Security Policy

Effective date: April 19, 2026

How Mora protects Customer data — including encryption, access controls, monitoring, incident response, and responsible disclosure.

This Security Policy summarizes the technical and organizational measures Respired.io, Corp. doing business as Mora uses to protect the confidentiality, integrity, and availability of Customer data.

This document is intended for security and compliance teams. It is updated as our security posture evolves; the effective date above marks the most recent revision.

1. Infrastructure

  • Hosting: Mora runs on Vercel (app and marketing site) and Supabase (Postgres database, authentication, file storage). Both providers operate in SOC 2 Type II audited data centers (US AWS regions for Supabase by default).
  • Network: All Customer traffic is served over HTTPS. Internal service-to-service traffic uses TLS or operates within isolated cloud networks managed by our providers.
  • Tenant isolation: Customer data is logically isolated by row-level security (RLS) policies in Postgres and by per-Customer scoping at the application layer.

2. Encryption

  • In transit: All public traffic uses TLS 1.2+ with modern cipher suites. HSTS is enforced.
  • At rest: Customer data stored in Supabase Postgres is encrypted at rest with AES-256 using cloud-provider managed keys. File uploads in Supabase Storage are encrypted at rest with the same standard.
  • Backups: Database backups are encrypted at rest and retained according to provider defaults (typically 7–30 days, with point-in-time recovery available within the retention window).

3. Access controls

  • Production access is restricted to a small set of named engineers, gated by SSO + multi-factor authentication.
  • Least privilege: Roles are granted on a need-to-know basis and reviewed periodically.
  • Customer authentication: Mora uses Supabase Auth with hashed-and-salted passwords (Bcrypt-class), Google OAuth, and email-link sign-in. Customers can enable additional protections from within their account settings as we ship them.
  • Session management: Sessions use short-lived access tokens with rotating refresh tokens.

4. Application security

  • Code review: All production-bound code changes are reviewed by another engineer or by automated review tools before merge.
  • Dependency management: We track upstream security advisories and apply patches on a regular cadence. High-severity advisories are triaged within 72 hours.
  • Secrets management: Secrets are stored in Vercel and Supabase secret stores; they are never committed to source control. Detection tooling alerts on accidental commits.
  • Input validation: User input is validated at the application layer; database access uses parameterized queries to prevent SQL injection.
  • Output encoding: Frontend rendering uses React's automatic escaping; we avoid dangerouslySetInnerHTML except for vetted JSON-LD payloads.
  • Content Security Policy: A strict CSP is enforced on app responses (see app response headers for the current policy).
  • Rate limiting: Authentication endpoints and high-cost API operations are rate-limited at the platform layer.

5. AI-specific safeguards

When Customer data is sent to AI providers (Anthropic, OpenAI, Google) for content generation:

  • We use the API tier of each provider, which is contractually subject to zero data retention for training purposes.
  • Inputs are minimized to what the model needs for the requested task.
  • Provider-side policies are reviewed when adding a new model or provider.

6. Monitoring and logging

  • Application logs capture request metadata (timestamps, route, status) without sensitive payloads.
  • Error monitoring via Sentry with PII scrubbing enabled.
  • Synthetic monitoring of public endpoints and key user flows.
  • Logs are retained per provider defaults (typically 30–90 days).

7. Incident response

We maintain documented incident response procedures covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a confirmed Personal Data Breach affecting Customer Data, we will notify affected Customers within 72 hours of becoming aware, in accordance with our Data Processing Agreement.

8. Business continuity

  • Database point-in-time recovery is enabled within the provider retention window.
  • Critical configuration is recorded as code (Infrastructure-as-Code where applicable) so the production environment can be redeployed.
  • We maintain an internal runbook for credential rotation and provider-incident response.

9. Personnel

  • All employees and contractors with access to production systems are required to complete security and data-protection training as part of onboarding.
  • Personnel access is revoked promptly upon role change or termination.
  • Confidentiality obligations are included in employment and contractor agreements.

10. Subprocessors

Subprocessors that may process Personal Data on Customer's behalf are listed in Annex III of the Data Processing Agreement.

11. Compliance posture

Mora is designed to support Customer compliance with GDPR, UK GDPR, CCPA / CPRA, VCDPA, CPA, CTDPA, and UCPA. Mora itself is not currently SOC 2 certified; we rely on the SOC 2 / ISO 27001 audited posture of our underlying providers (Vercel, Supabase, Stripe, Sentry, Anthropic, OpenAI, Google) and apply the controls described above on top of that foundation.

If you are evaluating Mora for use in a regulated environment and need additional documentation, contact us at hello@mora-marketer.com.

12. Responsible disclosure

We welcome reports of security vulnerabilities. If you believe you have discovered a vulnerability in Mora, please email hello@mora-marketer.com with:

  • A description of the vulnerability
  • Steps to reproduce
  • The potential impact
  • Your name and contact information (for credit, if you wish)

We commit to:

  • Acknowledging receipt within 5 business days
  • Providing an initial assessment within 10 business days
  • Working with you on a coordinated disclosure timeline
  • Crediting you publicly (with your permission) once the issue is remediated

Please do not:

  • Test against accounts you do not own
  • Run automated scans that disrupt other users
  • Publicly disclose the vulnerability before we have had a reasonable opportunity to address it

We do not currently operate a bug-bounty program with monetary rewards, but we will publicly thank researchers who disclose responsibly.

13. Contact

Security inquiries and disclosure reports: hello@mora-marketer.com with "Security" in the subject line.