Honest, not theatrical.
We're a small team. We tell you what we actually do, and what's on the roadmap. We don't claim certifications we haven't earned.
Because in a real sense, it is. Our first customer is a London studio one of our founders runs. Whatever we ship has to be safe enough for that studio first.
Our AI vendors are contractually barred from training their general-purpose models on your data. When we improve Mekkan's AI, we use aggregated, de-identified data only.
Owner identity is bound to each session on our backend, never trusted from the client. Studios cannot see each other's data even by tampering with a request.
TLS for everything in transit. AES-256 at rest for application databases. Card data never touches our servers — Stripe handles it.
Application servers and primary databases are hosted on enterprise cloud infrastructure in the UK and EU. Personal data of UK and EU studios stays in this region. We document data flows to US-based sub-processors (Anthropic, ElevenLabs, Stripe) in our Privacy Policy and protect transfers using the UK IDTA or UK Addendum to the EU SCCs.
All traffic between your browser, our servers, and our sub-processors is encrypted with TLS 1.2+. Application databases and backups are encrypted at rest with AES-256. Secrets and tokens are encrypted using cloud-provider key management. We do not store raw card numbers — Stripe handles all card processing and we only retain a Stripe customer reference.
Passwords are hashed with bcrypt (cost factor tuned for current hardware). Sessions are signed JWTs with short-lived expiry and refresh. Multi-tenant identity is enforced server-side on every request — the JWT carries an organisation reference that is validated against the requested resource. We have rate-limiting on authentication endpoints and structured audit logs on security-relevant events (login, password change, role grant).
Every row in our database is scoped by organisation. Backend services derive organisation context from the authenticated session and apply row-level filtering — there is no API path that bypasses this check. Voice sessions with Leon bind the owner's organisation server-side at session start, so a tampered client cannot impersonate another studio.
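The tenant-binding pattern described above, as an added illustration rather than Mekkan's own code: the organisation comes only from a verified, signed session token, every lookup carries that organisation as part of its key, and a token whose organisation claim has been rewritten by the client fails signature verification. Everything in it is constructed for the example (the HS256 signing key, the `BOOKINGS` rows, the function names); a real service would load the key from its key-management service and run the filter as a database predicate rather than a list comprehension.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; the page says real secrets live in cloud-provider key management.
SIGNING_KEY = b"constructed-demo-signing-key"


class AuthError(Exception):
    """Token missing, malformed, tampered with, or expired."""


class NotFound(Exception):
    """Row does not exist for this organisation (same answer whether it is foreign or absent)."""


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, org_id: str, ttl_seconds: int = 900, now=None) -> str:
    """Mint a short-lived HS256 JWT whose claims bind the user to exactly one organisation."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "org": org_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_token(token: str, now=None) -> dict:
    """Return the claims only if the signature, algorithm, expiry and org claim all check out."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and a wrong number of segments
        raise AuthError("malformed token")
    if header.get("alg") != "HS256":  # pin the algorithm; never honour "none" or a key switch
        raise AuthError("unexpected alg")
    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise AuthError("bad signature")
    if claims.get("exp", 0) <= now:
        raise AuthError("expired")
    if not claims.get("org"):
        raise AuthError("no organisation claim")
    return claims


# Constructed sample rows: every row carries the organisation that owns it.
BOOKINGS = [
    {"id": 1, "org_id": "org_a", "client": "Alice", "service": "colour"},
    {"id": 2, "org_id": "org_a", "client": "Bea", "service": "cut"},
    {"id": 3, "org_id": "org_b", "client": "Cara", "service": "cut"},
]


def org_from_session(token: str, now=None) -> str:
    """The only source of organisation context: the verified session, never a request field."""
    return verify_token(token, now)["org"]


def list_bookings(token: str, now=None) -> list:
    org = org_from_session(token, now)
    return [row for row in BOOKINGS if row["org_id"] == org]  # row-level filter on every query


def get_booking(token: str, booking_id: int, now=None) -> dict:
    org = org_from_session(token, now)
    for row in BOOKINGS:
        # Ownership is part of the lookup key, so a foreign id is indistinguishable from a missing one.
        if row["id"] == booking_id and row["org_id"] == org:
            return row
    raise NotFound(booking_id)


def list_bookings_insecure(requested_org_id: str) -> list:
    """Anti-pattern kept for contrast: organisation taken from the client's request, so any caller can pick any tenant."""
    return [row for row in BOOKINGS if row["org_id"] == requested_org_id]


def with_org_claim_rewritten(token: str, new_org: str) -> str:
    """Test helper: what a tampered client can produce without the signing key (rewritten claims, stale signature)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims["org"] = new_org
    return ".".join([header_b64, _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()), sig_b64])
```

The `now` parameter exists so expiry can be exercised deterministically; production code would leave it at the default. The point of `get_booking` returning the same `NotFound` for both a missing row and another tenant's row is that an identifier-guessing client learns nothing about other studios' data, which is the property the page claims for "tampering with a request".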
Leon is built on Claude (Anthropic) and ElevenLabs voice. Both vendors operate under commercial terms that prohibit training their general models on our customer data. Voice transcripts are retained for 90 days (see Privacy Policy section 8) and then automatically deleted. Aggregated, de-identified data may be used for our own quality measurement and prompt tuning — never for third-party model training.
Application databases are backed up daily, with point-in-time recovery available for the previous 7 days. Backups are encrypted to the same standard as the live database. We test recovery quarterly against a sample dataset. RPO and RTO targets are documented internally and shared on request with enterprise customers.
Production access is restricted to founders and approved engineers, gated by MFA-protected accounts. We follow the principle of least privilege. Every privileged action against production data is logged. We do not access studio data for any reason other than support requests you raise, security investigations, or where legally required.
Structured logs cover authentication events, role changes, billing events, and webhook deliveries. We retain audit logs for 12 months. Application errors and anomalies are surfaced to the on-call founder in near real time.
If we identify a security incident affecting your data, we contain it, investigate the scope, and notify you and the UK Information Commissioner's Office without undue delay — and, where required by law, within 72 hours. Our notification will describe what happened, what data was affected, the steps we've taken, and what (if anything) you should do.
We're at the stage where building real security primitives matters more than chasing certificates. Here's what's queued, in roughly this order:
If you're an enterprise prospect and want to discuss any of these on a timeline, email hello@mekkan.ai.
Email security@mekkan.ai with a clear description and reproduction steps. We will acknowledge within 48 hours, work with you in good faith on a fix, and credit you in our changelog once the issue is resolved (unless you ask us not to).
Please do not test against production studios that are not yours, do not run automated scanners that may degrade the service for other tenants, and do not access data beyond what is necessary to demonstrate the issue. Acting in good faith and within these boundaries means we will not pursue legal action.
See our Privacy Policy for the full picture on data handling and your rights under UK GDPR.