Data handling — encryption, storage, processing.
Concrete answers to the security questions every IT and Legal team asks before approving Mama. Encryption posture, storage location, processor list, security certifications.
TL;DR
AES-256 at rest, TLS 1.2+ in transit. Primary data in AWS us-east-1 (Company tier can request EU). 6 sub-processors (AWS, Stripe, Postmark, Crunchbase, ZoomInfo, Listen Notes) — full list at /security. SOC 2 Type II in progress (Q3 2026 target). GDPR-compliant DPA available on request.
01 Encryption
- At rest: AES-256 via AWS KMS-managed keys for primary data; per-workspace key isolation on Company tier
- In transit: TLS 1.2 minimum, TLS 1.3 preferred. HSTS enforced.
- API keys / secrets: stored hashed (bcrypt) — we can never recover, only verify
- Database backups: encrypted with the same key hierarchy as primary storage
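Verify-only storage of API keys, as the list above describes, shown as an added example that is not Mama's code: the standard library's PBKDF2-HMAC stands in for bcrypt so the snippet runs without extra packages, and the `mk_` key format, key-id length and iteration count are assumptions.

```python
"""Verify-only API key storage: keep a salted slow hash, never the key.

Added illustration, not Mama's implementation. PBKDF2-HMAC is used in place of
bcrypt so this runs on a bare Python install; the storage pattern (hash only,
non-secret lookup prefix, constant-time compare) is the same either way.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: tune to your own latency budget

# Constructed in-memory "table": key_id -> (salt, hash). No plaintext is kept,
# so a database leak or an insider with read access gets only hashes.
_KEYS: dict[str, tuple[bytes, bytes]] = {}


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)


def issue_key() -> str:
    """Create a key, store only its hash, and return the plaintext exactly once."""
    key_id = secrets.token_hex(4)       # public lookup handle; hashes cannot be searched
    secret = secrets.token_urlsafe(32)  # the part that must never be stored
    salt = secrets.token_bytes(16)
    _KEYS[key_id] = (salt, _digest(secret, salt))
    return f"mk_{key_id}_{secret}"      # assumed format: mk_<key_id>_<secret>


def verify_key(presented: str) -> bool:
    """True only if the presented key re-hashes to the stored value."""
    try:
        prefix, key_id, secret = presented.split("_", 2)
    except ValueError:
        return False
    if prefix != "mk" or key_id not in _KEYS:
        return False
    salt, stored = _KEYS[key_id]
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(_digest(secret, salt), stored)


def stored_material(key_id: str) -> tuple[bytes, bytes] | None:
    """Everything an operator (or a leaked backup) can see: salt and hash only."""
    return _KEYS.get(key_id)
```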
02 Storage location
Primary data infrastructure: AWS us-east-1 (Northern Virginia). All persistent stores (Postgres, Redis, S3) live in this region.
Company tier customers can request EU residency — primary data moves to AWS eu-west-1 (Ireland). Available in addition to standard contractual commitments.
CDN edge for static assets is global (Cloudflare); no PII transits the CDN.
03 Sub-processors
Full list, always current at /security:
| Vendor | Purpose | Data processed |
|---|---|---|
| AWS | Infrastructure | All workspace data |
| Stripe | Payment processing | Billing info only |
| Postmark | Transactional email | Email addresses + email content |
| Crunchbase | Firmographic data ingest | Public company data (no customer data sent) |
| ZoomInfo | Contact data ingest | Public contact data (no customer data sent) |
| Listen Notes | Podcast transcripts ingest | None (read-only) |
Adding a new sub-processor triggers an email notice to all workspace admins 30 days before activation.
04 Internal access controls
Mama employees can access customer data only when:
- You explicitly request support and grant temporary access via the workspace settings
- A security incident requires access — audited and reported to affected customers
- Required by court order — we challenge invalid requests and notify customers when legally allowed
All employee access is audit-logged. Quarterly access review by the security lead.
05 Certifications & assessments
- SOC 2 Type II — in progress, target Q3 2026. SOC 2 Type I report available now on request (under NDA).
- GDPR — DPA available on request, with EU-residency option for Company tier
- HIPAA — not currently; we don't process PHI
- ISO 27001 — under evaluation
06 Vulnerability management
- Penetration test: annually by an independent firm, plus on every major release
- Dependency scanning: Snyk + GitHub Dependabot, every PR
- Bug bounty: private bounty via HackerOne, public planned for 2027
- Security report intake: [email protected] — PGP key on /security
07 Breach notification
Per our DPA: notification within 72 hours of confirmed breach affecting customer data. Notification includes scope, root cause, remediation steps, and ongoing risk.
"Confirmed breach" definition: a security incident where unauthorized access to customer data is confirmed or strongly suspected. Suspected-but-unconfirmed incidents are still investigated within the same window, but notification timing is contingent on confirmation.