Security at Mimir

Your product data is sensitive. We treat it that way. Every layer of Mimir is built to keep your data encrypted, isolated, and under your control.

Encryption at rest

All content is encrypted with AES-256-GCM before it reaches the database. Field-level — project names, sources, insights, recommendations, chat messages, and business context are each individually encrypted.

Tenant isolation

Every database query is scoped to your account. No API endpoint, URL, or query path can return another user's data. Enforced at the database layer, not just application logic.

Authentication

Google OAuth only — no passwords stored. Sessions are database-backed and revocable. Every API route checks authentication before returning data.

AI data handling

Powered by Anthropic's Claude API. Anthropic does not train on API inputs (privacy policy). Your data is never shared with third parties for model training.

Infrastructure

Vercel SOC 2 Type II hosting. Neon PostgreSQL with connection-level TLS. Parameterized queries only — no raw SQL. All traffic encrypted in transit via HTTPS with HSTS.

Security headers

Content Security Policy, X-Frame-Options DENY, strict transport security, content type sniffing prevention, and restrictive referrer policy on every response. Camera, microphone, and geolocation disabled.

Rate limiting

Per-user and IP-based rate limiting with tiered limits for AI operations, uploads, and standard requests.

No content tracking

Product analytics track feature usage, not your content. We never log or analyze what you put into Mimir.

Your data, your control

Delete any project, source, or conversation at any time. Deletion is permanent — removed from the database, not soft-deleted.

Technical details

Encryption: AES-256-GCM with unique 96-bit IV per operation, authenticated encryption with 128-bit auth tags
Encrypted fields: Project names, descriptions, summaries, source content, insight titles and summaries, recommendation titles and rationale, chat messages, knowledge entries, and business context
Key management: 256-bit encryption keys stored as environment variables with support for key rotation
Authentication: NextAuth v5 with Google OAuth, database-backed sessions, no password storage
Database: Neon PostgreSQL with parameterized queries via Prisma ORM, connection-level TLS
Hosting: Vercel (SOC 2 Type II), serverless functions, edge network with automatic TLS
Rate limiting: Upstash Redis with sliding window algorithm — 20 req/min for AI, 10 req/min for uploads, 60 req/min standard
AI provider: Anthropic Claude API — zero-retention, no training on API inputs
Headers: HSTS, CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy (no camera/mic/geo)

Questions?

If you have questions about how Mimir handles your data, or if you need specific security documentation for your organization, get in touch. We're happy to discuss our security practices in detail.