Security at MiddleVerse

Built to earn a technical yes.

Your business data powers your AI visibility — so we protect it the way your own engineers would expect. Here is exactly what we do, in plain terms.

Authentication

  • Passwordless magic-link sign-in by default, plus Google and Apple OAuth.
  • Passwords, where used, are hashed with bcrypt (12 salt rounds) — never stored in plain text.
  • Session cookies are httpOnly, Secure in production, and SameSite-restricted.

Access Control

  • Role-based access control on every privileged route, enforced server-side.
  • Tenant isolation: business users can only reach their own business’s records.
  • Platform-admin capabilities are separated from business-admin capabilities.

Application Hardening

  • CSRF protection on state-changing requests.
  • Rate limiting on login, magic-link, and other abuse-prone endpoints.
  • Security headers via Helmet, strict CORS allow-list, and automated bot-probe filtering.

Data Protection

  • All traffic encrypted in transit with TLS; database connections use SSL.
  • Every database query is parameterized — no string-built SQL.
  • Secrets and API keys live in managed environment variables, never in code.

Payments

  • Card details are handled entirely by Stripe on PCI-compliant hosted pages — MiddleVerse never sees or stores card numbers.
  • Every inbound payment webhook is signature-verified before processing.

Infrastructure

  • Hosted on Google Cloud with managed TLS, health checks, and automated deploys.
  • One production database with schema managed in version control.
  • Third-party callbacks (payments, email, calendars) are validated before they touch data.

On our roadmap

We maintain an internal threat model and design against it today. Formal certifications such as SOC 2 are on our roadmap as we grow into larger enterprise engagements — we are building our practices now so certification is an audit, not a rebuild. We do not yet hold formal certifications and will never claim one before it is earned.

Questions from your security team?

We are happy to walk your technical reviewers through our architecture, data handling, and integration surface.