How we protect your brand
Mayall holds the canonical record of your brand — identity, assets, voice, and the PoA that powers Shield filings. We treat that record with the controls you'd expect from a serious operator.
Last updated: 2026-05-19
Infrastructure
Mayall runs on Vercel + Supabase, both SOC 2 Type II audited. All traffic is encrypted in transit with TLS 1.3. Customer data is encrypted at rest using AES-256. Row-Level Security policies in Postgres enforce per-workspace data isolation.
Authentication
Sign-in is by email or Google OAuth, both via Supabase Auth with the PKCE flow. Session cookies are HttpOnly, Secure, and SameSite=Lax. Sessions expire after 14 days of inactivity. Workspace owners can enforce SSO and MFA on the Scale plan.
Access controls
Customer data is accessible only to engineers on the on-call rotation, and only via short-lived, audited service credentials. Production database access requires SSO + MFA + an active incident ticket. No engineer holds long-lived prod credentials.
AI inference
Customer content sent to Claude and fal.ai is processed under zero-retention agreements — providers do not retain the request body beyond the duration of the call. Generated media is stored in your workspace bucket only.
Power of Attorney (Shield)
The PoA you sign for Shield is stored encrypted, with audit logs of every takedown filing that referenced it. You can view, export, or revoke the PoA at any time from /shield/settings.
Incident response
We commit to notifying affected customers within 72 hours of confirming an incident. Post-incident reviews are shared with affected customers within 14 days.
Responsible disclosure
Found something? Email security@mayall.ai with a proof of concept. We acknowledge within one business day and resolve verified issues within 30 days.