Mentionwell

Trust

Security

Last updated

Plain-language overview of how Mentionwell is engineered for security. For a counter-signed Data Processing Addendum, see /dpa. For the active subprocessor list, see /subprocessors.

1. Infrastructure

The dashboard, public API, and pipeline workers run on managed cloud platforms (Railway and Cloudflare). Customer data is stored in managed Postgres on Supabase and object storage on Cloudflare R2. The marketing site is a static Astro build served from edge CDN.

2. Authentication and access

  • Per-site read-only API keys with rotation.
  • Session cookies with secure attributes (HTTPS-only, SameSite, HTTP-only) for the dashboard.
  • Cron-secret-protected internal endpoints; no implicit trust between services.
  • Engineer access to production is least-privilege and reviewed quarterly.

3. Encryption

  • In transit: TLS 1.2 or higher on every public endpoint, including marketing, dashboard, API, and feeds.
  • At rest: provided by our database (Postgres on Supabase) and object storage (Cloudflare R2) subprocessors.
  • Secrets: API keys, model credentials, and webhook secrets are stored in a secret manager and never written to logs.

4. AI provider boundaries

The Service calls Anthropic and OpenAI commercial APIs to generate article content. Per provider terms in effect at the time of this writing, content sent through commercial APIs is not used to train provider models. We pass only the content needed to fulfill your request and never send your account credentials.

The full subprocessor list, including AI providers and their privacy policies, is at /subprocessors.

5. Monitoring and incident response

  • Application and pipeline logs are retained for at least 30 days; security-relevant logs longer.
  • Anomaly and error rates are monitored continuously.
  • If a Security Incident affecting customer data is confirmed, we will notify affected customers within 72 hours of confirmation, with the information available at that time.

6. Data isolation

Customer data is logically isolated by site identifier. We do not share article content across customer sites, and our generation pipeline does not cross-contaminate one customer's brand profile into another's. Generated images are stored in customer-keyed paths in object storage.

7. Personnel

  • Engineers and operators who can access production are bound by confidentiality obligations.
  • Production access is logged and reviewed.
  • Onboarding and offboarding follow a documented checklist (account provisioning, key rotation, access revocation).

8. Compliance roadmap

Mentionwell is in public preview. We are working towards SOC 2 Type II readiness. Customers under a Data Processing Addendum receive advance notice of changes to subprocessors and may request our latest security questionnaire response by emailing security@mentionwell.com.

9. Vulnerability disclosure

If you believe you have found a vulnerability, please report it responsibly:

Please do not test against accounts other than your own, do not exfiltrate data beyond what's needed to demonstrate the issue, and give us reasonable time to remediate before public disclosure. We will acknowledge reports within 3 business days and keep you updated on the fix.

10. Contact

Security: security@mentionwell.com · Privacy: privacy@mentionwell.com

See also

Data Processing Addendum Subprocessors Privacy Policy security.txt