Skip to main content
Back to Home

Security Policy

Draft — Pending Legal Review. Not legally binding.

Last updated:

Security is a core commitment at Mother AIOS, operated by Nerdic AI. This Security Policy describes the technical and organisational measures we implement to protect your data and maintain platform integrity.

1. Infrastructure security

The Mother AIOS platform is hosted on Vercel with Cloudflare as the edge network and CDN layer. All production infrastructure runs in isolated environments with:

  • Network-level isolation between tenants and environments.
  • Automated vulnerability scanning of container images on every deployment.
  • DDoS mitigation via Cloudflare.
  • Web Application Firewall (WAF) rules enforced at the edge.

2. Data encryption

  • At rest: All database data is encrypted using AES-256. Object storage in Cloudflare R2 uses server-side encryption by default.
  • In transit: All connections use TLS 1.2 or higher. HSTS is enforced with a minimum age of one year.
  • Secrets management: API keys and credentials are stored in environment-variable vaults and never committed to source control.

3. Authentication and access control

  • Authentication is handled by Clerk, which provides multi-factor authentication (MFA), brute-force protection, and session management.
  • All internal API routes require a valid session token. Unauthenticated requests are rejected at the middleware layer.
  • Row-level security (RLS) is enforced at the database layer — each request can only read and write data belonging to the authenticated brand, preventing cross-tenant data access.
  • Principle of least privilege: internal services and team members are granted only the permissions required for their role.

4. Application security

  • Dependencies are audited weekly via automated tooling. Critical vulnerabilities trigger an immediate patch release.
  • Input validation is enforced at every API boundary using Zod schemas.
  • AI-generated content is not directly executed; all workflow conditions use the filtrex safe expression evaluator rather than eval.
  • Content Security Policy (CSP) headers are applied on all responses.
  • SQL injection is prevented by Drizzle ORM's parameterised queries. No raw SQL interpolation is used in application code.

5. Penetration testing and audits

We conduct annual penetration tests performed by an independent third party. Results are triaged and remediated within SLA targets based on severity:

  • Critical: 24 hours.
  • High: 7 days.
  • Medium: 30 days.
  • Low: 90 days.

Executive summaries of penetration test reports are available to enterprise customers under NDA on request.

6. Incident response

We maintain a documented incident response plan that covers detection, containment, eradication, and recovery phases. In the event of a security incident affecting customer data:

  • We will notify affected customers within 72 hours of confirming the incident.
  • Notification will include: nature of the incident, data categories affected, likely consequences, and measures taken or proposed.
  • A post-incident review will be completed within 30 days.

7. Business continuity and backups

  • Database backups are taken every 6 hours with a 30-day retention window.
  • Point-in-time recovery (PITR) is enabled on the production database.
  • Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 6 hours.

8. Employee security

  • All team members complete security awareness training on joining.
  • Access to production systems requires MFA and hardware security keys.
  • Access is reviewed quarterly and revoked immediately on role change or departure.

9. Responsible disclosure

We welcome reports of security vulnerabilities. If you believe you have found a security issue, please email security@mother.ai with a description of the vulnerability and steps to reproduce. We commit to acknowledging all reports within 48 hours and providing a remediation timeline within 7 days. We request that you do not publicly disclose the issue until we have had the opportunity to address it.

10. Compliance

Mother AIOS is designed to help customers meet their obligations under GDPR and CCPA. A full Data Processing Agreement is available at Data Processing Agreement.

11. Contact

Security questions or reports: email security@mother.ai. General data protection queries: privacy@mother.ai.

Mother

One brain per brand. Your marketing, compounding every week.

© 2026 Mother