Security
How MIR protects your data and platform integrity
Last updated: December 2025
MIR is designed as privacy-first, abuse-resistant participation history infrastructure. Security is foundational to the platform—not an add-on.
Data Protection
- All data encrypted in transit (TLS/HTTPS only) and at rest (disk-level encryption)
- Credentials and API keys are cryptographically hashed, never stored in plaintext
- We store only the minimum data required for continuity signals
- Events carry no free-form metadata by design. Partners cannot accidentally store PII, credentials, or sensitive data in event payloads because the field does not exist. There is nothing to exfiltrate because there is nothing to store
- MIR does not label or rank users — history tiers reflect activity volume, not trustworthiness
Personally Identifiable Information
MIR stores exactly one piece of PII: an email address. This is a deliberate architectural constraint, not a policy preference. No names, profile data, or identity attributes are stored. Participation history is recorded independently of identity and cannot be reverse-engineered into platform activity or personal behavior.
Authentication
- Passwordless authentication with short-lived, single-use login links (10-minute expiry)
- Device fingerprint binding: each magic link is bound to the device that requested it. If a link is opened on a different device, the login is rejected and the token is consumed so it cannot be retried
- Secure, HTTP-only cookies with same-site enforcement
- Automatic session expiration and rotation
- Nonce-bound login links prevent cross-browser session hijacking
- WebAuthn passkeys supported for users who want hardware-key-level security
- Failed interception attempts are recorded as security events against the targeted identity. The system blocks the attack and remembers it happened, informing future authorization decisions
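The following Python example is added here for illustration and is not MIR's code: it shows one way to implement a single-use, 10-minute login link bound to the requesting device, where a mismatched device consumes the token and records a security event against the targeted identity. The class name, the fingerprint string, the event fields and the choice to keep only SHA-256 digests server-side are assumptions.

```python
import hashlib
import hmac
import secrets
import time

LINK_TTL_SECONDS = 600  # 10-minute expiry, as stated in the list above


class MagicLinkStore:
    """Hypothetical in-memory store for pending login links."""

    def __init__(self, clock=time.time):
        self._pending = {}          # sha256(token) -> (email, device_hash, expires_at)
        self.security_events = []   # failed interception attempts, per identity
        self._clock = clock         # injectable so expiry can be tested

    @staticmethod
    def _digest(value: str) -> str:
        return hashlib.sha256(value.encode("utf-8")).hexdigest()

    def issue(self, email: str, device_fingerprint: str) -> str:
        """Create a link token; only its digest is kept server-side."""
        token = secrets.token_urlsafe(32)
        self._pending[self._digest(token)] = (
            email,
            self._digest(device_fingerprint),
            self._clock() + LINK_TTL_SECONDS,
        )
        return token

    def redeem(self, token: str, device_fingerprint: str):
        """Return (email, "ok") on success, otherwise (None, reason)."""
        # pop() consumes the token on every attempt, so a rejected
        # login cannot be retried with the same link.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None, "unknown_or_used"
        email, device_hash, expires_at = record
        if self._clock() > expires_at:
            return None, "expired"
        presented = self._digest(device_fingerprint)
        if not hmac.compare_digest(device_hash, presented):
            # Remember the attempt against the identity that was targeted.
            self.security_events.append(
                {"identity": email, "type": "device_mismatch", "at": self._clock()}
            )
            return None, "device_mismatch"
        return email, "ok"
```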
Infrastructure
- Hosted on isolated VPC networking with private databases
- Inbound access restricted via firewall allowlists
- Rate limiting and connection caps prevent abuse
- Production, staging, and development environments fully isolated
Partner API Security
- Partner integrations authenticate via hashed API keys over TLS
- Credentials scoped to specific organizations with tier-based access controls
- Rate-limited and quota-controlled access
- Credentials revocable at any time
Transparency & Auditability
All partner queries are logged and auditable. Users can view which platforms queried their MIR history and when. We believe security should come with transparency, not opacity.
Incident Preparedness
- Partner credentials can be rotated or revoked immediately
- Per-endpoint rate limits with tier-based thresholds
- Structured audit logging of all API access and authentication events
- Automated backups and recovery procedures in place
Questions about security?
We're happy to discuss our security practices in more detail.