Security is a top priority at Mav and we understand how important your data is to you and those who depend on you. Mav has been entrusted with a significant variety and amount of sensitive application and user data. We do not take our responsibility lightly; we work diligently to continuously improve security processes and controls.
Any security concerns or vulnerabilities discovered in one of Mav's products or hosted services can be responsibly disclosed by emailing [email protected].
While we greatly appreciate community reports regarding security issues, at this time Mav does not provide compensation for vulnerability reports.
Our servers are located in Amazon AWS's Virginia (US) datacenter. All data is written to multiple disks instantly, backed up daily, and stored in multiple availability zones. Files that our customers upload are stored on servers that use modern techniques to remove bottlenecks and points of failure. Our software infrastructure is updated regularly with the latest security patches.
Over public networks we send data using strong encryption. We use SSL certificates issued by Cloudflare. You can check our currently supported ciphers here.
Encryption-at-rest of our database is achieved using AWS’s transparent disk encryption, which uses industry-standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by AWS. Backups are stored on Amazon S3 and encryption is performed via server-side encryption.
Files uploaded to Mav are stored in private S3 buckets that require one-time-use, time-limited tokens for access.
Our application and data servers are located in AWS's Virginia datacenter. More information about their controls, including physical security, can be found here.
All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data. Background checks aren’t performed on our workers. Everybody at Mav is trained and made aware of security concerns and best practices for their systems. Remote access to production systems is limited to workers who need access for their day-to-day work. We log all access to all accounts by IP address.
Employee and contractor computers (including desktop computers) are required to have and maintain full hard drive encryption. Additionally, laptop computers are required to use a VPN service when using the device outside of their home.
All payments are handled by Stripe. Your payment information is sent directly to Stripe and never stored on our servers. In fact, all payment requests bypass our servers completely, ensuring that sensitive payment information also does not appear in our logs.
For more information about Stripe's security controls, you can visit their security page.