Vendor security questionnaire

81 pre-filled answers. Skip the back-and-forth. Download or browse below.

Last updated: May 2026. Refreshed quarterly.

1. Identity and Access (12 questions)

Does your platform support Single Sign-On (SSO)?

Yes. Enterprise plans support SAML 2.0 SSO with any compliant identity provider (Okta, Azure AD, Google Workspace, OneLogin).

Is multi-factor authentication (MFA) available?

Yes. MFA is available on all plans. Enterprise plans can enforce MFA for all team members via admin policy.

What is your password policy?

Minimum 12 characters, complexity requirements enforced. Bcrypt hashing with per-user salt. No plaintext storage.

What are your session timeout settings?

Default session timeout: 24 hours. Enterprise plans can configure custom timeouts (30 minutes to 7 days).

Do you support role-based access control (RBAC)?

Yes. Four roles: Admin (full access), Manager (assigned brands), Creator (generate and edit), Viewer (read-only). Enterprise plans support custom role definitions.

How do you handle user provisioning and deprovisioning?

Manual provisioning via admin dashboard. SCIM provisioning available on Enterprise plans. Deprovisioned users lose access immediately. Data retained per retention policy.

Do you support Just-In-Time (JIT) provisioning?

Yes, via SAML SSO. New users authenticated via SSO are auto-provisioned with a default role set by the admin.

How are API keys managed?

API keys are generated per-user via the dashboard. Keys can be rotated, revoked, and scoped to specific brands. All API calls are authenticated via Bearer token.

Do you log authentication events?

Yes. All login attempts, password changes, MFA events, and API key usage are logged with timestamps, IP addresses, and user agents. Logs retained for 90 days.

How do you handle failed login attempts?

Account lockout after 10 consecutive failed attempts. Lockout duration: 15 minutes. Admins are notified of lockout events.

Do you support IP allowlisting?

Enterprise plans support IP allowlisting for dashboard access and API calls.

How are admin privileges managed?

Admin role is assigned by account owner. Multiple admins supported. Admin actions are audit-logged. No shared admin accounts.

2. Data Security (15 questions)

How is data encrypted at rest?

AES-256-GCM encryption for all data at rest. Database: PostgreSQL with encrypted storage. Backups: AES-256 encrypted. File storage: server-side encryption.

How is data encrypted in transit?

TLS 1.3 for all connections. HTTP requests redirected to HTTPS. HSTS headers enforced. Certificate transparency logged.

How are encryption keys managed?

Encryption keys are managed by our infrastructure provider (Railway/AWS). Key rotation is automatic. We do not have access to encryption keys at rest.

How is customer data segregated?

Logical segregation at the database level. Each customer's data is isolated by account ID in every query. No shared data between accounts.

What is your data retention policy?

Active accounts: data retained while subscription is active. Cancelled accounts: data retained for 30 days, then permanently deleted. Backups: retained for 14 days.

How is data deleted when requested?

Data deletion requests are processed within 7 business days. Deletion is permanent and irreversible. Confirmation sent to account owner. Backups are purged within 14 days of deletion.

Do you store payment card data?

No. All payment processing is handled by Stripe (PCI-DSS Level 1). We never store, process, or transmit card data. Stripe tokens only.

Is customer data used to train AI models?

No. Customer Brand DNA, generated content, and usage data are never used to train AI models. Your data is exclusively yours.

Where is data stored geographically?

US East (Virginia) by default. EU West (Frankfurt) available for EU customers on Enterprise plans. Data residency options configurable per account.

How are database backups handled?

Automated daily backups with point-in-time recovery. Backups encrypted with AES-256. Retention: 14 days. Backups stored in a separate availability zone.

Do you support data export?

Yes. Full data export (Brand DNA, generation history, approved ads, campaigns) available in JSON and ZIP format from Settings > Export.

How do you handle data in development and testing environments?

Development and staging environments use synthetic data only. No production customer data is used in testing.

Do you have a data classification policy?

Yes. Data classified as: Public (marketing content), Internal (operational data), Confidential (customer Brand DNA, generated content), Restricted (credentials, API keys).

How is file upload data handled?

Uploaded files (product images, brand assets) are stored in encrypted object storage. Files are scanned for malware on upload. Access restricted to the owning account.

Do you support customer-managed encryption keys (CMEK)?

