Security at Mantyl

How we protect your data and ensure platform integrity.

Encryption

In transit: All data is encrypted using TLS 1.2+ between your browser and our servers.

At rest: Data is encrypted using AES-256 encryption on our database infrastructure (Supabase).

Credentials: Integration API keys are stored with database-level encryption and are never exposed in API responses.

Authentication & Access Control

Authentication is handled by Supabase Auth with support for magic links and Google OAuth.

All API endpoints are protected by default-deny middleware. Row Level Security (RLS) is enforced on every database table, ensuring users can only access their own data.

Sessions include a 1-hour idle timeout with a 5-minute warning before automatic sign-out.

AI Data Processing

Alma uses multiple AI providers (Anthropic, OpenAI, Mistral AI, Google Gemini, Groq) to power its agent capabilities. Your chat messages and project context are sent to the selected AI provider for processing.

AI model selection is automatic based on task complexity but can be configured per project. All AI interactions include prompt injection defenses and output validation.

We do not use your data to train AI models. Refer to each provider's data processing terms for their retention policies.

Infrastructure

Hosting: Vercel (edge network with global CDN)

Database: Supabase (managed PostgreSQL with automatic backups)

Region: United States (primary)

All infrastructure providers maintain SOC 2 Type II compliance.

Security Headers & Protections

All responses include security headers: Content-Security-Policy, Strict-Transport-Security (HSTS), X-Frame-Options (DENY), X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
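The two controls above, a default-deny route allowlist (from the Authentication & Access Control section) and a fixed set of security headers on every response, fit naturally into one request gate. The following is an added example, not Mantyl's own middleware: it is framework-agnostic, the route table, the session lookup and the header values (CSP directives, HSTS max-age, Permissions-Policy features) are assumptions chosen for illustration, and anything not explicitly listed is refused.

```javascript
// Added example (not Mantyl's code): a framework-agnostic request gate that
// combines a default-deny route allowlist with the security headers the page
// lists. Header values and the route table are assumptions for illustration.

// Security headers attached to every response, including denials.
const SECURITY_HEADERS = Object.freeze({
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
});

// Explicit allowlist (assumed routes). "public" routes need no session; every
// other listed route requires an authenticated user. Unlisted method/path
// combinations are denied without consulting any handler.
const ROUTES = [
  { method: "GET",  pattern: /^\/api\/health$/,               auth: "public" },
  { method: "POST", pattern: /^\/api\/auth\/magic-link$/,     auth: "public" },
  { method: "GET",  pattern: /^\/api\/projects(\/[\w-]+)?$/,  auth: "user" },
  { method: "POST", pattern: /^\/api\/projects$/,             auth: "user" },
  { method: "POST", pattern: /^\/api\/ai\/chat$/,             auth: "user" },
];

function findRoute(method, path) {
  // Patterns are anchored and case-sensitive, so "/api/Health" or
  // "/api/health/" do not match and fall through to the deny branch.
  return ROUTES.find((r) => r.method === method && r.pattern.test(path)) || null;
}

// Pure function: a minimal request description plus a session lookup in,
// { status, headers, body } out. Denial is the default branch, not an exception.
function handleRequest(req, getSession) {
  // The WHATWG URL parser resolves dot segments, so "/api/../admin" is matched
  // as "/admin" rather than sneaking past a prefix check.
  const url = new URL(req.url, "https://example.invalid");
  const route = findRoute(req.method, url.pathname);

  let status = 404;
  let body = "not found";
  if (route) {
    if (route.auth === "public") {
      status = 200;
      body = "ok";
    } else {
      const session = getSession(req.headers.cookie || "");
      if (session && session.userId) {
        status = 200;
        body = `ok:${session.userId}`;
      } else {
        status = 401;
        body = "unauthorized";
      }
    }
  }
  return { status, headers: { ...SECURITY_HEADERS }, body };
}
```

Returning 404 for unlisted routes rather than 403 keeps the surface uniform: an unauthenticated caller learns nothing about which paths exist beyond the ones they are already allowed to reach. Headers are copied onto every response, so an error page is never the one response that ships without HSTS or a frame-ancestors restriction.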

API endpoints are rate-limited per user with tiered limits based on endpoint sensitivity (20 RPM for AI calls, 60 RPM for standard CRUD).
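Per-user tiered limiting is easy to get subtly wrong (shared counters across tiers, fixed windows that allow a double burst at the boundary). The following is an added example, not Mantyl's implementation: a sliding-window limiter keyed on user and tier, using the two limits quoted above (20 RPM for AI calls, 60 RPM for standard CRUD). The path-to-tier classification, the in-memory store and the injectable clock are assumptions for illustration; a multi-instance deployment would keep the same logic over a shared store.

```javascript
// Added example (not Mantyl's code): per-user, per-tier sliding-window limiter.
// Limits mirror the page (20 RPM AI, 60 RPM CRUD); the route classification
// and the in-memory store are assumptions for illustration.

const LIMITS = Object.freeze({ ai: 20, crud: 60 }); // requests per window
const WINDOW_MS = 60_000;                            // one minute

// Classify a request path into a tier. Anything unrecognised gets the
// strictest tier so a new endpoint is never accidentally unlimited.
function tierFor(path) {
  if (path.startsWith("/api/ai/")) return "ai";
  if (path.startsWith("/api/")) return "crud";
  return "ai";
}

class RateLimiter {
  // `now` is injectable so the window logic can be tested deterministically.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.buckets = new Map(); // "userId:tier" -> timestamps in insertion order
  }

  // Returns { allowed, remaining, retryAfterMs, tier }. A request is counted
  // only when it is allowed, so denied requests cannot extend the lockout.
  check(userId, path) {
    const tier = tierFor(path);
    const limit = LIMITS[tier];
    const key = `${userId}:${tier}`;
    const t = this.now();
    const cutoff = t - WINDOW_MS;

    let hits = this.buckets.get(key) || [];
    // Evict timestamps that have left the sliding window.
    let i = 0;
    while (i < hits.length && hits[i] <= cutoff) i++;
    if (i > 0) hits = hits.slice(i);

    if (hits.length >= limit) {
      this.buckets.set(key, hits);
      // Oldest in-window hit decides when the next slot frees up.
      return { allowed: false, remaining: 0, retryAfterMs: hits[0] + WINDOW_MS - t, tier };
    }
    hits.push(t);
    this.buckets.set(key, hits);
    return { allowed: true, remaining: limit - hits.length, retryAfterMs: 0, tier };
  }
}
```

Because the key includes the tier, exhausting the AI budget leaves CRUD calls untouched and vice versa, and `retryAfterMs` gives the caller an honest `Retry-After` value instead of a guess. Keying on the authenticated user rather than the client IP means a shared NAT does not penalise unrelated users, and one user cannot dodge the limit by rotating addresses.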

All API inputs are validated and sanitized. File exports enforce size limits and filename sanitization.
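As an added example (not Mantyl's code) of the export-side checks described above: a size limit enforced before any bytes are streamed, and a filename sanitizer that strips path components and user-supplied extensions so the name is safe in a `Content-Disposition` header. The byte limit, the allowed extensions and the replacement character are assumptions for illustration.

```javascript
// Added example (not Mantyl's code): guarding a file export with a size limit
// and filename sanitization. The limit, the allowed extensions and the
// replacement policy are assumptions for illustration.

const MAX_EXPORT_BYTES = 10 * 1024 * 1024;            // 10 MiB, assumed
const ALLOWED_EXTENSIONS = new Set(["json", "csv", "md"]); // assumed formats
const MAX_NAME_LENGTH = 100;

// Turn a user-chosen name into a header-safe filename. The server picks the
// extension; the caller never gets to choose it.
function sanitizeExportFilename(requested, extension) {
  if (!ALLOWED_EXTENSIONS.has(extension)) {
    throw new Error("unsupported export format");
  }
  // Keep only the last path segment so "../../etc/passwd" cannot steer a path.
  let base = String(requested).split(/[\\/]/).pop() || "";
  // Drop any extension the user supplied.
  base = base.replace(/\.[^.]*$/, "");
  // Allow a conservative ASCII set; everything else (spaces, quotes, control
  // characters, NUL) becomes "_", which keeps the header quoting trivial.
  base = base.replace(/[^A-Za-z0-9._-]+/g, "_");
  // Strip leading dots and dashes (hidden files, ".." remnants, option-like
  // names) and trailing separators left by the replacement above.
  base = base.replace(/^[._-]+/, "").replace(/[._-]+$/, "");
  if (base.length === 0) base = "export";
  base = base.slice(0, MAX_NAME_LENGTH);
  return `${base}.${extension}`;
}

// Check the size limit before anything is written to the response.
function prepareExport(payload, requestedName, extension) {
  const bytes = Buffer.byteLength(payload, "utf8");
  if (bytes > MAX_EXPORT_BYTES) {
    return { ok: false, reason: "export exceeds size limit", bytes };
  }
  return { ok: true, bytes, filename: sanitizeExportFilename(requestedName, extension) };
}
```

Two points a reviewer would check: the size check runs on the full serialized payload, not on the row count, so a handful of very large records cannot slip past; and because the sanitizer's output is plain ASCII without quotes or control characters, it can be placed in `Content-Disposition: attachment; filename="..."` without further escaping. If exports are ever written to disk on a Windows host, reserved device names such as `CON` or `NUL` would need an additional check.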

Vulnerability Disclosure

If you discover a security vulnerability, please report it responsibly to security@mantyl.ai.

We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days.

See our security.txt for additional details.