Cybersecurity Policy

All communications between your device and the Mulabee servers are encrypted using HTTPS with TLS 1.3, the most modern and secure protocol available. This ensures that no transmitted information can be intercepted or manipulated by malicious third parties.

Our SSL certificates are automatically renewed and continuously monitored for any security anomalies.

User passwords are never stored in plain text. We hash passwords using bcrypt with a cost factor of 12 rounds, rendering brute-force decryptions computationally unfeasible, even in the event of a database leak.

Users registering or signing in through social OAuth (Google, Apple, Facebook) do not have password hashes stored on our servers — authentication is fully handled and trusted to the respective identity provider.

User sessions are managed using cryptographically secure tokens:

• 256-bit random tokens generated with crypto.randomBytes(32).
• Only the cryptographic hash of the token is stored in the database, never the actual token itself.
• Session cookies are configured with the HttpOnly flag (inaccessible via JavaScript) and the Secure flag (only transmitted over HTTPS).
• Sessions automatically expire after 30 days of inactivity.
• Upon logging out, the session token is immediately invalidated in the database.

Mulabee integrates Stripe to process all subscriptions. Stripe is certified as a PCI-DSS Level 1 Service Provider, the absolute highest standard in the payments industry. This ensures that:

• Sensitive financial data and card numbers never touch our servers.
• Stripe encrypts all transaction details using bank-grade AES-256.
• Payments are protected against fraud using real-time machine learning (Stripe Radar).
• Complete compliance with GDPR, PSD2, and international financial regulations.

Our production databases are hosted on Neon (PostgreSQL serverless), which provides robust security features:

• Encryption of all data at rest using AES-256.
• Automatic, secure backups with isolated retention.
• Strict tenant isolation.
• Secure connections enforced through TLS.
• SOC 2 Type II compliance.

Database credentials are never stored in our codebase — they are loaded securely via runtime environment variables.

We deploy layers of defense to protect against frequent web application threats:

Business branding images, logos, and portfolio uploads are stored securely on Cloudinary:

• Images are served through a global CDN over secure HTTPS links only.
• Cloudinary operates in compliance with ISO 27001 standards.
• Executables and potentially unsafe file formats are blocked — we validate and allow only clean image formats (PNG, JPG, WebP).
• File size limits are strictly enforced (maximum 5 MB per image).

If you identify a security vulnerability within Mulabee, we kindly ask that you report it to us responsibly before disclosing it publicly.

Please report details directly to: leonardorincon0092@gmail.com

To help us address the issue quickly, please include a clear description of the vulnerability, steps to reproduce it, and its potential impact. We commit to responding within 72 hours and keeping you updated as we resolve it.

In the unlikely event of a security breach affecting personal data, we are committed to:

• Notifying all affected users within 72 hours.
• Providing a detailed explanation of the incident and what information was involved.
• Outlining the steps we have taken to mitigate the impact and secure the platform.
• Reporting the breach to the relevant data protection authorities as required by law.