Security
Where your data lives, who sees it, how to report issues
The short version of how mandatiq handles your data. The full picture lives in the Privacy Policy; this page is the operational summary an engineering team can scan in a minute.
Where your data lives
- Application + database: Supabase (eu-central-1 region) — managed Postgres + auth, EU-hosted.
- Web app: Vercel — request handling and the marketing site. Functions run in EU regions by default.
- Scanner workers: Fly.io (
fraregion, Frankfurt) — the headless browser that runs your accessibility scans. - Rate limiting: Upstash Redis (EU region) — short-lived counters only, no scan content.
- Email: Resend (US-hosted) — transactional only (scan results, billing). Customer email addresses are stored at Supabase in EU region.
- Payments: Stripe Payments Europe Ltd (Ireland). Card numbers never touch our servers.
Customer scan data — URLs, HTML snippets, screenshots, AI fix suggestions — stays in the EU. The non-EU sub-processors above are bound by Standard Contractual Clauses (2021/914) and the EU–US Data Privacy Framework where applicable.
Who has access
- Production access is restricted to a small number of admins and gated by SSO + hardware security keys.
- Sub-processors only see what their role requires (e.g. Cloudflare sees request headers, Stripe sees billing addresses, Anthropic sees rule IDs + short HTML snippets — no full pages, no PII).
- We do not sell, rent, or share customer data with third-party advertisers or data brokers under any circumstances.
What we send to AI providers
AI fix suggestions are generated by the Claude API (Anthropic PBC). For each violation we send: the WCAG criterion ID, the failing rule (e.g. color-contrast), and a short HTML snippet of the failing element. We do not send full page HTML, screenshots, customer names, or any account metadata. Anthropic does not train on data sent through their API.
Encryption
- In transit: TLS 1.2 or newer between the browser, our application, and every sub-processor listed above.
- At rest: storage-level encryption provided by each sub-processor (Supabase, Fly.io volumes, Upstash).
- API keys are stored hashed (SHA-256); the plaintext is shown to you exactly once when you create the key.
Abuse + bot defence
The free anonymous scanner is gated by Cloudflare Turnstile (privacy-respecting CAPTCHA, no third-party cookies), per-IP and per-domain daily limits, and a global daily budget cap to keep the system available during traffic spikes or scripted abuse.
Reporting a security issue
Email security@mandatiq.com with a description and a way to reach you for follow-up. We aim to acknowledge within 72 hours and to ship a fix or a mitigation as quickly as the severity allows. Please do not file public GitHub issues for unpatched vulnerabilities. Researchers should also read our SECURITY.md for the in-scope/out-of-scope list, embargo policy, and known accepted risks.
Questions about the data we collect, retention windows, or your GDPR rights as a data subject belong on the Privacy Policy — that's the legally-binding source.