No buzzwords, no "military-grade." Just the controls, the certifications, and the people who'd answer if something broke at 3am.
Certifications & attestations
SOC 2 · Type II
Annual audit by Prescient Assurance. Continuous, all five trust criteria.
Renewed Q1 2026
ISO 27001:2022
Information security management system. Re-cert audit Sept 2026.
Cert # ISMS-7720
GDPR + UK GDPR
SCCs, IDTA, Article 28 DPA on file. DPO contactable.
privacy@sibuor.com
PCI DSS · SAQ-A
We never see card numbers — Stripe's iframe handles it end-to-end.
Scope · merchant only
How we think about security
Four pillars, in order of how often we make decisions about them:
Least privilege, always
No engineer has standing access to customer messages. Production reads are JIT, approved by a second engineer, logged, and auto-expire in 4 hours.
Encrypt everything, twice
TLS 1.3 in transit. AES-256 at rest. Per-tenant envelope keys via AWS KMS — if we lose one key, only one customer is affected, and we can rotate without re-encrypting the world.
Train no one's model on anyone
Customer data never trains a cross-tenant model. Inference providers are bound to zero-retention contracts. We audit them quarterly.
Boring is best
We chose AWS, Postgres, Stripe, Auth0 because they're audited by people far stricter than us. No clever stack choices in the security path.
Data protections
- In transit: TLS 1.3, HSTS preload, certificate pinning on mobile.
- At rest: AES-256-GCM on RDS, S3, EBS. Per-tenant data keys wrapped by KMS CMKs.
- Field-level: Phone numbers and handles are stored hashed and indexed; the raw values are decrypted only at read time, and every such read is audited.
- Backups: Continuous PITR for 35 days, daily snapshots for 90 days, encrypted, cross-region.
- Deletion: Account-deletion flow wipes within 30 days, including from backups (we run a quarterly purge).
- Residency: EU operators can pin all storage to eu-west-1. US is default us-east-1.
Access controls
- SSO via Google & Microsoft for the Studio plan; OTP for everyone else.
- Hardware MFA required for every Mira employee. YubiKey or nothing.
- Role-based access in the dashboard: Owner, Operator, Viewer, Billing-only.
- Quarterly access reviews. We've revoked our own access more than once.
Infrastructure & vendors
Mira runs on AWS (us-east-1 + eu-west-1) with multi-AZ Postgres, an isolated VPC per environment, and zero-trust networking between services. We publish our subprocessor list in the DPA — it changes rarely, and never without 30 days' notice.
Our employees use managed laptops with full-disk encryption, MDM, and EDR. We don't allow personal devices to touch production.
Incident response
- Detection: 24/7 on-call rotation, with alerts triaged by an actual human inside 5 minutes.
- Containment: Documented runbooks, tested quarterly via tabletop exercises.
- Customer notice: If your data is involved, you hear from us inside 72 hours, in writing, with what happened and what we did.
- Post-mortem: Public on status.sibuor.com within 7 days, including the timeline and what we changed.
Find a bug, get paid.
Disclose responsibly to security@sibuor.com with PGP if you have it. We pay between $250 and $15,000 depending on severity, and we'll hand-write you a thank-you note either way.