Stripe Connect OAuth
We never store your Stripe secret keys. We use Stripe Connect with OAuth, meaning you grant us limited, revocable access to your Stripe account. You can disconnect anytime from your Stripe dashboard.
Authentication Security
User authentication is handled by Clerk. Sessions and identity management are secured by Clerk's hardened authentication infrastructure using industry-standard security controls.
Encryption at Rest
All sensitive data, including OAuth tokens, is encrypted at rest using AES-256-GCM encryption. Encryption keys are rotated regularly and stored in secure key management systems.
Encryption in Transit
All data transmitted between your systems and MRRX is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and use HSTS to prevent downgrade attacks.
Infrastructure Security
MRRX runs on Vercel's edge network with automatic DDoS protection. Our database is hosted on Neon with automated backups and point-in-time recovery. Neon maintains SOC 2 Type II compliance for its infrastructure.
Tenant Isolation
Your data is completely isolated from other customers. Every database query is scoped to your tenant ID, and we use row-level security to prevent cross-tenant data access.
Audit Logging
Every action in MRRX is logged with timestamps, actor identification, and request details. Audit logs are retained for compliance and can be exported for your records.
API Key Security
API keys are hashed using SHA-256 before storage. We only store the hash, never the plain key. Keys can be rotated instantly from your dashboard.
Rate Limiting
All API endpoints are rate-limited to prevent abuse. Webhooks are signed, so your receiving endpoint can verify that each request originates from MRRX.
Compliance & Security Posture
GDPR Ready
MRRX follows GDPR-aligned data handling practices, including data access, deletion, and portability. Data Processing Agreements (DPA) are available upon request.
SOC 2 Controls (Inherited)
MRRX leverages SOC 2 Type II compliant infrastructure providers including Vercel, Neon, and Stripe. We inherit their audited security controls for hosting, networking, and data storage.
PCI DSS Level 1 (via Stripe)
MRRX never stores or processes credit card data. All payments are handled by Stripe, which is PCI DSS Level 1 certified.
Responsible Disclosure
Found a security vulnerability? We appreciate your help in keeping MRRX secure. Please report vulnerabilities to our security team. We commit to acknowledging your report within 24 hours and will keep you updated on our progress.
Questions about security?
We're happy to answer any questions about our security practices or provide additional documentation for your security review.