Security
What we have built and what we rely on
Infrastructure Security
Provided by our infrastructure partners
- AES-256 encryption at rest — Cloudflare R2
- TLS encryption in transit — Vercel and Cloudflare
- SOC 2 certified infrastructure — Cloudflare, Vercel, and Supabase each hold independent SOC 2 certifications
Application Security
Built into MandateRoom
- Cryptographically signed audit log (HMAC-SHA256) — every access event is signed; tampering is mathematically detectable
- Dynamic watermarking — every document page contains the viewer's email, IP address, and timestamp
- Role-based access controls — admin, reviewer, and viewer roles with per-document permission enforcement
- Instant access revocation — removing a member blocks access on the next request, with no residual cached access
- NDA acceptance tracking — timestamp and IP address recorded at the moment of acceptance
- IP address whitelisting — restrict access to specific IP ranges or corporate networks
- Append-only audit log — database-level trigger prevents any modification or deletion of audit records
What we do not have
We believe honesty builds more trust than inflated claims.
- We are not SOC 2 certified
- We do not have a dedicated security team
- We do not have 24/7 security monitoring
- We do not carry cyber liability insurance
- MandateRoom is a solo-operated product
To report a security concern:
hello@mandateroom.com
We respond to all security reports within 48 hours.