mopee.

Security

mopeeai.com · Last updated: May 19, 2026 · Effective immediately
Table of Contents
  1. Security Overview
  2. Infrastructure & Hosting
  3. Authentication
  4. Data Encryption
  5. Access Controls
  6. Your Responsibilities
  7. Incident Response
  8. Responsible Disclosure
  9. Contact

This page describes the security measures we have in place to protect your data and the mopee service. Security is a shared responsibility — please also review the Your Responsibilities section.

1. Security Overview

Protecting your data and your clients' data is fundamental to mopee. We design the service with security in mind at every layer — from infrastructure and authentication to data access controls. We continuously review and improve our security posture as the product evolves.

mopee relies on industry-leading managed infrastructure providers (Supabase and Vercel) to handle the most security-critical layers, allowing us to leverage their dedicated security teams and compliance certifications.

2. Infrastructure & Hosting

Vercel (Web hosting & edge network)

The mopee application and API are deployed on Vercel, a platform with SOC 2 Type II certification. Vercel's edge network provides DDoS mitigation and TLS termination on every request. All traffic between your browser and Vercel is encrypted in transit using TLS 1.2 or higher.

Supabase (Database & authentication)

Supabase hosts our PostgreSQL database and manages authentication on AWS infrastructure in the us-east-1 (Virginia, USA) region. Supabase is SOC 2 Type II certified. The database is not publicly accessible — all connections are made through Supabase's authenticated API layer, which enforces Row Level Security (RLS) policies on every query.

3. Authentication

User authentication is managed entirely by Supabase Auth, which implements the following protections:

  • Password hashing: Passwords are hashed using bcrypt before storage. We never store plain-text passwords and cannot read your password.
  • Secure session tokens: Sessions are maintained via a secure, HttpOnly cookie that cannot be accessed by JavaScript on the page, reducing the risk of token theft via XSS attacks.
  • Automatic token refresh: Access tokens are short-lived and refreshed automatically, limiting the window of exposure if a token were ever intercepted.
  • Email verification: New accounts require email address verification before gaining full access.

4. Data Encryption

Layer: Method

  • Data in transit: TLS 1.2+ enforced on all connections between your browser, Vercel, and Supabase. HTTP requests are automatically redirected to HTTPS.
  • Data at rest: Supabase encrypts all data at rest using AES-256, managed through AWS infrastructure encryption.
  • Passwords: Hashed with bcrypt; never stored in plain text.
  • Browser local storage: Data stored in your browser (geocode cache, app settings) is not encrypted. It contains only non-sensitive preference and geocoordinate data — no passwords, payment details, or authentication tokens.

5. Access Controls

Row Level Security (RLS). Every table in the mopee database is protected by Supabase's Row Level Security policies. These policies ensure that authenticated queries can only read or write rows that belong to the authenticated user's account. It is architecturally impossible for one user to access another user's data through the API.
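
A sketch of the kind of per-owner policy described above, added here as an illustration and not taken from mopee's schema or code. The table public.clients and the column owner_id are hypothetical; auth.uid() and the authenticated role are Supabase's own.

```sql
-- Hypothetical table: each row records the account that owns it.
create table public.clients (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null references auth.users (id),
  name      text not null
);

-- Policies are only evaluated once RLS is switched on for the table.
-- With RLS on and no matching policy, a role gets no rows (default deny),
-- which is why the anon role needs no explicit "deny" policy here.
alter table public.clients enable row level security;

-- Reads: auth.uid() returns the user id from the request's JWT.
create policy clients_select_own on public.clients
  for select to authenticated
  using (owner_id = auth.uid());

-- Inserts: WITH CHECK stops a caller writing a row under someone else's id.
create policy clients_insert_own on public.clients
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Updates: USING limits which rows can be touched, WITH CHECK stops
-- ownership being reassigned to another account.
create policy clients_update_own on public.clients
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy clients_delete_own on public.clients
  for delete to authenticated
  using (owner_id = auth.uid());

-- Audit check: any table in the API-exposed schema with RLS switched off.
-- An empty result is what "every table is protected" should look like.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity
order by tablename;
```

Requests made with the service-role key bypass these policies, so the audit query covers only the path taken by anon and authenticated callers.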

Principle of least privilege. The Supabase anon key (used for public API calls) has no access to authenticated user data. The service-role key (used only in server-side API routes, never exposed to the browser) is restricted to the minimum operations required.

Internal access. mopee team members do not have standing access to production user data. Any access required for debugging or support purposes is logged and time-limited.

6. Your Responsibilities

Security is a shared responsibility. We ask you to:

  • Use a strong, unique password for your mopee account — ideally generated by a password manager.
  • Never share your credentials with anyone, including mopee support staff (we will never ask for your password).
  • Keep your devices secure — ensure your browser and operating system are up to date and that you lock your device when not in use.
  • Log out of shared devices — if you use mopee on a shared or public computer, always sign out when finished.
  • Report suspicious activity — if you notice anything unusual in your account, contact us immediately at contact@mopeeai.com.

7. Incident Response

In the event of a confirmed data breach or security incident that affects your personal data:

  • We will investigate the incident immediately and take steps to contain and remediate it.
  • We will notify affected users by email within 72 hours of becoming aware of the breach, in accordance with GDPR Art. 34 and applicable law.
  • We will notify relevant supervisory authorities (e.g., the EU lead supervisory authority, the FTC) as required by law.
  • We will provide details of the nature of the breach, the data affected, and the steps you can take to protect yourself.

8. Responsible Disclosure

We welcome reports from security researchers and users who discover potential vulnerabilities in the mopee service. If you believe you have found a security issue, please:

  • Email us at contact@mopeeai.com with the subject line "Security Disclosure".
  • Describe the issue clearly, including steps to reproduce it and any potential impact.
  • Give us reasonable time (at least 30 days) to investigate and address the issue before any public disclosure.

We will acknowledge your report within 48 hours and keep you updated as we investigate. We will not take legal action against researchers who follow this responsible disclosure process in good faith.

9. Contact

For security-related enquiries, vulnerability reports, or to report suspicious activity:

  • Email: contact@mopeeai.com
  • Subject line for vulnerability reports: "Security Disclosure"
  • Response time: within 24–48 hours for general enquiries; within 48 hours for security reports