Security & Compliance

    Trust Center

    Mixpeek is built with security at every layer — from database-level tenant isolation to zero-trust network policies. Here's how we protect your data.

    Compliance

    SOC 2 Type II: In Progress

    Observation period initiated. Controls mapped to Trust Service Criteria.

    HIPAA: In Progress

    Technical safeguards implemented. BAAs being executed with all subprocessors.

    GDPR: Compliant

    Data processing agreements available. Data subject access request workflow in place.

    Security Controls

    Technical controls implemented across infrastructure, application, and data layers.

    Tenant Isolation

    Every query is automatically scoped by organization and namespace at the database layer. Cross-tenant data access is architecturally impossible.
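The following is an added illustration of what "every query is scoped by organization and namespace at the database layer" means in practice; it is example code, not Mixpeek's implementation. The field names `org_id` and `namespace`, the helper names, and the sample documents are assumptions. It contrasts a naive dict merge, where a caller-supplied filter can override the tenant fields, with a server-side filter that is always ANDed in and that rejects any caller filter touching those fields.

```python
"""Tenant-scoped query filters (example code, not Mixpeek's own).
Field names org_id/namespace and all helper names are assumptions."""
from typing import Any, Optional

TENANT_FIELDS = ("org_id", "namespace")


class TenantScopeError(ValueError):
    """Raised when a caller-supplied filter tries to address tenant fields."""


def _mentions_tenant_field(node: Any) -> bool:
    """Recursively look for org_id/namespace keys in a MongoDB-style filter,
    including inside $and/$or/$nor arrays, so they cannot be smuggled in."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in TENANT_FIELDS or _mentions_tenant_field(value):
                return True
    elif isinstance(node, list):
        return any(_mentions_tenant_field(item) for item in node)
    return False


def scoped_filter(org_id: str, namespace: str,
                  user_filter: Optional[dict] = None) -> dict:
    """Combine the tenant predicate with the caller's filter using $and.

    $and (rather than dict.update) guarantees the tenant predicate is always
    enforced; filters that mention tenant fields at all are rejected.
    """
    tenant = {"org_id": org_id, "namespace": namespace}
    if not user_filter:
        return tenant
    if _mentions_tenant_field(user_filter):
        raise TenantScopeError("tenant fields are set by the server, not the caller")
    return {"$and": [tenant, user_filter]}


def naive_merge(org_id: str, namespace: str,
                user_filter: Optional[dict] = None) -> dict:
    """The unsafe variant: a plain dict merge lets the caller's keys win."""
    return {"org_id": org_id, "namespace": namespace, **(user_filter or {})}


def matches(doc: dict, filt: dict) -> bool:
    """Minimal evaluator for the filter subset used here (equality and $and)."""
    for key, value in filt.items():
        if key == "$and":
            if not all(matches(doc, sub) for sub in value):
                return False
        elif doc.get(key) != value:
            return False
    return True


# Constructed sample documents belonging to two different tenants.
DOCS = [
    {"_id": 1, "org_id": "org_a", "namespace": "prod", "kind": "video"},
    {"_id": 2, "org_id": "org_a", "namespace": "staging", "kind": "video"},
    {"_id": 3, "org_id": "org_b", "namespace": "prod", "kind": "video"},
]


def query(org_id: str, namespace: str, user_filter: Optional[dict] = None,
          builder=scoped_filter) -> list:
    """Return the _ids visible to (org_id, namespace) under the given builder."""
    filt = builder(org_id, namespace, user_filter)
    return [d["_id"] for d in DOCS if matches(d, filt)]


if __name__ == "__main__":
    print(query("org_a", "prod"))                                   # [1]
    print(query("org_a", "prod", {"org_id": "org_b"}, naive_merge))  # [3]: leak
    try:
        query("org_a", "prod", {"org_id": "org_b"})
    except TenantScopeError as exc:
        print("rejected:", exc)
```

The `naive_merge` path shows the failure mode the control prevents: with a dict merge, a caller who can influence the filter body reads another organization's documents. The scoped path returns only tenant rows and raises before the query reaches the database.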

    Encryption at Rest

    Secrets vault uses Fernet symmetric encryption. Storage credentials are protected with MongoDB Client-Side Field Level Encryption (CSFLE).

    Encryption in Transit

    All external traffic uses TLS 1.2+. MongoDB enforces requireTLS mode. HSTS is enabled with preload across all domains.

    API Key Security

    Keys are SHA-256 hashed before storage. Plaintext is shown once at creation. Keys support expiration, revocation, and fine-grained scopes.

    Audit Logging

    Every significant action is logged to an immutable ClickHouse-backed audit trail with 365-day retention. Actor, action, resource, and changes are all captured.

    Network Security

    Zero-trust Kubernetes network policies isolate services. GCE metadata server access is blocked. Internal metrics are restricted to private networks.

    RBAC & Scoped Access

    Four-tier permission model (Read, Write, Delete, Admin) with hierarchical inheritance. API keys support namespace and operation-level scoping with wildcards.
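As an added example covering both the API Key Security and RBAC & Scoped Access controls above (example code, not Mixpeek's own implementation), the block below generates a key whose plaintext is returned exactly once, stores only its SHA-256 digest, checks expiration and revocation, and evaluates scopes of the assumed form `<namespace-pattern>:<operation>` with wildcard matching and tier inheritance (Admin covers Delete, Write and Read; Delete covers Write and Read; and so on). The `mpk_` prefix, the record layout, the scope string format, and the tier ordering are all assumptions.

```python
"""API key hashing, lifecycle and scoped permission checks (example code,
not Mixpeek's own). Key prefix, record layout, scope format and tier
ordering are assumptions made for this illustration."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
from typing import Optional

# Four-tier model; a higher tier inherits every lower tier (assumed ordering).
TIERS = ("read", "write", "delete", "admin")
TIER_RANK = {name: i for i, name in enumerate(TIERS)}


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str                    # SHA-256 of the secret; plaintext never stored
    scopes: list                     # e.g. ["prod:read", "team-*:write", "dev:*"]
    expires_at: Optional[datetime] = None
    revoked: bool = False


def _sha256(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()


def create_key(scopes, ttl_days: Optional[int] = None):
    """Generate a key. The plaintext is returned once; only its hash is kept."""
    secret = "mpk_" + secrets.token_urlsafe(32)
    expires = None
    if ttl_days is not None:
        expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    record = ApiKeyRecord(key_id=secrets.token_hex(8), key_hash=_sha256(secret),
                          scopes=list(scopes), expires_at=expires)
    return secret, record


def lookup(presented: str, store: dict) -> Optional[ApiKeyRecord]:
    """Find the record for a presented key by digest, comparing in constant time."""
    digest = _sha256(presented)
    for record in store.values():
        if hmac.compare_digest(record.key_hash, digest):
            return record
    return None


def is_active(record: ApiKeyRecord, now: Optional[datetime] = None) -> bool:
    """A key is usable only if it is neither revoked nor past its expiry."""
    now = now or datetime.now(timezone.utc)
    if record.revoked:
        return False
    if record.expires_at is not None and now >= record.expires_at:
        return False
    return True


def scope_allows(scope: str, namespace: str, operation: str) -> bool:
    """One scope grants (namespace, operation) if the namespace pattern matches
    and the granted tier is at or above the requested tier. An operation of
    '*' means admin on the matched namespaces."""
    ns_pattern, _, op = scope.partition(":")
    if not fnmatchcase(namespace, ns_pattern):
        return False
    granted = "admin" if op == "*" else op
    if granted not in TIER_RANK or operation not in TIER_RANK:
        return False
    return TIER_RANK[granted] >= TIER_RANK[operation]


def authorize(presented: str, store: dict, namespace: str, operation: str,
              now: Optional[datetime] = None):
    """Full request check: known key, still active, some scope covers the call.
    Returns (allowed, reason)."""
    record = lookup(presented, store)
    if record is None:
        return False, "unknown key"
    if not is_active(record, now):
        return False, "key expired or revoked"
    if any(scope_allows(s, namespace, operation) for s in record.scopes):
        return True, "ok"
    return False, "scope does not cover request"


if __name__ == "__main__":
    secret, rec = create_key(["prod:read", "team-*:write"], ttl_days=30)
    store = {rec.key_id: rec}          # what the server persists: no plaintext
    print(authorize(secret, store, "prod", "read"))        # (True, 'ok')
    print(authorize(secret, store, "team-video", "read"))  # inherited from write
    print(authorize(secret, store, "prod", "delete"))      # scope does not cover
    rec.revoked = True
    print(authorize(secret, store, "prod", "read"))        # revoked
```

Revocation is a flag flip on the stored record, so an attacker who later obtains a leaked plaintext gains nothing once it is set; expiry is evaluated against the server clock on every call rather than at issuance.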

    Infrastructure Hardening

    Containers run as non-root with dropped capabilities. GKE Workload Identity eliminates static credentials. Resource quotas prevent runaway usage.

    Disaster Recovery

    Cross-region database backups (us-east1 + us-west1) with 30-day retention. Quarterly DR drills validate backup restorability.

    How We Handle Your Data

    Your data stays yours

    We never use customer data to train models. Your uploaded content, extracted features, and query results are yours alone.

    Delete anytime

    Delete individual documents, entire namespaces, or your full account. Deletion cascades across all storage layers — vectors, metadata, and files. Backup copies are rotated out within 30 days.

    Encrypted everywhere

    TLS in transit, AES-256 at rest. Sensitive fields like storage credentials use MongoDB Client-Side Field Level Encryption so even database administrators can't read them.

    Full audit trail

    Every create, update, delete, and access is logged with actor ID, timestamp, and change details. Audit logs are immutable and retained for 365 days.

    Subprocessors

    Third-party services that process data on behalf of Mixpeek.

    Provider           | Purpose                          | Data Processed                                                             | Location
    Google Cloud (GKE) | Compute, orchestration & storage | All application data, database (MongoDB on GCE), vector store (MVS on GCS) | us-east1
    AWS S3             | Object storage                   | Uploaded files & assets                                                    | us-east-1
    Cloudflare         | CDN & DDoS protection            | HTTP traffic (transit only)                                                | Global edge
    PropelAuth         | Authentication (Studio)          | User identity & session                                                    | US
    Clerk              | Authentication (Canvas)          | User identity & session                                                    | US
    Stripe             | Billing                          | Payment information                                                        | US
    Sentry             | Error monitoring                 | Error reports & stack traces                                               | US
    PostHog            | Product analytics                | Usage events (PII masked)                                                  | US

    Questions?

    For security inquiries, vulnerability reports, or to request our SOC 2 report, contact us.

    [email protected]