Security & data handling

What MITPO stores, how it is protected, and how your data flows through the platform.

Platform controls

Security basics for operators who want to know where their data sits

This page describes the controls that are in place today. It does not claim certifications MITPO has not yet earned — the goal is accurate description, not sales-grade security theater. Formal attestations and the full Trust Center land as separate publish events.

  • For the formal DPA, sub-processor list, and vulnerability-reporting path, see the Trust Center (forthcoming).

Data we store

We store the data required to deliver the product: your account, the brand and audience context you teach the system, the generations you produce, and the messages in your threads. We do not train general foundation models on your content.

| Category | What | Retention |
|---|---|---|
| Account | Email, hashed password or OAuth identifier, name. | Until account deletion. |
| Brand + audience | Uploaded documents, extracted context, voice rules. | Until you delete the record. |
| Generations | Image/video/speech outputs and associated prompts. | Soft-deleted for 30 days, then purged. |
| Chat + threads | Marketing Assistant transcripts + memory. | Persistent; memory GC rolls off inactive items after 365 days. |
| Billing | Stripe customer record + credit ledger. | As required by tax/accounting law (7 years). |

Auth and isolation

Authentication is handled by Better Auth with either email/password or OAuth (Google, GitHub). Sessions are cookie-based with cross-subdomain scope for marketing + app. Row-level security is enforced at the database layer so users can never see another tenant's data — even if an app-level bug tried to query across tenants.

  • Email/password plus OAuth SSO (Google, GitHub) via Better Auth.
  • Postgres row-level security FORCE on user, session, account, verification, brand, and generation tables.
  • Session cookies are HTTP-only and secure-flagged in production.
  • API routes are gated at the middleware layer; unauthenticated requests to app paths 307 to login.
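
To make the FORCE row-level security control above concrete, here is an added Postgres sketch; it is not MITPO's schema or code. The `user_id` column, the `app_rw` role and the `app.current_user_id` setting are assumed names, and the script is meant to be run as a superuser in a scratch database.

```sql
-- Added illustration, not MITPO's schema. Column, role and setting names are assumed.
CREATE ROLE app_rw;                       -- assumed app role: not superuser, no BYPASSRLS
CREATE TABLE generation (
    id      bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    user_id text NOT NULL,                -- assumed tenant key
    prompt  text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON generation TO app_rw;

-- ENABLE applies policies to ordinary roles; FORCE also applies them to the table owner.
-- Superusers and roles with BYPASSRLS skip policies either way, so the app must not use one.
ALTER TABLE generation ENABLE ROW LEVEL SECURITY;
ALTER TABLE generation FORCE  ROW LEVEL SECURITY;

-- A row is readable (USING) and writable (WITH CHECK) only when it matches the
-- per-transaction tenant setting. current_setting(..., true) yields NULL or an
-- empty string when the setting is absent, so no row matches and access fails closed.
CREATE POLICY tenant_isolation ON generation
    USING      (user_id = current_setting('app.current_user_id', true))
    WITH CHECK (user_id = current_setting('app.current_user_id', true));

-- Constructed sample rows, one per tenant.
BEGIN;
SELECT set_config('app.current_user_id', 'user_a', true);   -- true = transaction-local
INSERT INTO generation (user_id, prompt) VALUES ('user_a', 'spring launch banner');
COMMIT;
BEGIN;
SELECT set_config('app.current_user_id', 'user_b', true);
INSERT INTO generation (user_id, prompt) VALUES ('user_b', 'podcast intro voiceover');
COMMIT;

-- Simulated app-level bug: queries with no tenant filter, run as the app role for user_a.
BEGIN;
SET LOCAL ROLE app_rw;
SELECT set_config('app.current_user_id', 'user_a', true);
SELECT user_id, prompt FROM generation;   -- USING clause limits this to user_a's rows
INSERT INTO generation (user_id, prompt)
VALUES ('user_b', 'cross-tenant write');  -- WITH CHECK rejects a row for another tenant
ROLLBACK;

-- Audit check: both flags should be true on every tenant table.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class WHERE relname = 'generation';
```

The audit query at the end is the quick check that FORCE is set on a tenant table and not only ENABLE.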

Encryption + transport

Traffic between your browser and the app is encrypted with TLS. Data at rest in Postgres is encrypted by our hosting provider. Generated assets (images, videos, audio) live in a private object-store bucket and are served only via short-lived signed URLs through an authenticated streaming route, never a raw public link.

  • TLS in transit (HTTP Strict Transport Security enabled).
  • Provider-level encryption at rest for database and object storage.
  • Signed URLs for asset access, 60-second expiry on re-sign, ownership check per request.

AI providers

MITPO orchestrates multiple underlying AI providers. Your prompts and the assets you generate are sent to the provider you select in the model picker (or the default for your plan). We do not share data between providers beyond what is required to fulfill the specific generation you requested.

See also

  • Privacy Policy: The full statement of what we collect, why, and your rights.
  • Legal & Trust: Sub-processors, AI use policy, and other disclosures.

Incident response

If a security incident occurs, we notify affected users within the timeline required by applicable law (generally 72 hours for material incidents). Ongoing status is published to the legal page and, for widespread incidents, to the landing banner.

© 2026 MITPO