Security

Encryption

• In Transit — All data transmitted between your browser and MentionFox is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints with HSTS headers.
• At Rest — All data stored in our database is encrypted using AES-256 encryption, managed by our infrastructure provider (Supabase/AWS).
• Secrets — API keys, tokens, and sensitive credentials are stored in Supabase Vault with additional application-level encryption.

Authentication and Access

• Password Security — Passwords are hashed using bcrypt with per-user salts. We never store plaintext passwords.
• Session Management — Authentication sessions use JWTs with configurable expiry. Sessions are stored in browser localStorage and validated on every request.
• Row-Level Security — Our database uses Supabase Row-Level Security (RLS) policies to ensure users can only access their own data. Every database query is scoped to the authenticated user.
• Service Role Isolation — Administrative operations use separate service role credentials that are never exposed to the client.

Infrastructure

• Database — Supabase (managed PostgreSQL on AWS), hosted in Tokyo (ap-northeast-1). Supabase maintains SOC 2 Type II certification.
• Frontend — Vercel edge network with global CDN distribution, automatic DDoS protection, and SOC 2 Type II certification.
• DNS and CDN — Cloudflare for DNS management and edge caching with WAF protection.
• Payment Processing — Stripe handles all payment data. Stripe is PCI DSS Level 1 certified. MentionFox never stores credit card numbers.

Application Security

• Input Validation — All user inputs are validated and sanitized before processing to prevent injection attacks.
• CORS Policies — Cross-Origin Resource Sharing is restricted to authorized domains only.
• Rate Limiting — API endpoints are rate-limited to prevent abuse and brute-force attacks.
• Dependency Management — We regularly audit and update third-party dependencies to address known vulnerabilities.

Incident Response

In the event of a security incident:

• We will investigate and contain the incident immediately.
• Affected users will be notified within 72 hours of confirmation.
• Relevant supervisory authorities will be notified as required by GDPR and applicable law.
• A post-incident report will be prepared documenting the timeline, impact, root cause, and remediation steps.

Responsible Disclosure

If you discover a security vulnerability in MentionFox, please report it responsibly by emailing security@mentionfox.com. We will acknowledge receipt within 48 hours and work with you to understand and address the issue. We will not take legal action against researchers who report vulnerabilities responsibly.

Contact