Security Overview

Version 1.0. Last updated: March 24, 2026

Security is foundational to everything we build at Mataki. Our customers trust us with their data and their users’ data. This page describes how we protect that trust.

Certifications and Compliance

Framework | Status | Details
SOC 2 Type II | Planned | Timeline to be announced.
GDPR | Compliant | Data Processing Addendum available. Standard Contractual Clauses supported. EU representative appointed.
CCPA/CPRA | Compliant | Service provider obligations met. No sale or sharing of personal information.
NZ Privacy Act 2020 | Compliant | Obligations under the Information Privacy Principles supported.
ISO 27001 | Planned | Timeline to be announced.

Infrastructure Security

Hosting

All production services are hosted on Google Cloud Platform (GCP) in SOC 2-certified data centers. Primary region: us-central1. Additional regions are available for customers with data residency requirements.

Network

  • All external communications are encrypted in transit using TLS 1.2 or higher. TLS 1.0 and 1.1 are not supported.
  • Production networks are segmented from development, staging, and corporate environments.
  • Firewall rules restrict traffic to authorized protocols and endpoints using a default-deny posture.
  • Intrusion detection and prevention systems (IDS/IPS) monitor network traffic continuously.

Compute

  • Production workloads run in isolated containers on managed orchestration platforms.
  • Containers are built from minimal base images, scanned for vulnerabilities, and signed.
  • No direct SSH access to production systems. All administrative actions are performed through audited control planes.

Data Security

Encryption

  • At rest: All data is encrypted at rest using AES-256 encryption. This includes production databases, object storage, backups, and log archives.
  • In transit: All data is encrypted in transit using TLS 1.2+ between all parties: client-to-service, service-to-service, and service-to-storage.
  • Key management: Encryption keys are managed through Google Cloud KMS with automatic rotation. Mataki employees do not have access to raw encryption keys.

Data Isolation

  • Customer data is logically isolated in multi-tenant environments using tenant-scoped access controls.
  • Cross-tenant data access is architecturally prevented at the application layer.
  • Production data is never used in development or testing environments.

Data Retention

  • Customer Data is retained for the duration of the subscription and for thirty (30) days after termination to allow for export.
  • Backups are retained for a maximum of ninety (90) days and are encrypted at rest.
  • Deletion requests are processed within thirty (30) days of written request.

Application Security

Secure Development

  • All code is subject to mandatory peer review before merging to production branches.
  • Static analysis (SAST) is integrated into the CI/CD pipeline and runs on every pull request.
  • Dependency scanning identifies known vulnerabilities in third-party packages. Critical vulnerabilities are patched within 24 hours; high within 7 days.
  • Secret scanning prevents credentials, API keys, and tokens from being committed to version control.

Vulnerability Management

  • Penetration testing is conducted at least annually by a qualified third-party firm. Results and remediation are documented.
  • Vulnerability scanning of production systems runs continuously.
  • Bug bounty / Responsible disclosure: See our SECURITY.md for reporting procedures.

Authentication and Authorization

  • Multi-factor authentication (MFA) is available for all customer accounts and required for all Mataki employee access to production systems.
  • Role-based access control (RBAC) governs access to all resources within the Services.
  • API authentication uses bearer tokens (API keys) with per-key scoping and revocation.
  • Passwords are hashed using bcrypt with an appropriate cost factor. Plaintext passwords are never stored or logged.

Operational Security

Access Controls

  • Production system access is restricted to authorized personnel using named, individual accounts with MFA. No shared credentials.
  • Access is granted on a least-privilege basis and reviewed quarterly.
  • Access is revoked within 24 hours of personnel departure or role change.
  • All administrative actions on production systems are logged and auditable.

Incident Response

  • A documented incident response plan is maintained, tested, and updated at least annually.
  • An on-call incident response team is available 24/7 with defined escalation procedures.
  • Security Incidents affecting customer data are reported within 72 hours in accordance with the Data Processing Addendum.
  • Post-incident reviews are conducted for all significant incidents, with root cause analysis and preventive measures documented.

Business Continuity

  • Production data is replicated across multiple availability zones within each region.
  • Automated backups run daily with point-in-time recovery capability.
  • Disaster recovery procedures are documented and tested at least annually.
  • Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour.

Personnel Security

  • Background checks are conducted on all personnel with access to production systems or customer data, to the extent permitted by applicable law.
  • All personnel complete security awareness training upon onboarding and at least annually thereafter.
  • All personnel are bound by confidentiality obligations through employment or contractor agreements.
  • Separation of duties is enforced for critical operations (e.g., code deployment requires review by a person other than the author).

Vendor Management

  • Third-party vendors and sub-processors with access to customer data undergo a security assessment before engagement and periodically thereafter.
  • Vendor contracts include data protection obligations consistent with our Data Processing Addendum.
  • The current list of sub-processors is published at mataki.dev/legal/sub-processors.

Responsible Disclosure

If you discover a security vulnerability in any Mataki service, please report it responsibly:

  • Email: security@mataki.dev
  • GitHub: See SECURITY.md in any Mataki repository
  • Do not disclose vulnerabilities publicly until we have had an opportunity to investigate and remediate.
  • We acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days.
  • We do not pursue legal action against researchers who act in good faith.

Requesting Security Documentation

Enterprise customers may request:

  • SOC 2 Type II report (under NDA)
  • Penetration test executive summary (under NDA)
  • Completed security questionnaires (SIG, CAIQ, or custom)
  • Data Processing Addendum

Contact security@mataki.dev or your account representative.