Security

Local mode

Your data lives on your machine. The threat model is the same as your laptop's. If your disk is encrypted (FileVault, LUKS) you're already in good shape.

Hosted plans

  • Transport: TLS 1.3 everywhere. HSTS preloaded.
  • At rest: Postgres encrypted at rest. OAuth tokens encrypted with per-tenant keys derived from a master KMS key.
  • Auth: Argon2id passwords (or SSO via Google Workspace on Teams). Sessions are server-side with one HttpOnly Secure SameSite=Lax cookie.
  • Isolation: every query is scoped by tenant_id and enforced at the database level (RLS).
  • Backups: daily Postgres snapshots, 30-day retention. Tested restore quarterly.
  • Logging: request metadata (path, status, latency, user_id). No request bodies. Retained 14 days.
  • Secrets: managed in Cloudflare and AWS Secrets Manager. Rotated on personnel changes.
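As an added example (not Mayva's own schema or code), one way the tenant_id scoping above can be enforced with Postgres row-level security; the table, column, role and setting names are assumptions:

```sql
-- Added example, not Mayva's schema: table, role and setting names are assumed.
CREATE TABLE journal_entries (
  id         bigserial PRIMARY KEY,
  tenant_id  uuid NOT NULL,
  body       text NOT NULL
);

-- The application must connect as a non-superuser, non-owner role:
-- superusers always bypass RLS, and owners bypass it unless FORCEd below.
CREATE ROLE app_user NOINHERIT LOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON journal_entries TO app_user;
GRANT USAGE, SELECT ON SEQUENCE journal_entries_id_seq TO app_user;

ALTER TABLE journal_entries ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy even to the table owner, closing the gap where a
-- service that happens to own the table silently sees every tenant's rows.
ALTER TABLE journal_entries FORCE ROW LEVEL SECURITY;

-- One policy covers reads (USING) and writes (WITH CHECK), so a request can
-- neither read nor insert/update rows belonging to another tenant.
-- current_setting(..., true) returns NULL when the setting is absent, and
-- NULLIF guards against an empty string; a NULL comparison hides every row,
-- so a request that forgot to set its tenant fails closed.
CREATE POLICY tenant_isolation ON journal_entries
  USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
  WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, as app_user: set the tenant with SET LOCAL inside the
-- transaction so it is discarded at COMMIT and cannot leak to the next
-- request that reuses the same pooled connection. Application code should
-- pass the value as a parameter, e.g. SELECT set_config('app.tenant_id', $1, true).
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO journal_entries (tenant_id, body)
  VALUES (current_setting('app.tenant_id')::uuid, 'first entry');
SELECT id, body FROM journal_entries;   -- only this tenant's rows are visible
COMMIT;

-- Staging check: with no tenant set, app_user should see no rows at all;
-- if it sees any, RLS is not actually in force for that connection.
BEGIN;
SELECT count(*) FROM journal_entries;
ROLLBACK;
```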

Vendor list

  • Cloudflare — marketing site, edge functions, DDoS protection.
  • AWS / DigitalOcean — application servers, Postgres, object storage.
  • Anthropic — LLM inference (Claude Haiku / Sonnet / Opus).
  • Stripe — payments.
  • Resend — transactional email.
  • WHOOP / Google / Gmail / Oura / Garmin — wearable + calendar ingestion (only with your OAuth grant).

Responsible disclosure

Found a vulnerability? Email security@mayva.ai.

  • Give us a reasonable time (90 days by default) before publishing.
  • Don't access data that isn't yours.
  • Don't run automated scanners against production.

We don't currently run a paid bug bounty, but we will publicly credit responsibly-disclosed findings (with your permission) on this page.

Compliance status

We're a small team and don't yet hold SOC 2 / ISO 27001. We follow the practices above and will pursue formal certifications once the Teams plan demands them.