Security Policy

• Production database credentials are stored as encrypted environment variables — never in code
• API keys for Anthropic, Stripe, Resend, and PostHog are stored in Railway environment variables
• MindFrame staff do not have routine access to individual user session data
• Admin routes are protected by separate authentication beyond standard user auth
• Git repository has branch protection on main — all changes require review

• Input validation via NestJS class-validator DTOs on all API endpoints
• Rate limiting on AI-heavy endpoints (Anthropic API calls, coach, personalized challenges)
• Global exception filter prevents stack traces from leaking in production responses
• Content Security Policy headers on all web responses
• CORS policy restricts API access to authorised origins
• SQL injection prevention via Prisma ORM parameterised queries
• Push notification VAPID keys securely stored; subscriptions validated server-side

• Challenge answers and reasoning text are sent to Anthropic's Claude API for scoring — bound by Anthropic's zero-data-retention API agreement
• AI responses are cached in Redis with no PII in cache keys
• Your cognitive data is never used to train AI models (ours or Anthropic's)
• Coach session context is limited to the last 3 sessions — not your full history

• Personal data breaches are investigated immediately upon detection
• Affected users and relevant authorities are notified within 72 hours of confirmed breach (as required by GDPR)
• Post-incident reviews are conducted and findings used to improve security posture
• Contact: security@usemindframe.com

We appreciate security researchers who help keep MindFrame safe. If you've discovered a vulnerability, please report it responsibly:

As MindFrame grows, we are committed to:

• Pursuing SOC 2 Type II certification (planned for 2026/27)
• Publishing an annual transparency report covering security incidents and government data requests
• Running regular penetration tests against production infrastructure