Enterprise Security
How MIR protects your organization's data, credentials, and policy infrastructure
Last updated: February 2026
Data Protection
- All data encrypted in transit (TLS/HTTPS only) and at rest (disk-level encryption)
- Credentials, API keys, and external identifiers are cryptographically hashed (SHA-256), never stored in plaintext
- Minimal data storage by design — only the data required for continuity signals is retained
- No behavioral data, raw events, or activity details cross organizational boundaries
Personally Identifiable Information
MIR stores exactly one piece of PII: an email address. This is a deliberate architectural constraint, not a policy preference. No names, profile data, or identity attributes are stored. Participation history is recorded separately from identity and cannot be linked back to platform activity or personal behavior.
Authentication & Access Control
- Single sign-on (SSO) via WorkOS — your existing identity provider enforces authentication
- SSO sessions are capped at 8 hours and time out after 1 hour of inactivity
- Role-based access control: OWNER, ADMIN, and ANALYST roles with scoped permissions
- Step-up authentication required for sensitive operations (key rotation, team management)
- Session cookies carry the Secure, HttpOnly, and SameSite attributes, and session identifiers are rotated automatically
Infrastructure
- Hosted on isolated VPC networking with private databases
- Inbound access restricted via firewall allowlists
- Rate limiting and connection caps prevent abuse at every layer
- Production, staging, and development environments fully isolated
Policy API Security
- API keys transmitted over TLS and stored as SHA-256 hashes — never logged or stored in plaintext
- Credentials scoped to your organization with org-level isolation
- Sandbox and production environments fully separated — test without affecting live data
- Tier-based rate limits enforced per endpoint to prevent abuse and ensure availability
- Idempotent request support via the Idempotency-Key header; responses are cached for 24 hours
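The replay-cache behaviour behind an Idempotency-Key header, as an added example that is not MIR's own code: the first request with a key is evaluated and its response cached for 24 hours; a retry with the same key and body gets the cached response back without re-evaluation. The following are assumptions of this example, not statements from the page: keys are scoped per organization, a reuse of the same key with a different body is refused rather than silently replayed, and the body is matched on a canonical-JSON fingerprint. The handler, header value, and request bodies are constructed.

```python
"""Replay cache keyed on an Idempotency-Key header (added example, not MIR's code).

Assumptions made here, not stated on the page: the key is scoped to the
calling organization, a replay with the same key but a different body is
rejected instead of served from cache, and responses are keyed on a
canonical JSON fingerprint of the request body.
"""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDEMPOTENCY_TTL_SECONDS = 24 * 60 * 60  # page states a 24-hour cache window


@dataclass
class Response:
    status: int
    body: dict
    replayed: bool = False  # True when served from the cache, not re-evaluated


class IdempotentEvaluator:
    """Wraps a non-idempotent handler so retries with the same key are safe."""

    def __init__(self, handler: Callable[[dict], Response], clock=time.time):
        self._handler = handler
        self._clock = clock
        # (org_id, key) -> (expires_at, body_fingerprint, original response)
        self._cache: Dict[Tuple[str, str], Tuple[float, str, Response]] = {}

    @staticmethod
    def _fingerprint(body: dict) -> str:
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def handle(self, org_id: str, headers: dict, body: dict) -> Response:
        key: Optional[str] = headers.get("Idempotency-Key")
        if key is None:
            return self._handler(body)  # no key: evaluate normally, cache nothing
        now = self._clock()
        fp = self._fingerprint(body)
        entry = self._cache.get((org_id, key))
        if entry is not None:
            expires_at, cached_fp, cached = entry
            if now < expires_at:
                if cached_fp != fp:
                    # Same key, different payload: refuse rather than silently replay.
                    return Response(422, {"error": "idempotency_key_reused_with_different_body"})
                return Response(cached.status, cached.body, replayed=True)
            del self._cache[(org_id, key)]  # expired: fall through and re-evaluate
        resp = self._handler(body)
        self._cache[(org_id, key)] = (now + IDEMPOTENCY_TTL_SECONDS, fp, resp)
        return resp


def demo() -> dict:
    """Constructed walk-through with a fake clock and a counting handler."""
    calls = []
    clock = {"now": 1_700_000_000.0}

    def handler(body: dict) -> Response:
        calls.append(body)
        return Response(200, {"decision": "allow", "evaluation_id": f"eval-{len(calls)}"})

    ev = IdempotentEvaluator(handler, clock=lambda: clock["now"])
    hdrs = {"Idempotency-Key": "3f9c1d2e-7b0a-4c3e-9f2a-1b2c3d4e5f60"}  # constructed value
    body = {"actor_type": "service", "action": "read", "resource": "policy:42"}

    first = ev.handle("org_a", hdrs, body)          # evaluated: eval-1
    second = ev.handle("org_a", hdrs, body)         # replayed from cache, still eval-1
    mismatch = ev.handle("org_a", hdrs, {**body, "action": "delete"})  # 422
    other_org = ev.handle("org_b", hdrs, body)      # separate org, separate cache: eval-2
    clock["now"] += IDEMPOTENCY_TTL_SECONDS + 1     # past the 24-hour window
    expired = ev.handle("org_a", hdrs, body)        # re-evaluated: eval-3
    return {"first": first, "second": second, "mismatch": mismatch,
            "other_org": other_org, "expired": expired, "handler_calls": len(calls)}


if __name__ == "__main__":
    print(demo())
```

Scoping the cache by organization matters: without it, a key value chosen by one tenant could surface another tenant's cached response. Rejecting a key reused with a different body is the safer failure mode; serving the old response would hide a client bug.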
Organizational Controls
- Team management with role-based access — control who can view evaluations, manage keys, or administer the org
- API key rotation without downtime — generate new credentials before revoking old ones
- Sandbox testing environment for validating policy rules before production deployment
- Complete audit logging of all team actions, key operations, and configuration changes
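The two mechanisms above, API keys stored only as SHA-256 hashes (Policy API Security) and key rotation without downtime (Organizational Controls), as one added example that is not MIR's own code. Everything about the key format is an assumption of this example: a key is "<key_id>.<secret>" where the key_id is a short public identifier safe to log and the secret is a 256-bit random value. The store keeps the hash, the owning organization, and a revocation flag, and compares digests in constant time. The rotation sequence issues the replacement first, keeps both keys valid while clients cut over, and only then revokes the old one.

```python
"""API-key issuance, SHA-256 storage and zero-downtime rotation (added example, not MIR's code).

Assumptions not taken from the page: a key is "<key_id>.<secret>" where the
key_id is a short public identifier safe to log and the secret is a 256-bit
random value. An unsalted SHA-256 is adequate here only because the secret is
high-entropy random data; it is never acceptable for user-chosen passwords.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class StoredKey:
    key_id: str       # public identifier, safe to log
    org_id: str       # org-level isolation: the key can only act for this org
    key_hash: str     # hex SHA-256 of the full plaintext key; the plaintext is never stored
    revoked: bool = False


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, StoredKey] = {}

    @staticmethod
    def _hash(plaintext: str) -> str:
        return hashlib.sha256(plaintext.encode()).hexdigest()

    def issue(self, org_id: str) -> Tuple[str, str]:
        """Create a key and return (key_id, plaintext). The plaintext is shown once."""
        key_id = "mir_" + secrets.token_hex(6)
        plaintext = f"{key_id}.{secrets.token_urlsafe(32)}"
        self._by_id[key_id] = StoredKey(key_id, org_id, self._hash(plaintext))
        return key_id, plaintext

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the org_id the key belongs to, or None if unknown, revoked or wrong."""
        key_id, _, _ = presented.partition(".")
        rec = self._by_id.get(key_id)
        if rec is None or rec.revoked:
            return None
        # Constant-time comparison of the stored digest against the presented key's digest.
        if not hmac.compare_digest(rec.key_hash, self._hash(presented)):
            return None
        return rec.org_id

    def revoke(self, key_id: str) -> None:
        self._by_id[key_id].revoked = True

    def records(self) -> List[StoredKey]:
        return list(self._by_id.values())


def demo() -> dict:
    """Rotation sequence: issue the replacement first, cut over, then revoke the old key."""
    store = ApiKeyStore()
    old_id, old_key = store.issue("org_a")
    before = store.authenticate(old_key)
    _new_id, new_key = store.issue("org_a")          # step 1: issue the replacement
    overlap = (store.authenticate(old_key), store.authenticate(new_key))  # both valid: no downtime
    store.revoke(old_id)                              # step 2: revoke once clients have moved
    after = (store.authenticate(old_key), store.authenticate(new_key))
    # One changed character in the secret must fail even though the key_id still matches.
    last = new_key[-1]
    tampered = store.authenticate(new_key[:-1] + ("A" if last != "A" else "B"))
    # Nothing persisted contains the secret half of either plaintext key.
    secret_parts = [old_key.split(".", 1)[1], new_key.split(".", 1)[1]]
    leaked = any(s in repr(store.records()) for s in secret_parts)
    return {"before": before, "overlap": overlap, "after": after,
            "tampered": tampered, "leaked": leaked}


if __name__ == "__main__":
    print(demo())
```

The public key_id is what belongs in audit logs and dashboards; the secret half appears only once, at issuance, and a database dump yields only digests of random 256-bit values.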
Transparency & Auditability
- All policy evaluations are logged with actor type, decision outcome, and timestamp
- Team action audit trail — every key rotation, role change, and configuration update is recorded
- Dashboard analytics provide visibility into API usage patterns and evaluation volumes
Incident Preparedness
- Instant credential rotation and revocation — compromised keys can be invalidated immediately
- Per-endpoint rate limits with tier-based thresholds contain blast radius
- Structured audit logging of all API access and authentication events for forensic review
- Automated backups and recovery procedures in place
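What "per-endpoint rate limits with tier-based thresholds" buys in containment, as an added example that is not MIR's own code: a token bucket keyed on (organization, endpoint), so that exhausting one endpoint's budget blocks neither the same organization's other endpoints nor any other organization. The tier names, endpoint paths, and per-minute thresholds are constructed for illustration; the page states only that limits are per endpoint and per tier. An unknown tier or endpoint fails closed.

```python
"""Per-endpoint, tier-based token-bucket limiter (added example, not MIR's code).

The tier names, endpoints and per-minute thresholds below are constructed for
illustration; the page states only that limits are per endpoint and per tier.
"""
import time
from typing import Dict, Tuple

# Requests per minute, per (tier, endpoint). Constructed values.
TIER_LIMITS: Dict[str, Dict[str, int]] = {
    "sandbox":    {"/v1/evaluate": 60,   "/v1/keys": 10},
    "standard":   {"/v1/evaluate": 600,  "/v1/keys": 30},
    "enterprise": {"/v1/evaluate": 6000, "/v1/keys": 60},
}


class EndpointRateLimiter:
    """Token bucket keyed on (org, endpoint): exhausting one endpoint does not
    block the org's other endpoints, and one org never consumes another's budget."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        # (org_id, endpoint) -> (tokens remaining, timestamp of last refill)
        self._buckets: Dict[Tuple[str, str], Tuple[float, float]] = {}

    def allow(self, org_id: str, tier: str, endpoint: str) -> Tuple[bool, int]:
        """Return (allowed, tokens remaining). Unknown tier or endpoint fails closed."""
        limit = TIER_LIMITS.get(tier, {}).get(endpoint)
        if limit is None:
            return False, 0
        refill_per_sec = limit / 60.0
        now = self._clock()
        tokens, last = self._buckets.get((org_id, endpoint), (float(limit), now))
        tokens = min(float(limit), tokens + (now - last) * refill_per_sec)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self._buckets[(org_id, endpoint)] = (tokens, now)
        return allowed, int(tokens)


def demo() -> dict:
    """Constructed sequence with a fake clock: a sandbox org burns its /v1/keys budget."""
    clock = {"now": 0.0}
    rl = EndpointRateLimiter(clock=lambda: clock["now"])
    keys_results = [rl.allow("org_a", "sandbox", "/v1/keys")[0] for _ in range(11)]
    evaluate_still_ok = rl.allow("org_a", "sandbox", "/v1/evaluate")[0]   # other endpoint unaffected
    other_org_ok = rl.allow("org_b", "sandbox", "/v1/keys")[0]            # other org unaffected
    unknown_tier = rl.allow("org_a", "trial", "/v1/keys")[0]              # fails closed
    clock["now"] += 7.0   # at 10/min one token refills every 6 s
    after_refill = rl.allow("org_a", "sandbox", "/v1/keys")[0]
    after_refill_again = rl.allow("org_a", "sandbox", "/v1/keys")[0]
    return {"keys_results": keys_results, "evaluate_still_ok": evaluate_still_ok,
            "other_org_ok": other_org_ok, "unknown_tier": unknown_tier,
            "after_refill": after_refill, "after_refill_again": after_refill_again}


if __name__ == "__main__":
    print(demo())
```

In a deployment the bucket state would live in a shared store rather than process memory, but the keying is the point: the blast radius of a runaway or malicious client is one organization's budget on one endpoint.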
Questions about enterprise security?
We're happy to discuss our security practices and compliance posture in detail.