Trust Centre

Security, privacy, and how we protect your data

The technical, organisational, and contractual controls behind MANTIS — and how to reach us with security questions.

Data residency

Stays in the EU

All vessel data is hosted in Frankfurt, Germany (AWS eu-central-1) via Supabase. Off-site backups in Cloudflare R2 EU. No data crosses outside the EU/EEA.

Encryption

At rest and in transit

TLS 1.2+ with HSTS preload for all traffic. AES-256 at rest at the storage layer. Backup blobs are additionally encrypted with age before being written off-site.

Authentication

MFA + bcrypt

Email + password with bcrypt hashing. Optional TOTP multi-factor authentication. Mandatory MFA enforcement for organisations is on the 2026 roadmap.

Data isolation

Per-vessel RLS

PostgreSQL row-level security scopes every query to the authenticated user's vessel and organisation membership at the database layer — not just the application layer.

Compliance

GDPR-aligned, NIS2-aware

EU data residency by design. DPA available on request. Sub-processor register published. Designed to support customers with their own NIS2 and IMO MSC.428(98) obligations.

Continuity

Daily off-site backups

Daily Supabase point-in-time backups (7-day retention) plus daily encrypted exports to Cloudflare R2 (30-day retention). Restoration is rehearsed on a 90-day cadence.

Documents

The full text of our public-facing security and compliance documents:

  • Privacy Policy — what data we collect, why, where it's stored, your rights.
  • Terms of Service — the contract that governs your use of MANTIS.
  • Data Processing Agreement — the GDPR Art. 28 processor agreement covering crew member data and other organisation-controlled data. Signed automatically on upgrade from trial.
  • Security Overview — the long-form description of our security posture, structured around NIST CSF 2.0.
  • security.txt — RFC 9116 machine-readable security contact.

Sub-processors

The third parties that process customer data on our behalf:

  • Supabase — database, authentication, storage. EU (Frankfurt). SOC 2 Type II.
  • Cloudflare — application hosting, CDN, DDoS protection, R2 backup storage, DNS. EU edge nodes; R2 EU region. SOC 2 Type II.
  • Stripe Payments Europe Ltd — subscription billing, payment processing. EU (Dublin). PCI DSS Level 1 + SOC 2 Type II.
  • Brevo (Sendinblue SAS) — transactional email. EU (Paris).
  • Sentry GmbH — application error monitoring. EU (Germany). SOC 2 Type II.
  • PostHog — product analytics, UUID-only, no email, no cookies (cookieless mode). EU host. SOC 2 Type II.
  • Plausible Insights OÜ — privacy-friendly aggregate web analytics. EU (Estonia). Open-source, GDPR-compliant, no cookies.
  • Microsoft Clarity — heatmaps + anonymised session replay on the marketing site only. Sets cookies; loaded only with explicit visitor consent (cookie banner + footer "Cookie settings").

Customers are notified at least 30 days in advance of any sub-processor change, with a right to object per the DPA.

Certifications

MANTIS itself does not yet hold an independent SOC 2 or ISO 27001 certification. Pursuing SOC 2 Type II is on our 2027 roadmap. In the interim, we operate on the certifications of our infrastructure providers:

  • Supabase, Cloudflare, Stripe, Sentry, PostHog — SOC 2 Type II
  • Stripe — PCI DSS Level 1

An independent web-application penetration test is scheduled for Q3 2026. The summary report will be available to enterprise prospects under NDA.

FAQ

Where is my data stored?

Inside the European Union. The primary application database is hosted by Supabase on AWS Frankfurt (eu-central-1). Backups live in Cloudflare R2 with an EU location hint. No customer data crosses outside the EU/EEA.

Can I export my data?

Yes. The application includes export functions (Excel for inventory and certificates, PDF for the survey pack). For a complete machine-readable export of everything in your account, email privacy@mantis-ihm.com — GDPR Art. 20 portability is delivered as a structured JSON archive within 30 days.

What happens to my data if I cancel?

Your account transitions to read-only at the end of the billing period, then is archived for 90 days. During this period you can request reactivation with full data intact. After 90 days, data is permanently deleted (unless you request earlier deletion). Backups age out within 30 days for daily R2 backups and 7 days for Supabase daily backups — after the 90-day archive window, no copy of your data exists in our systems.

Do you have a penetration test report?

An independent test is scheduled for Q3 2026. Until then, our security posture is documented in the Security Overview above. We're happy to discuss specific concerns with prospects under NDA — email security@mantis-ihm.com.

Do you have an Incident Response Plan?

Yes. The plan defines severity levels, roles, detection channels, containment by incident type, customer notification within 48 hours per DPA, and post-incident review with anti-pattern feedback into our standards. Available to enterprise prospects under NDA.

How do you protect against unauthorised access?

Three layers: authentication (email + password with optional MFA), authorisation (PostgreSQL RLS scopes every query to the user's vessel/organisation), and audit (every material action is logged with user, timestamp, and before/after state). Service-role database access is confined to server-side edge functions and never reaches the browser.

What if a sub-processor is breached?

We monitor sub-processor security advisories. If a breach affects MANTIS customer data, we notify customer organisations within 48 hours per the DPA. The Incident Response Plan covers our containment steps; the Data Breach Register records every event to support your GDPR Art. 33 reporting.
Reporting a vulnerability

If you believe you've found a security issue in MANTIS, please email security@mantis-ihm.com. PGP encryption is not required — clear English is more useful.

Please include: a description of the issue, the URL or component affected, steps to reproduce, and the impact you observed. If you can include a proof of concept, that helps us verify and prioritise. Do not include real customer data in your report.

What we commit to

  • Acknowledgement within 2 business days of receiving your report.
  • Initial triage within 5 business days with a severity assessment and indicative timeline.
  • Status updates at least weekly until the issue is resolved.
  • Public credit in a security advisory, if you wish, after a fix is shipped.

Critical issues (those that allow unauthenticated access to customer data, account takeover, or remote code execution) are remediated as fast as we can build, test, and deploy a fix — typically within 24–72 hours.

Safe harbour

We support good-faith security research. If you act in good faith and follow this policy, we will not pursue legal action against you. Specifically, we ask that you:

  • Test only against your own MANTIS account, not against other customers' data.
  • Stop testing and report immediately if you encounter personal data that isn't yours.
  • Do not perform denial-of-service testing, social engineering, or physical attacks.
  • Do not publicly disclose the vulnerability before we've had a reasonable chance to fix it (we'll agree a disclosure date with you).

Scope

In scope:

  • app.mantis-ihm.com — the MANTIS application
  • mantis-ihm.com — the marketing site
  • Public Supabase Edge Functions invoked by the application

Out of scope: third-party services we depend on (Supabase, Cloudflare, Stripe, Brevo, Sentry, PostHog, Plausible) — please report those directly to the respective vendors. Issues already publicly disclosed and on a published remediation timeline are also out of scope.

How we approach security

The detail customers usually want, in plain English:

  • Data residency: All vessel data is stored within the European Union — Supabase on AWS Frankfurt (eu-central-1) for the application database, Cloudflare R2 (EU) for off-site backups.
  • Encryption: TLS 1.2+ in transit (HSTS preloaded). AES-256 at rest at the storage layer.
  • Authentication: Email + password with bcrypt hashing. Optional multi-factor authentication (TOTP). Session tokens are HTTP-only, SameSite=Lax cookies.
  • Authorisation: PostgreSQL row-level security. Every database query is scoped to the authenticated user's vessel and organisation membership at the database layer — not just the application layer.
  • Tenant isolation: Vessel data is isolated by RLS policy. The default ("Pool") tier shares a database with strict per-vessel isolation; the Enterprise tier provides a dedicated database per customer.
  • Backups: Daily Supabase point-in-time backups (7-day retention) plus Cloudflare R2 off-site copies. Backup restoration is rehearsed on a 90-day cadence.
  • Logging: Application errors via Sentry (EU instance, session replays text-masked, media blocked). Application audit log captures security-relevant events (sign-in, role changes, data exports, deletions).
  • Privacy-aware analytics: Plausible (no cookies, aggregate only) on the marketing site. PostHog (EU host, UUID-only — never email, no session recording, in-memory persistence) on the app.
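As an added illustration of the per-vessel row-level security described above (example code written for this page, not the MANTIS schema), the PostgreSQL snippet below scopes every row through organisation membership at the database layer. It assumes Supabase's `auth.uid()` function and `authenticated` role, and uses hypothetical `organisation_members`, `vessels` and `inventory_items` tables.

```sql
-- Hypothetical tables (constructed for this example, not the MANTIS schema).
create table organisation_members (
  org_id  uuid not null,
  user_id uuid not null,
  primary key (org_id, user_id)
);

create table vessels (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null,
  name   text not null
);

create table inventory_items (
  id        uuid primary key default gen_random_uuid(),
  vessel_id uuid not null references vessels (id),
  material  text not null
);

-- Vessels the calling user may see, derived from organisation membership.
-- SECURITY DEFINER lets the policy read the membership table without
-- recursing into its own RLS; search_path is pinned to avoid hijacking.
create or replace function my_vessel_ids()
returns setof uuid
language sql stable security definer set search_path = public as $$
  select v.id
  from vessels v
  join organisation_members m on m.org_id = v.org_id
  where m.user_id = auth.uid()
$$;

-- Enable and force RLS: once enabled, a table with no matching policy
-- returns zero rows, so isolation is deny-by-default.
alter table vessels enable row level security;
alter table vessels force row level security;
alter table inventory_items enable row level security;
alter table inventory_items force row level security;

-- USING filters reads/updates/deletes; WITH CHECK blocks inserts or
-- updates that would move a row into a vessel the user is not a member of.
create policy vessels_by_membership on vessels
  for all to authenticated
  using (id in (select my_vessel_ids()))
  with check (id in (select my_vessel_ids()));

create policy items_by_vessel on inventory_items
  for all to authenticated
  using (vessel_id in (select my_vessel_ids()))
  with check (vessel_id in (select my_vessel_ids()));
```

Because Supabase's service role bypasses RLS, these policies only hold if that key stays server-side, which is exactly the constraint stated in the FAQ above.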

For our complete sub-processor register and DPA, see our Privacy Policy or contact privacy@mantis-ihm.com.

Contact

Security: security@mantis-ihm.com
Privacy / DPA: privacy@mantis-ihm.com
Status page: mantis-ihm.com/status
security.txt: /.well-known/security.txt