authentication & access control

  • Customer authentication: handled by Clerk (SOC 2 Type 2). Email + password by default; MFA available (TOTP, recovery codes).
  • Multi-tenant isolation: every database query filters by tenant_id. Row-Level Security (RLS) policies enforce isolation at the database layer as defense in depth.
  • Mallín team access: production database access is limited to engineering staff (currently the founder) via service-role credentials stored in a password manager. All production access is logged.
  • Least privilege: API routes use scoped credentials. Frontend code never sees service-role tokens.

Multi-tenant isolation

Every table that stores customer data carries a tenant_id column. Application code filters by tenant on every read and write. Database-level Row-Level Security policies enforce the boundary as defense in depth — even an application bug cannot leak data across tenants without also bypassing Postgres RLS.

Audit of every RLS policy across every customer-data table is on the near-term roadmap (target: prior to first paid customer). We will publish the audit summary on this page when complete.

Audit logging

We log security-relevant events: authentication attempts, CRM writes (who wrote what to where, when), AI calls (prompt + response metadata, not full content), data exports, and account modifications. Audit logs are retained for the life of the account.

In progress — Centralized audit log infrastructure with customer-facing query API is on the near-term roadmap.

Backups & disaster recovery

  • Database backups: Supabase performs continuous backups with point-in-time recovery for the last 7 days (free tier) or 30 days (paid tier).
  • Recovery time objective (RTO): < 4 hours for full database restore.
  • Recovery point objective (RPO): < 5 minutes data loss for unplanned events.
  • Code/configuration: source code and deployment configuration in GitHub; Vercel maintains immutable deployment history for rollback.

Incident response

We maintain an incident response playbook covering: detection, triage, containment, customer notification, post-incident review.

Notification commitment: if we become aware of a security incident affecting your data, we will notify you within 72 hours with the facts we have at that time, and we will continue to update you as the investigation progresses.

Report a suspected vulnerability: hello@mallin.io with "Security" in the subject. We acknowledge within 24 hours.

Data deletion

Customer-initiated data deletion: email hello@mallin.io from an account-owner email address. We acknowledge within 24 hours and complete deletion within 30 days, including backups.

On account closure: all customer data is purged from active systems within 30 days and from backups within an additional 30 days, per the Privacy Policy retention schedule.

Compliance posture

FrameworkStatusNotes
SOC 2 Type 1PlannedFormal engagement scoped for after first paid customer. Architecture is SOC 2-aligned today; the attestation lags.
GDPRAlignedDPA available on request. Subject-rights workflow operational. Standard Contractual Clauses for EU→US transfers where applicable.
CCPA / CPRAAlignedSubject-rights workflow operational. We do not sell personal information.
HIPAANot in scopeMallín is not currently designed for protected health information. Do not upload PHI.
PCI DSSNot in scopeMallín does not collect or process payment card data.

Vendor security questionnaires

If your security team needs a SIG, CAIQ, or custom questionnaire filled out, or if you need us to sign a DPA or NDA before exchange, email hello@mallin.io with the request. We turn these around within 48 hours during design-partner phase.

What we will not do

  • Sell or rent your data.
  • Use your deal content to train shared AI models.
  • Share your data with other Mallín customers.
  • Provide your data to law enforcement without legal process; if compelled by valid process, we will notify you unless prohibited.
  • Maintain a parallel data plane that diverges from your CRM (see AI Governance and Terms).