
Security

Last updated: June 3, 2026

1. Security at a glance

  • Stateless by design. No application database. Parsed uploads live in an in-process map with a hard 24-hour TTL and are discarded on process restart.
  • HMAC-signed API keys. Keys are self-contained, scoped credentials signed with MAPR_KEY_SECRET. There is no shared session store; revocation is enforced by a server-side deny-list checked on every request.
  • Schema-only by default. Only column headers and up to three sample row values per column (truncated to 80 characters) leave the customer. Full-data mode is delegated to PHI Gateway under a separate BAA.
  • 24-hour upload TTL. File caches expire automatically; there is no manual flush required and no opaque background retention.
  • BYO-LLM-key support. Customers can supply their own provider keys, in which case the call is made under their provider account and the LLM cost is removed from the per-call price.

2. Encryption

  • In transit: TLS 1.3 with modern ciphers (AEAD-only); legacy TLS 1.0/1.1 disabled at the edge; HSTS with preload directive.
  • At rest: AES-256 (GCM) for any persisted state — account database, audit logs, encrypted BYO-LLM credentials.
  • Key management: envelope encryption with KMS-managed root keys. BYO-LLM credentials are encrypted per-workspace with a unique data encryption key, wrapped by the KMS root.
  • Secrets: MAPR_KEY_SECRET,PHI_GATEWAY_URL, CHAINLOG_API_KEY and related secrets are injected at deploy time from Vercel encrypted environment variables; they are never committed to source control and never logged.

3. Access control

  • RBAC in the dashboard. Roles: Owner, Admin, Developer, Viewer. Role assignments are workspace-scoped and audit-logged.
  • Scoped API keys. Each key encodes its allowed mode (schema-only vs full-data), allowed endpoint family, and optional rate-limit override.
  • IP restrictions. Pro and Enterprise plans can bind keys to CIDR allow-lists enforced at the edge.
  • SSO. Enterprise plans support SAML 2.0 and OIDC single sign-on against the customer's IdP, with SCIM provisioning on request.
  • MFA. TOTP-based MFA is supported for all plans and enforced for Owner and Admin roles on Pro and Enterprise.
  • Audit logging. Authentication events, authorisation decisions, configuration changes, and mapping commits are written to an append-only audit log retained for seven years.

4. Network security

  • Edge. Cloudflare DNS and proxy in front of every public hostname, with always-on DDoS protection and a managed ruleset for OWASP Top 10 categories.
  • Application edge. Vercel edge functions and Frankfurt-region serverless runtime; static assets served from the Vercel CDN.
  • Security headers. CSP with default-src 'none', HSTS with preload, COEP / COOP / CORP configured for the dashboard and Workbench, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin.
  • CORS. The REST API rejects browser-originated cross-origin requests; the embeddable Workbench whitelists customer-configured origins only.

5. Application security

  • Input validation. Every API route validates input with strict schemas before any downstream call; field-level validators (regex, iban, gtin, loinc, snomed, icd10, npi) gate mapping outputs.
  • Schema-only enforcement. Sample rows are clamped at the HTTP edge by clampForSchemaOnly() — there is no code path that lets full-row content into a schema-only workspace.
  • Rate limiting. Per-key sliding-window rate limiter enforced before any billable work begins; abusive patterns trigger automatic backoff and alerting.
  • Dependency scanning. Daily automated scans of npm dependencies (Snyk and GitHub Dependabot); critical vulnerabilities patched within 48 hours, high within 7 days.
  • Penetration testing. Annual third-party penetration test of the public API, dashboard, and Workbench. Executive summaries are available to Pro and Enterprise customers under NDA.
  • SAST. Static analysis runs on every pull request; merges to main require a clean run plus a human reviewer.
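The schema-only rule stated in sections 1 and 5 (column headers plus at most three sample values per column, each truncated to 80 characters, clamped before anything leaves) can be expressed as a clamp function paired with an edge guard. This is an added example, not AdaptivMapr's clampForSchemaOnly(); the parsed-upload shape `{ columns: [...], rows: [[...], ...] }`, the choice of the first three non-empty cells as samples, and the `isSchemaOnly` guard are assumptions.

```javascript
// Added example, not AdaptivMapr's code. Assumed parsed-upload shape:
//   { columns: ['header', ...], rows: [[cell, cell, ...], ...] }
const MAX_SAMPLES = 3; // at most three sample values per column
const MAX_LEN = 80;    // each sample truncated to 80 characters

// Truncate by code point so a surrogate pair is never split at the cut.
function truncate(value) {
  const s = typeof value === 'string' ? value : String(value);
  const cps = Array.from(s);
  return cps.length > MAX_LEN ? cps.slice(0, MAX_LEN).join('') : s;
}

// Reduce a parsed upload to headers plus clamped samples; no row object survives.
// Assumption: the first MAX_SAMPLES non-empty cells of each column serve as its samples.
function clampForSchemaOnly(upload) {
  const columns = upload.columns.map((name, idx) => {
    const samples = [];
    for (const row of upload.rows) {
      if (samples.length >= MAX_SAMPLES) break;
      const cell = row[idx];
      if (cell === null || cell === undefined || cell === '') continue;
      samples.push(truncate(cell));
    }
    return { name, samples };
  });
  return { columns };
}

// Edge guard (assumed): refuse to forward any payload that still carries row-level content
// or exceeds the sample count / length limits, so the clamp cannot be bypassed by a different code path.
function isSchemaOnly(payload) {
  if (!payload || typeof payload !== 'object' || 'rows' in payload) return false;
  if (!Array.isArray(payload.columns)) return false;
  return payload.columns.every(
    (c) => typeof c.name === 'string' && Array.isArray(c.samples)
      && c.samples.length <= MAX_SAMPLES
      && c.samples.every((s) => typeof s === 'string' && Array.from(s).length <= MAX_LEN));
}
```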

6. Infrastructure

  • Compute & hosting. Vercel (Frankfurt region primary, Dublin secondary).
  • DNS & edge. Cloudflare with EU PoPs preferred.
  • Account database. Supabase EU instance (Ireland) with point-in-time recovery enabled.
  • Billing. Stripe Payments Europe Ltd. (Ireland).
  • Email. Cloudflare Email Routing for transactional delivery; SPF, DKIM, and DMARC enforced.

All hosting providers above hold SOC 2 Type II reports; copies are available on request from each provider under NDA.


7. Compliance

  • SOC 2 Type II — observation window in progress; first attestation report expected before the end of the current fiscal year.
  • GDPR-aligned. Standard Contractual Clauses incorporated by reference in our DPA; subprocessor list maintained publicly.
  • nFADP-aligned. The Swiss Federal Act on Data Protection 2020 is treated as equivalent to GDPR for the purposes of customer obligations.
  • HIPAA-eligible via PHI Gateway. Customers requiring HIPAA coverage route full-data calls through PHI Gateway under a signed BAA; the BAA covers AdaptivMapr's role as a downstream agent.
  • CCPA / CPRA. We do not sell or share personal data within the meaning of California law.

8. Vulnerability disclosure

We welcome reports from security researchers. Please email security@adaptivmapr.com with:

  • A description of the issue and its potential impact;
  • Reproduction steps or a minimal proof of concept;
  • Your preferred attribution and contact for follow-up.

We commit to:

  • Acknowledging receipt within 2 business days;
  • Providing a triage status within 5 business days;
  • Coordinating disclosure within a 90-day window under a responsible-disclosure policy;
  • Not pursuing legal action against researchers acting in good faith and within the scope of this policy.

Out of scope: denial-of-service attacks, social engineering of AdaptivMapr personnel, physical attacks, and findings on third-party SaaS subprocessors (please disclose to the relevant vendor).


9. Incident response

  • RTO target. 4 hours for the public API and dashboard.
  • RPO target. 1 hour for the account database; near-zero for stateless API requests (idempotent retries supported).
  • Customer notification. We notify affected customers of any confirmed Personal Data Breach within 72 hours, consistent with our DPA Article 11.
  • Status page. Active incidents are surfaced at status.adaptivmapr.com; subscribe to receive email or webhook notifications.
  • Post-incident reviews. Customer-affecting incidents receive a written post-incident review within 10 business days, shared with affected customers.

10. Subprocessors

Our current list of subprocessors is maintained at /legal/dpa#subprocessors. New subprocessors are announced at least 30 days in advance.


11. Contact

Security disclosures: security@adaptivmapr.com. Data protection requests: dpo@adaptivmapr.com. General contact: hello@adaptivmapr.com.

© 2026 AdaptivMapr