Security

Mighty is designed to screen untrusted documents, images, and extracted text before regulated workflows trust them. This page summarizes the hosted service posture at a practical level; deployment-specific controls are confirmed during security review.

Infrastructure Security

Cloud Infrastructure

Hosted Mighty deployments use cloud infrastructure with security controls appropriate for API-based document scanning:

• Network segmentation appropriate to the deployment
• Rate limiting and abuse controls where configured
• Cloud-provider protections for availability and traffic handling
• Security review for customer-specific deployment posture

Enterprise Deployment Review

For enterprise customers, deployment, processing, and retention controls can be reviewed during procurement and security diligence.

Application Security

Secure Development

• Security-focused review for sensitive code paths
• Dependency vulnerability review
• Secrets handling and environment separation
• Deployment review before production rollout

Authentication & Authorization

• API key authentication for scan requests
• Team access controls in the dashboard
• API key rotation and revocation workflows
• SSO and MFA requirements reviewed for enterprise deployments

Data Protection

Processing Guarantees

When you send content through our API for scanning:

• Scan content is processed for the purpose of returning a result
• Retention settings should be configured and documented by deployment
• No content is used for model training without explicit consent
• Audit logs capture metadata only, not content (configurable)

Data Isolation

We implement strict data isolation between customers:

• Tenant-aware API key namespaces
• Access controls for dashboard and API usage
• Audit metadata separated by customer context
• Data isolation reviewed as part of deployment diligence

Abuse Prevention

We monitor for abuse, fraud, and service disruption attempts. We may throttle, block, or suspend access to protect customers and our infrastructure.

Responsible Disclosure Policy

We value the security research community and welcome responsible disclosure of vulnerabilities. If you discover a security vulnerability in Mighty, please report it to us responsibly. We aim to acknowledge reports promptly and work with you to understand and resolve the issue.

Reporting a Vulnerability

Please send vulnerability reports to security@trymighty.ai. Include the following in your report:

• Description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any proof-of-concept code or screenshots
• Your contact information for follow-up

What We Ask

• Give us reasonable time to investigate and fix the issue before public disclosure
• Do not access, modify, or delete data belonging to other users
• Do not perform actions that could impact service availability
• Do not use automated scanning tools that generate excessive traffic

What We Promise

• Acknowledge good-faith reports promptly
• Provide regular updates on our progress
• Credit you in our security acknowledgments (if desired)
• Not pursue legal action against good-faith security researchers

Security Updates

We notify customers of material security updates that affect their use of the hosted service. Critical fixes are prioritized based on severity, exploitability, and customer impact.

Contact

For security-related inquiries or to report a vulnerability:

Email: security@trymighty.ai

PGP Key: Available upon request

For general inquiries, please contact hi@trymighty.ai.