Security & Compliance
Built for OSINT, not data scraping. Honest answers to the questions enterprise buyers actually ask.
Last updated: May 2026
What we do with data
MentionFox runs open-source intelligence (OSINT) on public information. Exactly what we collect and where it lives:
| What we collect | Why | Where it lives |
|---|---|---|
| Public profiles (X, LinkedIn, blogs, news, podcasts) | Source material for vetting reports — every claim cited to a public URL. | Supabase Postgres (Sydney region), encrypted at rest. |
| Subject identifiers (name + company you typed in) | Disambiguates the report subject. Doesn't leave the report row. | Same. |
| Your outbound email log (messages you sent through MentionFox) | Reply tracking, sequence pacing. Yours, not the recipient's. | Same. Deletable on request. |
| Account & usage (email, billing, feature usage) | Run your account, bill, support, improve the product. | Same. Stripe for payment data only. |
What we don't do
- We don't scrape private databases. Every source we touch is public. No paid data brokers, no leaked credentials, no purchased lists.
- We don't store EU/UK private personal data outside what's already public. If it's on someone's LinkedIn or in a published article, we may cite it. If it's behind a login wall or in a private database, we don't have it.
- We don't sell or rent a "lead list." Every subject is researched on demand against a name you provided. We have no pre-built contact database for sale.
- We don't send email from our servers. Outbound goes through your warmed sending domain via Brevo SMTP. SPF / DKIM / DMARC live in your DNS — we provide setup instructions, you control the records.
- We don't share your account data with third parties for advertising. No ad pixels, no marketing trackers. Analytics via Umami (cookieless).
Email deliverability — SPF / DKIM / DMARC
Outbound sequences ship through Brevo SMTP using your sending domain, not ours. Authentication is your DNS to control:
- SPF — Add Brevo's send servers to your sending domain's SPF record.
- DKIM — Brevo provides DKIM keys to publish in your DNS. Setup instructions in your account dashboard.
- DMARC — We recommend p=none reporting at minimum; p=quarantine once SPF and DKIM are stable.
Brevo's authentication docs: help.brevo.com/.../12163873383186. Because the records live on your domain, MentionFox's reputation cannot pollute yours, and vice versa.
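An added example, not MentionFox's or Brevo's code, that checks DMARC and SPF TXT records against the rollout advice above (reporting first, p=quarantine once SPF and DKIM are stable). The sample records are constructed; the include: hostname and report mailbox are placeholders, not Brevo's real values, which come from the linked docs.

```python
# Policy strength order used to judge the staged rollout.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=none; rua=...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in POLICY_RANK:
        raise ValueError("missing or invalid p= tag")
    return tags

def check_dmarc(record: str, spf_dkim_stable: bool) -> list:
    """Return findings against the staged rollout: p=none with rua= reporting
    first, p=quarantine only once SPF and DKIM pass reliably."""
    findings = []
    tags = parse_dmarc(record)
    rank = POLICY_RANK[tags["p"]]
    if "rua" not in tags:
        findings.append("no rua= aggregate report address; alignment failures go unseen")
    if spf_dkim_stable and rank < POLICY_RANK["quarantine"]:
        findings.append("SPF and DKIM are stable but p=none still applies; move to p=quarantine")
    if not spf_dkim_stable and rank > POLICY_RANK["none"]:
        findings.append("enforcing before SPF/DKIM are stable risks quarantining your own mail")
    return findings

def spf_includes(record: str, provider: str) -> bool:
    """True if an SPF record delegates to the given include: hostname."""
    if not record.lower().startswith("v=spf1"):
        return False
    mechanisms = record.split()[1:]
    return any(m.lower().lstrip("+") == f"include:{provider.lower()}" for m in mechanisms)

if __name__ == "__main__":
    # Constructed sample records; hostnames are placeholders (see lead-in).
    spf = "v=spf1 include:spf.example-esp.invalid ~all"
    dmarc = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    print("SPF delegates to provider:", spf_includes(spf, "spf.example-esp.invalid"))
    print("DMARC findings once stable:", check_dmarc(dmarc, spf_dkim_stable=True))
```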
GDPR & Data Processing Agreement
A Data Processing Agreement (DPA) is available on request for Enterprise customers — email saul@ritekit.com with your company name and we'll send the current template.
We are GDPR-aligned in design:
- Subjects of any MentionFox report can request removal — see "Subject removal" below. We delete within 7 days.
- Account holders can export their account data or delete their account from /dashboard/settings.
- We don't claim to be "GDPR certified" — no such certification exists. Compliance is a design property, not a badge.
SOC 2 Type II: Not yet
We are not currently SOC 2 Type II certified. We are evaluating audit timelines for Q3 2026. If your procurement requires SOC 2, email saul@ritekit.com with your timeline — we'll let you know if our Q3 estimate fits.
What we have in place today (Type I-equivalent controls): RLS-isolated data per user, service-role-gated edge functions, no shared admin passwords, encrypted-at-rest Postgres, time-limited OAuth tokens, no third-party marketing trackers, audit log on credit-ledger and outbound-message tables.
Sub-processors
MentionFox uses these third-party services to operate. Each has its own privacy / data-handling policy.
- Supabase — Postgres + auth + storage · Sydney (ap-southeast-2) · policy
- Vercel — Frontend hosting · policy
- Stripe — Payment processing · PCI DSS Level 1 · policy
- Anthropic — Claude / Haiku, research synthesis · Data not used for training · policy
- DeepSeek — Supplementary LLM for ranking · policy
- Brevo — SMTP for outbound · You control the sending domain · policy
- Resend — Transactional email (auth, billing) · policy
- Serper — Google search API · policy
- SocialData — X / Twitter public data · site
- Firecrawl — Web scraping (public pages only) · policy
- Hunter — Email pattern lookup · policy
Subject removal — if you're in a MentionFox report
If you are a subject of a MentionFox report and want it removed:
- Email saul@ritekit.com with the report URL (the one starting with mentionfox.com/vetting/...).
- We delete the report row + cached HTML within 7 days. No questions, no friction.
- Public data we cited remains public — we don't have the power to remove a LinkedIn profile or news article. We only remove our cache of it.
- If a report's existence harms you AND the public data behind it is also wrong, contact the original source (the news site, the LinkedIn owner) separately. MentionFox's deletion doesn't fix upstream errors.
Encryption
- In transit — All data transmitted between your browser and MentionFox is encrypted via TLS 1.2+. We enforce HTTPS on all endpoints with HSTS headers.
- At rest — Data stored in our database is encrypted using AES-256, managed by Supabase / AWS.
- Secrets — API keys, tokens, and credentials are stored in Supabase Vault with additional application-level encryption.
Authentication & access
- Password security — Passwords are hashed via bcrypt with per-user salts. We never store plaintext passwords.
- Session management — Sessions use JWTs with configurable expiry. Stored in browser localStorage and validated on every request.
- Row-level security — Supabase RLS policies ensure users can only access their own data. Every database query is scoped to the authenticated user.
- Service-role isolation — Administrative operations use separate service-role credentials that are never exposed to the client.
Infrastructure
- Database — Supabase (managed PostgreSQL on AWS), Sydney region (ap-southeast-2). Supabase maintains SOC 2 Type II.
- Frontend — Vercel edge network with global CDN distribution, automatic DDoS protection, and SOC 2 Type II.
- DNS & CDN — Cloudflare for DNS management and edge caching with WAF protection.
- Payments — Stripe handles all payment data. PCI DSS Level 1. MentionFox never stores credit card numbers.
Application security
- Input validation — All user inputs are validated and sanitized before processing.
- CORS — Cross-origin requests restricted to authorized domains only.
- Rate limiting — API endpoints rate-limited to prevent abuse.
- Dependency hygiene — Third-party dependencies audited and updated regularly.
Incident response
If a security incident occurs:
- We investigate and contain immediately.
- Affected users notified within 72 hours of confirmation.
- Supervisory authorities notified as required by GDPR and applicable law.
- Post-incident report documents timeline, impact, root cause, remediation.
Responsible disclosure
If you discover a security vulnerability in MentionFox, please email saul@ritekit.com. We aim to acknowledge within 24 hours and patch P0 issues within 7 days. We will not pursue legal action against researchers who report vulnerabilities responsibly. Coordinated disclosure with 30 days advance notice is welcome.