Security

How we protect your most personal data

Last updated: February 6, 2026

At Mentoré, security is foundational to everything we build. Your journal entries, tracking data, and coaching conversations are deeply personal—we treat their protection with the utmost seriousness.

Encrypted in Transit

All data is encrypted in transit using TLS 1.3

Secure Infrastructure

Hosted on SOC 2 Type II certified providers

Encryption at Rest

AES-256 encryption for all stored data

Privacy by Design

Your data is never used for advertising

Security Overview

We implement a defense-in-depth security strategy with multiple layers of protection:

  • Industry-standard encryption for data in transit and at rest
  • Secure authentication with modern protocols
  • Automated vulnerability scanning and dependency monitoring
  • Strict access controls and security best practices
  • Monitoring and alerting provided by our infrastructure providers

Data Encryption

In Transit

All communications between your device and our servers are protected using TLS 1.3 encryption. This ensures that third parties cannot read your data during transmission, even if the traffic itself is intercepted.

At Rest

All stored data is encrypted using AES-256 encryption. This includes:

  • Journal entries and content
  • Tracking data (mood, sleep, habits)
  • AI conversation history
  • Account information
  • Database backups

Encryption Keys

Encryption keys are managed using industry-standard key management services with regular rotation. Keys are never stored alongside encrypted data.

Infrastructure Security

Our infrastructure is hosted on trusted cloud providers with comprehensive security certifications:

  • Hosting: Vercel (frontend) and Supabase (database), both with SOC 2 Type II certification
  • Data Centers: Geographically distributed with redundancy
  • Network Security: Firewalls, DDoS protection, and intrusion detection systems
  • Monitoring: Automated monitoring and alerting via infrastructure providers

Security Assessments

  • Automated vulnerability scanning of dependencies
  • Continuous dependency security monitoring
  • Code security reviews as part of development workflow

Access Control

User Authentication

  • Secure password requirements with strength validation
  • Password hashing using bcrypt with strong salt
  • Session management with secure, HTTP-only cookies
  • Automatic session expiration and re-authentication

Internal Access

  • Principle of least privilege for all team members
  • Multi-factor authentication required for all staff
  • Access logging and audit trails
  • Regular access reviews and revocation procedures

Limited Data Access

Our engineering team has limited access to production user data. Access is logged, audited, and only granted when necessary for support or debugging purposes.

AI & Data Processing Security

AI-powered features introduce unique security considerations. Here's how we protect your data during AI processing:

  • Data Minimization: We only send necessary context to AI providers, not your entire history
  • No Training: Your data is never used to train public AI models
  • Secure APIs: All AI provider communications use encrypted connections
  • Data Processing Agreements: We have strict DPAs with all AI providers (OpenAI, Anthropic)
  • Zero Retention: AI providers are contractually prohibited from retaining your data

For more details about AI transparency, see our AI Transparency page.

Compliance

We maintain compliance with key privacy and security standards:

  • GDPR: Full compliance with EU data protection regulations
  • CCPA: Compliance with California Consumer Privacy Act
  • SOC 2: Infrastructure providers maintain SOC 2 Type II certification

Incident Response

We have a comprehensive incident response plan that includes:

  • Monitoring for security events via infrastructure providers
  • Documented escalation procedures
  • Breach notification within 72 hours as required by GDPR
  • Post-incident analysis and remediation

Breach Notification

In the event of a data breach affecting your personal information, we will notify you via email within 72 hours and provide details about the incident and steps we're taking to address it.

Security Reporting

We value the security research community. If you discover a security vulnerability, please report it responsibly:

  • Email security issues to info@mentore-ai.com
  • Include detailed steps to reproduce the issue
  • Allow reasonable time for us to investigate and fix
  • Do not access, modify, or delete other users' data

Questions?

We take all security reports seriously and aim to respond within 24 hours.

info@mentore-ai.com