← Back to Mirian AI

Security

Last updated: March 31, 2026

Mirian AI processes sensitive financial data on behalf of mid-market B2B companies. Security is foundational to our platform — not an afterthought. This page describes the technical and organizational measures we employ to protect your data.

1. Encryption

All data is encrypted both at rest and in transit:

  • At rest: 256-bit AES encryption via AWS RDS and S3 server-side encryption
  • In transit: TLS 1.3 enforced on all connections — API, web, database, and inter-service communication
  • Secrets management: All credentials, API keys, and tokens are stored in environment variables, never committed to source control

2. Multi-Tenant Data Isolation

Every row of data in Mirian AI is scoped to a tenant. Tenant isolation is enforced at the database query layer — every query includes a tenant_id filter extracted from the authenticated user's JWT. There is no mechanism for one tenant to access another's data, even through the API.

3. Authentication and Access Control

Authentication

User sessions are managed via JWTs stored in httpOnly, Secure, SameSite cookies. Passwords are hashed with bcrypt. Service-to-service communication uses dedicated API keys with restricted scopes.

Authorization (RBAC)

Role-based access control is enforced via Open Policy Agent (OPA). Policies are version-controlled and evaluated on every request. Roles include Admin, Manager, and Member, each with granular permissions.

4. Infrastructure

  • Cloud provider: Amazon Web Services (us-east-1)
  • Database: AWS RDS PostgreSQL with automated backups, encryption, and private subnet isolation
  • Networking: VPC with public/private subnet separation; database is not publicly accessible
  • Containers: All services run in Docker containers with minimal base images and no root access
  • CI/CD: GitLab CI with automated builds, linting, and deployment gating

5. Audit Logging

All sensitive operations — data access, configuration changes, authentication events, and administrative actions — are logged to an immutable audit trail. Audit logs include the actor, action, resource, timestamp, and tenant context. Logs are retained for a minimum of 12 months.

6. AI and Data Processing

Mirian AI uses large language models (Anthropic Claude) for agentic features including autonomous agents and the Mirian Pulse copilot.

  • No training on your data: Your financial data is never used to train third-party AI models
  • Scoped context: AI agents only receive the minimum data necessary for the specific task
  • Auditable decisions: All agent actions are logged with full reasoning traces
  • Human oversight: Agents operate within configured boundaries; high-risk actions require human approval

7. Vulnerability Management

  • Dependencies are vendored and audited for known vulnerabilities
  • Docker base images are regularly updated
  • OWASP Top 10 protections are applied across the platform
  • Regular penetration testing and security reviews

8. Compliance

  • SOC 2 Type II: Audit in progress
  • GDPR: Data processing agreements and standard contractual clauses available for EU customers
  • Data residency: All data is stored in the United States (AWS us-east-1)

9. Incident Response

We maintain an incident response plan that includes detection, containment, investigation, and notification procedures. In the event of a security incident affecting your data, we will notify affected customers within 72 hours in accordance with applicable regulations.

10. Responsible Disclosure

If you discover a security vulnerability in Mirian AI, please report it to us responsibly. We appreciate your help in keeping our platform safe.

Report a Vulnerability

security@mirianai.com

Please include a detailed description of the vulnerability, steps to reproduce, and any relevant screenshots or logs.