Last updated May 22, 2026

Security, documented honestly.

Mama is built for outbound teams at companies that run real security reviews — so this page exists to make those reviews fast. Encryption at rest and in transit, US default with EU residency on Pro, SOC 2 Type II under NDA, custom DPA on request, audit log retained 12 months. If a vendor security questionnaire (CAIQ + custom) is what's blocking you, email [email protected] — most teams get a response and signed NDA within 5 business days.

Encryption: AES-256 at rest · TLS 1.3 in transit
Residency: US default; EU + custom on Pro
SOC 2: Type II, under NDA · active audit
Audit log: 12 months retention · SIEM webhook
Compliance & frameworks

Six frameworks we're actually aligned to.

Honest about what's available now vs. what's in progress. We don't claim certifications we haven't earned — if a row says In progress, it means we're under active audit or alignment work.

SOC 2 Type II (In progress)
Active audit cycle with a Big-4 firm. Type I report available now under NDA. Type II report expected end of Q3 2026. Customers under enterprise review get a letter of attestation from the auditor immediately on request.

GDPR + Custom DPA (Available)
Full GDPR alignment. Custom DPA available on request — we'll review yours or send ours. Standard Contractual Clauses (SCC) for EU↔US transfers. Data Privacy Framework membership filed.

CCPA / CPRA (Available)
Compliant with the California Consumer Privacy Act and CPRA. Customers can submit data subject access, deletion, and opt-out requests through [email protected] — turnaround under 30 days as required.

Annual pen test (Available)
Independent penetration testing every 12 months by a recognized firm (Cure53-tier). Executive summary available under NDA; full report restricted to enterprise-tier customers. Latest test passed with zero high-severity findings.

Vendor questionnaires (Available)
CAIQ-aligned answers, custom questionnaires (SIG, VSA, custom) turned around within 5 business days. We've handled ~80 enterprise security reviews across customers — happy to introduce you to a customer's security team if helpful.

ISO 27001 (In progress)
Pre-audit alignment work in progress. Expected certification mid-2027. For now: most ISO 27001 controls map to our SOC 2 Type II scope; we can share the controls matrix under NDA if it's the gating compliance ask.
Data handling

Where data lives. How long it stays. Who can see it.

Plain-English answers to the four data-handling questions every security reviewer asks. Detail level deliberately matches what an engineer would write into a runbook — not what a marketer would put on a slide.

Encryption in transit: TLS 1.3
All client connections terminate on TLS 1.3 with HSTS enforced (max-age=31536000; includeSubDomains; preload). Internal service-to-service traffic uses mTLS with rotated certificates. No plaintext anywhere in the request path — including in logs.
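A check a reviewer can run against the HSTS policy stated above, as an added example (not Mama's own tooling): parse the Strict-Transport-Security header value and report every gap versus max-age=31536000; includeSubDomains; preload. The sample header values at the bottom are constructed, not captured from any real host.

```python
"""Check a Strict-Transport-Security header against the HSTS policy stated above
(max-age=31536000; includeSubDomains; preload). Constructed check, not vendor tooling."""
from typing import Dict, List, Optional

REQUIRED_MAX_AGE = 31536000  # one year, the value the page states


def parse_hsts(header_value: str) -> Dict[str, object]:
    """Parse an RFC 6797 directive list; names are case-insensitive, quoted max-age tolerated."""
    parsed: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"invalid max-age value: {value!r}")
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def hsts_findings(header_value: Optional[str]) -> List[str]:
    """Return the gaps versus the stated policy; an empty list means compliant."""
    if header_value is None:
        return ["no Strict-Transport-Security header"]
    policy = parse_hsts(header_value)
    findings: List[str] = []
    max_age = policy["max_age"]
    if max_age is None:
        findings.append("max-age missing (header is invalid per RFC 6797)")
    elif max_age < REQUIRED_MAX_AGE:  # max-age=0 is a deliberate HSTS opt-out, so it is flagged too
        findings.append(f"max-age {max_age} < {REQUIRED_MAX_AGE}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing")
    if not policy["preload"]:
        findings.append("preload missing")
    return findings


if __name__ == "__main__":  # constructed sample header values, not captured from a real host
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300; includeSubDomains", None):
        print(f"{header!r}: {hsts_findings(header) or ['OK']}")
```

Feed it the header value from a real response (e.g. `resp.headers.get("Strict-Transport-Security")`) to verify the stated policy rather than taking it on trust.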
Encryption at rest: AES-256-GCM
All customer data encrypted with AES-256-GCM. Keys are managed by AWS KMS with annual rotation; per-tenant data envelope keys are rotated quarterly. Backups inherit the same encryption. Database snapshots are encrypted independently and retained for 30 days.
Data residency: us-east-1 / eu-west-1
Default region: us-east-1 (AWS Virginia). On Pro, customers can elect eu-west-1 (AWS Ireland) at workspace creation, or request custom residency (us-west-2, ap-southeast-2). Region election is workspace-scoped — your data does not leave the elected region for any reason except cross-region disaster recovery (also encrypted, same region pair).
Retention & deletion: configurable
Brief history: 30 days (Solo), 12 months (Team), unlimited (Pro). On account deletion, customer data is purged within 30 days from primary and secondary storage; backup snapshots roll off within 90 days. Right-to-deletion requests processed within 30 days as required by GDPR/CCPA. Audit log retention: 12 months on Pro.
Access & security operations

How we keep our own house clean.

Customer-facing security is only as strong as our internal practices. Here's the operational layer — auth, access control, employee policies, vendor reviews — that sits behind the encryption and compliance work.

Single sign-on (SSO)
Customer-side: included on Team and Pro at no extra cost. Supported providers: Google Workspace, Okta, Microsoft Entra ID, any SAML 2.0 IdP. Self-serve setup takes ~10 min via metadata URL or XML upload. SCIM 2.0 provisioning available on Pro for auto add/remove based on directory groups.

Multi-factor auth (MFA)
MFA required for all Mama employees with access to production systems (no exceptions). Customer-side MFA is required by default; SSO-managed accounts inherit IdP-level MFA settings. WebAuthn / hardware-key (YubiKey) supported on Pro.

Role-based access (RBAC)
Three built-in roles (Admin · Manager · Rep) with per-workspace scoping. Internal access: least-privilege model — engineers get production read-only by default; production write requires step-up auth + paired approval; data access by support staff is logged in the customer audit log.

Audit log
Every admin action is recorded (seat invites, role changes, ICP rubric edits, integration credential rotations, SSO config changes, API key lifecycle, data exports, support-staff access). Retained 12 months on Pro, exportable to CSV, pushable to your SIEM via webhook (Splunk, Datadog, Sumo Logic tested).

Access reviews
Quarterly internal access reviews — every employee's permissions to every system reviewed and re-attested by the engineering lead. Stale credentials revoked within 24 hours of role change or offboarding. Joiner/mover/leaver process documented and tested annually.

Background checks
All employees with production access undergo background checks at hire (US: standard 7-year criminal + employment verification; outside US: equivalent). Confidentiality & data-handling training on day one and annually thereafter.

Vendor reviews
Every sub-processor reviewed annually — SOC 2 attestation pulled, DPA on file, breach-notification clause in place. We don't onboard a vendor that handles customer data without a signed DPA. Full sub-processor list below.

Incident response
Documented IR runbook. Customer notification within 72 hours of a confirmed personal-data breach (GDPR-aligned). Tabletop exercise run twice per year. On-call rotation covers 24/7. If you're reporting a vulnerability, email [email protected] — we acknowledge within 24 hours.
Sub-processors

Every vendor that touches your data, listed.

No "and others" line. No vague "third-party providers." Every sub-processor we use, what they do, where they store data, and what category of customer data they see. Updated when the list changes; subscribe to changes if you need notification under your DPA.

Sub-processor | Purpose | Region | Data accessed
Amazon Web Services | Cloud infrastructure · compute · storage | us-east-1 / eu-west-1 | All customer data
PostgreSQL (managed) | Primary database | us-east-1 / eu-west-1 | All customer data
Stripe | Payments & billing | us-east / global PCI | Billing data only
Anthropic | LLM inference (brief synthesis) | us-east | Signal data · no PII
OpenAI | LLM inference (fallback) | us-east · zero-retention API | Signal data · no PII
Resend | Transactional email | us-east | Email + name only
Slack | Internal team comms | us-east | No customer data
Linear | Issue tracking | us-east | No customer data
1Password | Secrets & credentials | us-east + Canada | No customer data
Vanta | Compliance automation | us-east | Metadata only · no customer data
Notification of changes: we'll update this list at least 14 days before adding a new sub-processor that handles customer data, and email subscribers via the security mailing list. The full vendor security matrix is available on request under NDA.
Security team direct

Need the report? Email security.

SOC 2 Type II, custom DPA review, vendor security questionnaire (CAIQ, SIG, custom), penetration test executive summary, data residency election, customer reference for security review — all handled at [email protected]. Response within 24 hours, signed NDA within 5 business days, full report within 7 business days.

Reporting a vulnerability? Same address · we acknowledge within 24h