Security

Last updated: July 16, 2026

Mainstay protects your organization's data with industry-standard security practices at every layer — from authentication to database isolation to AI guardrails. Here's how.

Authentication

  • • Authentication is handled by Auth0, an industry-leading identity provider used by major enterprises and governments.
  • • Session cookies are encrypted and marked httpOnly — they cannot be read or modified by JavaScript.
  • • All cookies are set with Secure and SameSite=Lax flags in production.
  • • Passwords are never stored in our database — Auth0 manages all credential storage and verification.

Data Isolation & Access Control

  • • Each BIA workspace is isolated at the database level. Users in one workspace cannot access another's documents, members, or settings.
  • Row-Level Security (RLS) is enabled on every database table as a safety net, even though the application uses the service role key server-side.
  • • Every API route validates the user's role and tenant scope before returning or modifying data — cookie tampering cannot grant cross-tenant access.
  • • The service role key is never exposed to the client — it exists only in server-side environment variables.

AI Guardrails

  • • All user input sent to the AI is wrapped in delimiters that mark it as untrusted data, not instructions.
  • • System prompts include explicit anti-injection rules: never reveal instructions, never change role, treat all user content as data.
  • • Each workspace has its own isolated AI assistant — your documents are never shared with other organizations.
  • • The AI is instructed to answer only from your own documents and to never fabricate meetings, decisions, or financial data.
  • • Input length is capped on all AI endpoints to prevent abuse.

Infrastructure & Encryption

  • • The application is hosted on Vercel with automatic HTTPS/TLS encryption for all traffic.
  • • The database is hosted on Supabase (PostgreSQL) with encryption at rest and in transit.
  • • Security headers are set on all responses: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, HSTS, and Permissions-Policy.
  • • Environment variables (API keys, secrets) are encrypted at rest on Vercel and never committed to source control.

Access Controls & Privilege

  • • Role hierarchy: super_admin > coordinator > board_member > business_member — each with scoped permissions.
  • • Founder provisioning uses an atomic database function to prevent race conditions where two simultaneous sign-ups could both become super admin.
  • • Coordinators cannot assign the coordinator role to others — only the super admin can.
  • • Users cannot delete or suspend their own accounts.
  • • Per-tenant permission overrides allow coordinators to fine-tune which sections board and business members can access.

Input Validation & Hardening

  • • All API routes validate input: string length caps, enum validation, and numeric clamping.
  • • Unique database constraints prevent duplicate user accounts and duplicate workspace requests.
  • • All user-supplied content is rendered through React's escaping — no dangerouslySetInnerHTML is used anywhere.
  • • File uploads sanitize filenames to prevent path traversal attacks.
  • • The needsSetup flag is not leaked to unauthenticated callers.

Incident Response

  • • If you discover a security vulnerability, please report it to security@mainstaybia.com.
  • • We will acknowledge receipt within 48 hours and provide a timeline for a fix.
  • • Affected users will be notified within 72 hours of a confirmed data breach.
  • • We do not currently offer a bug bounty program, but we credit responsible reporters.