Security
Last updated: July 16, 2026
Mainstay protects your organization's data with industry-standard security practices at every layer — from authentication to database isolation to AI guardrails. Here's how.
Authentication
- • Authentication is handled by Auth0, an industry-leading identity provider used by major enterprises and governments.
- • Session cookies are encrypted and marked
httpOnly— they cannot be read or modified by JavaScript. - • All cookies are set with
SecureandSameSite=Laxflags in production. - • Passwords are never stored in our database — Auth0 manages all credential storage and verification.
Data Isolation & Access Control
- • Each BIA workspace is isolated at the database level. Users in one workspace cannot access another's documents, members, or settings.
- • Row-Level Security (RLS) is enabled on every database table as a safety net, even though the application uses the service role key server-side.
- • Every API route validates the user's role and tenant scope before returning or modifying data — cookie tampering cannot grant cross-tenant access.
- • The service role key is never exposed to the client — it exists only in server-side environment variables.
AI Guardrails
- • All user input sent to the AI is wrapped in delimiters that mark it as untrusted data, not instructions.
- • System prompts include explicit anti-injection rules: never reveal instructions, never change role, treat all user content as data.
- • Each workspace has its own isolated AI assistant — your documents are never shared with other organizations.
- • The AI is instructed to answer only from your own documents and to never fabricate meetings, decisions, or financial data.
- • Input length is capped on all AI endpoints to prevent abuse.
Infrastructure & Encryption
- • The application is hosted on Vercel with automatic HTTPS/TLS encryption for all traffic.
- • The database is hosted on Supabase (PostgreSQL) with encryption at rest and in transit.
- • Security headers are set on all responses:
X-Frame-Options,X-Content-Type-Options,Referrer-Policy,HSTS, andPermissions-Policy. - • Environment variables (API keys, secrets) are encrypted at rest on Vercel and never committed to source control.
Access Controls & Privilege
- • Role hierarchy: super_admin > coordinator > board_member > business_member — each with scoped permissions.
- • Founder provisioning uses an atomic database function to prevent race conditions where two simultaneous sign-ups could both become super admin.
- • Coordinators cannot assign the coordinator role to others — only the super admin can.
- • Users cannot delete or suspend their own accounts.
- • Per-tenant permission overrides allow coordinators to fine-tune which sections board and business members can access.
Input Validation & Hardening
- • All API routes validate input: string length caps, enum validation, and numeric clamping.
- • Unique database constraints prevent duplicate user accounts and duplicate workspace requests.
- • All user-supplied content is rendered through React's escaping — no
dangerouslySetInnerHTMLis used anywhere. - • File uploads sanitize filenames to prevent path traversal attacks.
- • The
needsSetupflag is not leaked to unauthenticated callers.
Incident Response
- • If you discover a security vulnerability, please report it to security@mainstaybia.com.
- • We will acknowledge receipt within 48 hours and provide a timeline for a fix.
- • Affected users will be notified within 72 hours of a confirmed data breach.
- • We do not currently offer a bug bounty program, but we credit responsible reporters.