Security at MiddleVerse
Built to earn a technical yes.
Your business data powers your AI visibility — so we protect it the way your own engineers would expect. Here is exactly what we do, in plain terms.
Authentication
- Passwordless magic-link sign-in by default, plus Google and Apple OAuth.
- Passwords, where used, are hashed with bcrypt (12 salt rounds) — never stored in plain text.
- Session cookies are httpOnly, Secure in production, and SameSite-restricted.
Access Control
- Role-based access control on every privileged route, enforced server-side.
- Tenant isolation: business users can only reach their own business’s records.
- Platform-admin capabilities are separated from business-admin capabilities.
Application Hardening
- CSRF protection on state-changing requests.
- Rate limiting on login, magic-link, and other abuse-prone endpoints.
- Security headers via Helmet, strict CORS allow-list, and automated bot-probe filtering.
Data Protection
- All traffic encrypted in transit with TLS; database connections use SSL.
- Every database query is parameterized — no string-built SQL.
- Secrets and API keys live in managed environment variables, never in code.
Payments
- Card details are handled entirely by Stripe on PCI-compliant hosted pages — MiddleVerse never sees or stores card numbers.
- Every inbound payment webhook is signature-verified before processing.
Infrastructure
- Hosted on Google Cloud with managed TLS, health checks, and automated deploys.
- One production database with schema managed in version control.
- Third-party callbacks (payments, email, calendars) are validated before they touch data.
On our roadmap
We maintain an internal threat model and design against it today. Formal certifications such as SOC 2 are on our roadmap as we grow into larger enterprise engagements — we are building our practices now so certification is an audit, not a rebuild. We do not yet hold formal certifications and will never claim one before it is earned.