Security at Mirvo

Last updated: May 19, 2026 · Version 1.0

Our commitment

Mirvo is built for sales teams that handle sensitive business contact data. We take that responsibility seriously. This page describes the technical and organizational measures we have in place to protect your data. We aim to be transparent about what we do — and what we don't yet have in place.

Data encryption

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 at the storage layer by default.

Access controls & multi-tenant isolation

Row-Level Security (RLS) is enforced at the database level on all tables. Each workspace's data is isolated — a user in workspace A cannot access data from workspace B, regardless of application-level logic. This isolation is validated through automated integration tests that run against real data on every pull request.

Authentication

Authentication is handled by a managed auth provider using industry-standard session management. Sessions are scoped and expire automatically. Admin access to internal tooling uses a separate, hardened authentication path.

Security headers

Every Mirvo response includes a hardened set of HTTP security headers:

  • Content-Security-Policy (CSP) — restricts script and resource origins
  • HTTP Strict Transport Security (HSTS)
  • X-Frame-Options: DENY — prevents clickjacking
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — disables unused browser APIs

Code review & dependency scanning

Every pull request is automatically reviewed by an AI-powered security analysis tool before merge. Dependencies are regularly audited for known CVEs, and critical vulnerabilities trigger immediate patching.

Infrastructure providers

Mirvo is built on a carefully selected set of infrastructure providers. We describe them by category here. A complete list with names, locations, and data transfer frameworks (DPF/SCCs) is available in our Data Processing Addendum or by contacting privacy@mirvo.ai.

Hosting & CDN

Leading cloud provider with EU region capability and global edge delivery network.

Database & Authentication

Managed Postgres provider with EU region. Handles data storage and user authentication.

Payment processing

PCI-DSS Level 1 certified payment processor. Covered by the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).

AI processing

Enterprise-grade LLM provider covered by DPF + SCCs. Does not train on customer data. See Privacy Policy for full details.

Email infrastructure

DPF-certified providers for transactional email (notifications, billing) and outbound email delivery (campaigns).

Product analytics

EU-resident analytics platform. All data stays in the EU (Frankfurt). No advertising profiles, no data transfers outside the EU.

Data residency

Mirvo follows a hybrid data residency model:

  • EU-only: User account data, workspace data, and product analytics are stored and processed exclusively in EU data centers (Frankfurt region). No transfer outside the EU occurs for these categories.
  • US providers with safeguards: AI processing and email delivery involve US-based providers. Both operate under the EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs), which are the recognized legal mechanisms for cross-border transfers under GDPR.

We chose this approach to balance EU data residency for the most sensitive categories with access to best-in-class providers for AI and email, where EU-based alternatives do not yet meet our reliability requirements.

Incident response

In the event of a security incident affecting personal data, Mirvo follows a structured response process:

  • We notify the French data protection authority (CNIL) within 72 hours of becoming aware of a breach affecting EU users, as required by GDPR Article 33.
  • Affected users are notified directly without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
  • A post-mortem describing the incident, its scope, and remediation steps will be published at status.mirvo.ai (coming soon) for material incidents.

To report a suspected security issue, email security@mirvo.ai. We treat all security reports seriously and aim to respond within 24 hours.

Roadmap

Mirvo is committed to obtaining SOC 2 Type II certification as we scale. We have not yet set a public timeline for this. We will update this page when certification milestones are reached.

Contact

Security questions: security@mirvo.ai
Privacy and data questions: privacy@mirvo.ai