Security

Mnemix is designed for tenant-scoped caller memory and enrichment on managed edge infrastructure, with conservative logging and narrow secret handling.

Last updated: May 3, 2026

Infrastructure

  • Cloudflare Workers host the production API at the edge.
  • Cloudflare Hyperdrive provides Postgres connection pooling.
  • Supabase Postgres stores tenants, contacts, interactions, audit logs, and operational tables.
  • Upstash Redis and QStash support caching, rate limiting, queues, and background jobs.

Tenant Isolation

Mnemix enforces tenancy in the application layer. Core database queries explicitly filter by tenant_id. Row Level Security is intentionally disabled on core hot-path API tables because pooled postgres.js and Hyperdrive requests do not reliably preserve per-query session variables. App-layer tenant filters are therefore the source of truth for production API access.

API Keys and Secrets

  • API keys are high-entropy credentials and are stored as SHA-256 hashes.
  • Provider credentials are stored as Cloudflare Worker secrets.
  • Per-tenant tenant_secret values are generated in the database and used only for audit-log phone HMACs.
  • tenant_secret values must never be serialized into responses, webhooks, or logs.

Phone Privacy and Audit Logs

Mnemix audit logs store phone_number_hash, not raw phone numbers. The hash is HMAC-SHA256 over the E.164 phone number, keyed with the tenant's tenant_secret. Because the key differs per tenant, the same number hashes to a different value in each tenant, which prevents a shared plain hash from becoming a cross-tenant lookup table.
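
The keyed hashing described above, as an added example that is not Mnemix code: it contrasts an unkeyed SHA-256 with HMAC-SHA256 under a per-tenant key and matches a stored hash in constant time. The function names, the E.164 normalization step, the 32-byte minimum secret length, and the sample secrets are assumptions made for the illustration.

```javascript
// Added example; secrets and phone numbers used with it are constructed.
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const nodeCrypto = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

const E164 = /^\+[1-9]\d{1,14}$/;

// Canonicalize before hashing so "+1 (415) 555-0100" and "+14155550100"
// give the same digest; reject anything that is not valid E.164.
function normalizeE164(input) {
  const compact = String(input).replace(/[\s().-]/g, "");
  if (!E164.test(compact)) throw new Error("phone number is not E.164");
  return compact;
}

// Unkeyed hash: identical for every tenant, so one precomputed table of
// phone numbers would reverse the hashes of all tenants at once.
function plainPhoneHash(phone) {
  return nodeCrypto.createHash("sha256").update(normalizeE164(phone)).digest("hex");
}

// Keyed hash: HMAC-SHA256(key = tenant_secret, message = E.164 number).
// Assumption: tenant_secret is handled as raw bytes, at least 32 of them.
function phoneNumberHash(tenantSecret, phone) {
  if (!Buffer.isBuffer(tenantSecret) || tenantSecret.length < 32) {
    throw new Error("tenant_secret must be a Buffer of at least 32 bytes");
  }
  return nodeCrypto.createHmac("sha256", tenantSecret)
    .update(normalizeE164(phone)).digest("hex");
}

// Constant-time check of a stored audit-log hash against a candidate number.
function matchesAuditHash(storedHex, tenantSecret, phone) {
  const stored = Buffer.from(storedHex, "hex");
  const candidate = Buffer.from(phoneNumberHash(tenantSecret, phone), "hex");
  return stored.length === candidate.length &&
    nodeCrypto.timingSafeEqual(stored, candidate);
}

// Constructed tenants: fixed bytes for a repeatable demo, real secrets are random.
const TENANT_A_SECRET = Buffer.alloc(32, 0x11);
const TENANT_B_SECRET = Buffer.alloc(32, 0x22);
console.log("plain   :", plainPhoneHash("+14155550100"));
console.log("tenant A:", phoneNumberHash(TENANT_A_SECRET, "+14155550100"));
console.log("tenant B:", phoneNumberHash(TENANT_B_SECRET, "+14155550100"));
```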

Logging and Background Failures

Operational logs are sanitized to avoid phone numbers, transcripts, summaries, names, enrichment payloads, API keys, webhook secrets, provider tokens, and tenant secrets. Background audit, cache, enrichment, webhook, and dead-letter failures are logged with operational fields such as tenant_id, contact_id, endpoint, status, and error type.

Current Compliance Posture

Mnemix does not currently publish a SOC 2 report, HIPAA BAA, or formal compliance certification. These may be part of future enterprise readiness work, but they should not be assumed unless agreed in writing.

Responsible Disclosure

To report a security issue, email hello@mnemix.ai with a clear description, affected endpoint or route, reproduction steps, and potential impact. Mnemix does not currently operate a paid bug bounty program.