Security

How Mira protects your investigations

Your searches, your logins, and your reports are private to you and your team. Nobody at Insight AI Systems browses your investigations. Nobody outside your organisation can see them. Here’s exactly how we enforce that — written in plain English so you can decide for yourself.

Our promise

Mira is a high-trust research platform used by lawyers, lenders, accountants, and business owners to make decisions about real people and real companies. Trust is the product. We design every feature with one rule: the only people who should ever see your work are people you authorise.

We do not sell your data, we do not share it with third parties for marketing, and we do not use your investigations to train AI models.

What we protect

  • The names, companies, and identifiers you ask Mira to research.
  • The transcripts of your voice conversations with Mira and your PA.
  • The reports our specialist agents produce for you.
  • Your sign-in credentials and account details.
  • Your billing information (handled by Stripe — we never see your card number).

How we protect it

Tenant isolation

Every record in our database is tagged to your organisation. The database itself refuses to return another organisation’s data, even if our application code asks for it.

Row-Level Security on every table

Access rules are enforced at the database layer, not in the user interface. A bug in our app cannot leak data because the database is the gatekeeper.

Encryption

TLS 1.2 or higher in transit on every connection. Data at rest is encrypted by our managed cloud provider.

Strong authentication

Email and password (with leaked-password screening), Google sign-in, or SAML 2.0 single sign-on for enterprise tenants. Email verification is required. Public sign-up is disabled — Mira is invite-only.

Roles that can’t escalate

User roles live in their own database table and are checked through a privileged function. A compromised account cannot grant itself admin rights.

Verified webhooks

Every payment notification from Stripe is signature-verified before we touch the database, using a constant-time comparison to prevent timing attacks.
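The check described above, as an added example that is not Mira's own code: it implements Stripe's documented scheme, in which the Stripe-Signature header carries t=<unix time> and one or more v1=<hex HMAC-SHA256 over "<t>.<raw body>"> values keyed by the endpoint's signing secret, and it rejects stale timestamps so a captured notification cannot be replayed. The secret and payload are constructed placeholders, and make_signature_header exists only to build test input (in production Stripe produces the header).

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

TOLERANCE_SECONDS = 300  # Stripe's documented default replay window

# Constructed sample values; a real endpoint secret comes from the Stripe dashboard.
SAMPLE_SECRET = "whsec_placeholder_secret"
SAMPLE_PAYLOAD = b'{"id":"evt_placeholder","type":"checkout.session.completed"}'


def parse_signature_header(header: str) -> Tuple[int, List[str]]:
    """Split 't=...,v1=...' into the timestamp and every v1 signature present."""
    timestamp: Optional[int] = None
    signatures: List[str] = []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            signatures.append(value)
    if timestamp is None or not signatures:
        raise ValueError("malformed Stripe-Signature header")
    return timestamp, signatures


def verify_stripe_webhook(payload: bytes, header: str, secret: str,
                          now: Optional[int] = None) -> bool:
    """Return True only for a fresh, correctly signed raw request body."""
    now = int(time.time()) if now is None else now
    try:
        timestamp, signatures = parse_signature_header(header)
    except ValueError:
        return False
    # Reject old events so a captured valid notification cannot be replayed later.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False
    signed_payload = f"{timestamp}.".encode() + payload  # sign the raw bytes, never re-serialised JSON
    expected = hmac.new(secret.encode(), signed_payload, hashlib.sha256).hexdigest().encode()
    # compare_digest takes the same time wherever the inputs first differ, so response
    # timing does not reveal how many leading bytes of a guessed signature were right.
    return any(hmac.compare_digest(expected, sig.encode()) for sig in signatures)


def make_signature_header(payload: bytes, secret: str, timestamp: int) -> str:
    """Demo-only helper mimicking what Stripe sends; used to build test inputs."""
    mac = hmac.new(secret.encode(), f"{timestamp}.".encode() + payload, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"
```

Run the check on the raw request body before any JSON parsing, because re-serialising the event changes the bytes and breaks the signature.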

Continuous scanning

Aikido scans every code change for vulnerabilities, exposed secrets, vulnerable dependencies, and misconfigured infrastructure.

Append-only audit

Sign-in events, payment events, integration syncs, and admin actions are written once and cannot be modified afterwards.

Backups & recovery

Point-in-time recovery on the primary database, managed by our cloud provider.

Who can see your data

Only members of your organisation that you have invited. Insight AI Systems engineers do not browse customer investigations. The only time an engineer accesses tenant data is when you raise a support ticket and explicitly grant access in writing — and that access is logged.

We do not sell or share your data with third parties for advertising or marketing. We do not use your inputs or outputs to train AI models.

Authentication options

  • Email + password with leaked-password (HIBP) screening on every change.
  • Google sign-in.
  • SAML 2.0 single sign-on for enterprise tenants — domain-bound.
  • Email verification required before first sign-in.
  • Public sign-up disabled — accounts are invite-only.

Reporting a security issue

If you believe you have found a vulnerability, please email alan@chattomira.com with the subject line SECURITY — <short summary>. We acknowledge inside one business day (NZ time). Full disclosure rules, in-scope hostnames, and SLAs are documented in our public SECURITY.md.

What’s on the roadmap

We’re honest about what we don’t yet have. The following are planned but not in place today:

  • SOC 2 Type II report
  • ISO 27001 certification
  • Formal third-party penetration test
  • SCIM auto-provisioning for enterprise tenants

If your procurement process needs any of these to evaluate Mira, contact us and we’ll share our current timeline.

Last updated 13 June 2026.