Not currently. Planned for Enterprise plans in 2027. Encryption keys are currently managed by our infrastructure provider.

3. Application Security (12 questions)

What is your software development lifecycle (SDLC)?

Trunk-based development on main branch. All code reviewed before merge. Automated type checking and linting on every commit. Staging environment for pre-production validation.

Do you perform code reviews?

Yes. All code changes are reviewed before merging to main. Automated checks run on every commit (TypeScript type checking, Biome linting).

How do you manage dependencies?

Dependencies managed via bun lockfile. Automated vulnerability scanning via GitHub Dependabot. Critical vulnerabilities patched within 48 hours.

Do you perform penetration testing?

Annual penetration testing planned. First test scheduled for Q4 2026 alongside SOC 2 Type II audit.

How do you handle vulnerability disclosures?

Responsible disclosure policy at security@maniai.com. Acknowledged within 48 hours. Critical vulnerabilities patched within 72 hours.

Do you use a Web Application Firewall (WAF)?

Yes. Cloudflare WAF with managed rulesets. Bot management. Rate limiting. DDoS protection included.

How do you handle input validation?

All user inputs validated server-side using Zod schemas. Client-side validation as UX convenience only. SQL injection prevented via parameterized queries (Drizzle ORM).

Do you have a bug bounty program?

Not currently. Planned for 2027. Security issues can be reported to security@maniai.com.

How are secrets and credentials managed?

Environment variables stored in Railway's encrypted variable store. No secrets in source code. .env files excluded from version control.

Do you use container security scanning?

Docker images built from minimal base images. No root processes in containers. Image scanning planned as part of SOC 2 compliance.

What frameworks and languages do you use?

Backend: Node.js (Fastify). Frontend: React + Astro. Database: PostgreSQL via Drizzle ORM. Queue: BullMQ + Redis. All TypeScript.

Do you support webhook signature verification?

Yes. All outbound webhooks are signed with HMAC SHA-256. Verification library available in our JavaScript and Python SDKs.

4. Network Security (8 questions)

How is your network protected?

Cloudflare provides DDoS protection, WAF, and CDN. Railway provides network isolation between services. No public-facing database ports.

Do you use intrusion detection?

Cloudflare's threat intelligence provides real-time threat detection. Railway monitors for anomalous traffic patterns. Application-level monitoring via Sentry.

How is network traffic segmented?

Internal services communicate via private networking. Database accessible only from application services. Redis accessible only from worker services. No public database endpoints.

Do you support VPN access?

Not applicable. All access is via HTTPS API and web dashboard. No VPN required or supported.

How do you handle DDoS attacks?

Cloudflare provides automatic DDoS mitigation. Volumetric attacks absorbed at the edge. Application-layer attacks filtered by WAF rules.

Do you monitor for data exfiltration?

Application-level rate limiting prevents bulk data export. API rate limits enforced per tier. Anomalous access patterns trigger alerts.

How are internal services authenticated?

Service-to-service communication uses internal network only (no public routing). Database connections use encrypted credentials rotated automatically.

Do you use network-level encryption?

Yes. All internal communication uses TLS. Database connections encrypted. Redis connections encrypted. No plaintext internal traffic.

5. Compliance (10 questions)

Do you have SOC 2 Type II certification?

In progress. Target completion: Q3 2026. Controls for security, availability, and confidentiality are implemented. Report will be available to Enterprise customers upon completion.

Do you have ISO 27001 certification?

Planned for 2027. Currently aligning controls with ISO 27001 Annex A as part of SOC 2 preparation.

Are you GDPR compliant?

Yes. Data processing agreements available. Right to access, delete, and port. Consent management. DPO contact: privacy@maniai.com. 72-hour breach notification.

Are you CCPA compliant?

Yes. Right to know, delete, and opt out. We do not sell personal information. Non-discrimination policy.

Are you PIPEDA compliant?

Yes. Consent-based data collection. Purpose limitation. Individual access rights for Canadian users.

Are you HIPAA compliant?

No. Mani is not designed for healthcare data. We do not sign BAAs. If you process PHI, mani is not the right tool.

Do you support data residency requirements?

Yes. Enterprise plans can configure data residency (US East or EU West). Data does not leave the selected region.

How do you handle regulatory changes?

Legal counsel reviews regulatory changes quarterly. Policy updates published within 30 days of material changes. Customers notified via email.

