Security Policy
Last updated:
Security is a core commitment at Mother AIOS, operated by Nerdic AI. This Security Policy describes the technical and organisational measures we implement to protect your data and maintain platform integrity.
1. Infrastructure security
The Mother AIOS platform is hosted on Vercel with Cloudflare as the edge network and CDN layer. All production infrastructure runs in isolated environments with:
- Network-level isolation between tenants and environments.
- Automated vulnerability scanning of container images on every deployment.
- DDoS mitigation via Cloudflare.
- Web Application Firewall (WAF) rules enforced at the edge.
2. Data encryption
- At rest: All database data is encrypted using AES-256. Object storage in Cloudflare R2 uses server-side encryption by default.
- In transit: All connections use TLS 1.2 or higher. HSTS is enforced with a minimum age of one year.
- Secrets management: API keys and credentials are stored in environment-variable vaults and never committed to source control.
3. Authentication and access control
- Authentication is handled by Clerk, which provides multi-factor authentication (MFA), brute-force protection, and session management.
- All internal API routes require a valid session token. Unauthenticated requests are rejected at the middleware layer.
- Row-level security (RLS) is enforced at the database layer — each request can only read and write data belonging to the authenticated brand, preventing cross-tenant data access.
- Principle of least privilege: internal services and team members are granted only the permissions required for their role.
4. Application security
- Dependencies are audited weekly via automated tooling. Critical vulnerabilities trigger an immediate patch release.
- Input validation is enforced at every API boundary using Zod schemas.
- AI-generated content is not directly executed; all workflow conditions use the
filtrexsafe expression evaluator rather thaneval. - Content Security Policy (CSP) headers are applied on all responses.
- SQL injection is prevented by Drizzle ORM's parameterised queries. No raw SQL interpolation is used in application code.
5. Penetration testing and audits
We conduct annual penetration tests performed by an independent third party. Results are triaged and remediated within SLA targets based on severity:
- Critical: 24 hours.
- High: 7 days.
- Medium: 30 days.
- Low: 90 days.
Executive summaries of penetration test reports are available to enterprise customers under NDA on request.
6. Incident response
We maintain a documented incident response plan that covers detection, containment, eradication, and recovery phases. In the event of a security incident affecting customer data:
- We will notify affected customers within 72 hours of confirming the incident.
- Notification will include: nature of the incident, data categories affected, likely consequences, and measures taken or proposed.
- A post-incident review will be completed within 30 days.
7. Business continuity and backups
- Database backups are taken every 6 hours with a 30-day retention window.
- Point-in-time recovery (PITR) is enabled on the production database.
- Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 6 hours.
8. Employee security
- All team members complete security awareness training on joining.
- Access to production systems requires MFA and hardware security keys.
- Access is reviewed quarterly and revoked immediately on role change or departure.
9. Responsible disclosure
We welcome reports of security vulnerabilities. If you believe you have found a security issue, please email security@mother.ai with a description of the vulnerability and steps to reproduce. We commit to acknowledging all reports within 48 hours and providing a remediation timeline within 7 days. We request that you do not publicly disclose the issue until we have had the opportunity to address it.
10. Compliance
Mother AIOS is designed to help customers meet their obligations under GDPR and CCPA. A full Data Processing Agreement is available at Data Processing Agreement.
11. Contact
Security questions or reports: email security@mother.ai. General data protection queries: privacy@mother.ai.