# MANTIS Security Overview

**Version:** 1.1
**Date:** 27 April 2026
**Author:** Navio Maritime OÜ

---

## 1. Infrastructure & Hosting

MANTIS is a cloud-native application with no self-managed servers.

- **Frontend hosting:** Cloudflare Pages (global edge network with EU presence, automatic HTTPS, DDoS protection at network edge)
- **Backend & database:** Supabase, running on AWS eu-central-1 (Frankfurt, Germany)
- **Identity (single sign-on):** Supabase Auth on a dedicated `navio-platform-prod` project, isolated from the application data plane (`mantis-prod`)
- **Backups:** Cloudflare R2 (S3-compatible object storage) in EU region
- **Infrastructure providers:** Cloudflare, Supabase, and AWS all maintain SOC 2 Type II certification
- **No on-premise components:** Nothing to patch, no VPN required, no firewall rules to configure

All infrastructure is managed by providers with dedicated security teams, 24/7 monitoring, and documented incident response processes.

## 2. Data Encryption

- **At rest:** All data stored in Supabase/AWS is encrypted using AES-256
- **In transit:** All connections enforce TLS 1.2 or higher. HSTS headers are set on all responses
- **Credentials:** No plaintext storage of passwords or secrets. API keys are environment variables, never committed to source code
- **Database connections:** Encrypted via SSL between application and PostgreSQL

## 3. Authentication & Access Control

MANTIS uses Supabase Auth, which provides:

- **Password hashing:** bcrypt with per-user salts
- **Session management:** JWT tokens with configurable expiry and automatic refresh
- **MFA/TOTP:** Multi-factor authentication support (time-based one-time passwords)
- **Session timeout:** Automatic logout after period of inactivity
- **Password reset:** Secure email-based reset flow with single-use tokens
- **Rate limiting:** Built-in rate limiting on login attempts to prevent brute-force attacks
- **Role-based access:** Organisation-level roles control what users can view and modify

## 4. Data Isolation (Multi-tenancy)

MANTIS is a multi-tenant application with strict data isolation:

- **PostgreSQL Row Level Security (RLS)** is enabled on every table in the database
- All RLS policies are scoped by organisation membership. A user can only query rows belonging to organisations they are a member of
- There is no shared data between organisations. One customer's vessel data, IHM records, and compliance history are invisible to all other customers
- RLS is enforced at the database level, meaning even application bugs cannot leak data across organisations
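One way to build the organisation-scoped isolation described above, together with the organisation-level roles from section 3, shown as an added example rather than MANTIS's own schema; table, column and role names are assumptions, and `auth.uid()` is the Supabase helper that returns the calling user's JWT subject:

```sql
-- Added illustration, not the MANTIS schema: organisation-scoped RLS in the
-- shape the overview describes. Table and role names (organisations,
-- organisation_members, vessels; owner/editor/viewer) are assumptions.
-- auth.uid() is Supabase's helper returning the JWT subject of the caller.

create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table organisation_members (
  organisation_id uuid not null references organisations(id) on delete cascade,
  user_id         uuid not null references auth.users(id) on delete cascade,
  role            text not null check (role in ('owner', 'editor', 'viewer')),
  primary key (organisation_id, user_id)
);

create table vessels (
  id              uuid primary key default gen_random_uuid(),
  organisation_id uuid not null references organisations(id) on delete cascade,
  name            text not null
);

-- A table with RLS off is readable by every authenticated API user, so enable
-- it on each tenant-scoped table (the overview says: on every table).
alter table organisation_members enable row level security;
alter table vessels enable row level security;

-- Caller's role in an organisation, or NULL if not a member. SECURITY DEFINER
-- so the lookup is not itself blocked by RLS on organisation_members.
create or replace function org_role(org uuid) returns text
language sql stable security definer set search_path = public as $$
  select role from organisation_members
  where organisation_id = org and user_id = auth.uid();
$$;

-- Read: any member. Write: owners and editors only. WITH CHECK also stops a
-- row being re-parented into an organisation the caller does not belong to.
create policy vessels_select on vessels for select to authenticated
  using (org_role(organisation_id) is not null);
create policy vessels_insert on vessels for insert to authenticated
  with check (org_role(organisation_id) in ('owner', 'editor'));
create policy vessels_update on vessels for update to authenticated
  using (org_role(organisation_id) in ('owner', 'editor'))
  with check (org_role(organisation_id) in ('owner', 'editor'));
create policy vessels_delete on vessels for delete to authenticated
  using (org_role(organisation_id) in ('owner', 'editor'));
-- Caveat: the Supabase service_role key bypasses RLS entirely, so it belongs
-- only in trusted server-side code, never in the browser bundle.
```

A query such as `select * from vessels` issued with a user's JWT then returns only rows whose organisation the user belongs to, regardless of what filters the application code applied.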

## 5. Application Security

- **React framework:** Automatic output encoding prevents cross-site scripting (XSS) by default
- **No dangerouslySetInnerHTML:** The application does not use React's raw HTML injection
- **Input validation:** All user inputs are validated before processing
- **CORS:** Cross-Origin Resource Sharing is configured to allow only the MANTIS application domain
- **Production builds:** Development mode, debug tooling, and source maps are disabled in production
- **Dependency management:** Dependencies are audited and updated regularly

## 6. Backup & Recovery

- **Automated daily backups:** Supabase performs daily backups of the PostgreSQL database, retained for 7 days
- **Off-site backup storage:** Periodic exports replicated to Cloudflare R2 (EU region) for additional durability
- **User-initiated export:** Customers can export their data as XLSX files at any time, providing an independent backup
- **No single point of failure:** Database runs on AWS managed infrastructure with built-in redundancy
- **Point-in-time recovery:** Available as an add-on on the Supabase Pro plan; it will be enabled before onboarding any customer who relies on it (engaged via the Recovery section of the service agreement)

## 7. Compliance Posture

- **GDPR compliant:** All data is stored in the EU (Frankfurt for application data + identity, EU edge for hosting, EU-region R2 for backups). Data Processing Agreement available on request. Right to erasure is supported. Privacy policy details all data processing activities
- **EU data residency:** No data leaves the EU/EEA. All sub-processors (Supabase, Cloudflare, Brevo, Stripe, Sentry, PostHog, Plausible) process data within EU regions
- **SOC 2:** MANTIS relies on SOC 2 Type II certified infrastructure (Cloudflare, Supabase, AWS). We are working toward our own SOC 2 certification as the product scales
- **PCI DSS:** Payment processing is handled by Stripe (PCI DSS Level 1). MANTIS never stores card numbers or CVVs
- **Audit trail:** All data modifications are logged with timestamps and user attribution

## 8. Incident Response

- **Reporting:** Security issues can be reported to security@mantis-ihm.com
- **Acknowledgment SLA:** All security reports are acknowledged within 24 hours
- **Data breach notification:** In the event of a data breach, affected customers are notified within 72 hours per GDPR Article 33
- **Responsible disclosure:** We welcome responsible security research and will not pursue legal action against good-faith reporters

## 9. Contact

For security questions, vulnerability reports, or to request a Data Processing Agreement:

**Email:** security@mantis-ihm.com
**Privacy:** privacy@mantis-ihm.com
**Web:** mantis-ihm.com