Do you have a Data Processing Agreement (DPA)?

Yes. Standard DPA available on request. Custom DPAs available for Enterprise plans.

Do you conduct privacy impact assessments?

Yes. Privacy impact assessments conducted before launching new features that process personal data. Results reviewed by DPO.

6. Incident Response (8 questions)

Do you have an incident response plan?

Yes. Documented IR plan covering identification, containment, eradication, recovery, and post-mortem. Plan tested annually.

What is your breach notification timeline?

72 hours for GDPR-covered incidents. 30 days for CCPA-covered incidents. Enterprise customers: per SLA (typically 24-48 hours).

How are security incidents classified?

P1 (critical: data breach, service down), P2 (high: partial outage, vulnerability exploited), P3 (medium: potential vulnerability, degraded performance), P4 (low: informational).

Who is responsible for incident response?

Founder is the incident commander for P1/P2. Engineering lead for P3/P4. External security consultants engaged for P1 incidents.

Do you conduct post-mortems?

Yes. Blameless post-mortems within 5 business days of P1/P2 incidents. Root cause analysis, timeline, and preventive measures documented.

How are customers notified of incidents?

Status page updated in real-time. Email notification for P1/P2 incidents affecting customer data or availability. Enterprise: per SLA notification channel.

Do you have cyber insurance?

Planned for Q4 2026 alongside SOC 2 completion.

How do you handle security researcher reports?

Responsible disclosure via security@maniai.com. Acknowledged within 48 hours. Updates provided during remediation. Credit given upon resolution.

7. Business Continuity (6 questions)

What is your Recovery Time Objective (RTO)?

RTO: 4 hours for full service restoration. Railway's managed infrastructure enables rapid failover.

What is your Recovery Point Objective (RPO)?

RPO: 1 hour. Point-in-time database recovery with 1-hour granularity. Daily full backups.

Do you have a disaster recovery plan?

Yes. DR plan covers: database failover, service redeployment, DNS failover, and communication plan. Tested semi-annually.

How are backups stored?

Automated daily backups stored in a separate availability zone. Encrypted with AES-256. Retention: 14 days. Backup restoration tested quarterly.

What is your historical uptime?

Target: 99.9%. Historical uptime tracked at status.maniai.com. Infrastructure managed by Railway with automatic scaling and health checks.

How do you handle vendor risk?

Critical vendor assessment conducted annually. Vendor list published (see Sub-processors). Alternative vendors identified for each critical dependency.

8. Sub-processors (5 questions)

Who are your sub-processors?

Railway (hosting, US/EU), Stripe (payments, US), Klaviyo (email marketing, US), Cloudflare (CDN/security, global), FairStack (image generation, US), Anthropic (AI generation, US), PostHog (analytics, EU), Sentry (error monitoring, US), Resend (transactional email, US).

How do you assess sub-processor security?

Sub-processors are assessed for SOC 2 or equivalent certification, data handling practices, and incident response capability before onboarding.

Do you notify customers of sub-processor changes?

Yes. 30-day advance notice for material sub-processor changes. Enterprise customers can object to new sub-processors per DPA terms.

Where do sub-processors store data?

Railway: US East (Virginia) or EU West (Frankfurt). Stripe: US. Klaviyo: US. Cloudflare: edge (global, cached only). PostHog: EU. Others: US.

Do any sub-processors have access to customer content?

FairStack and Anthropic process customer Brand DNA and generation prompts to produce creative output. No sub-processor retains customer data beyond the processing session.

9. HR Security (5 questions)

Do you conduct background checks?

Currently a solo-founder operation. Background checks will be conducted for all employees with access to customer data as the team grows.

Do employees receive security training?

Security awareness training conducted at onboarding and annually. Covers: phishing, social engineering, data handling, incident reporting.

How is access revoked when employees leave?

All access (code repositories, infrastructure, customer data, communication tools) revoked within 24 hours of separation. Credentials rotated.

Do you enforce acceptable use policies?

Yes. Acceptable use policy covers: data handling, device security, remote work, and use of company systems. Acknowledged at onboarding.

How is contractor and vendor access managed?

Contractors receive minimum-necessary access scoped to specific tasks. Access revoked upon contract completion. No persistent contractor access.

Need something custom?

If your security team has additional questions not covered here, we are happy to complete your specific questionnaire.