Trust

Security overview

LAST UPDATED · 17 JULY 2026

This page describes how Mithrandir approaches security — in the product we are building and on this website — and how to reach us about a vulnerability. We are an early-stage company; everything below is written to be verifiable, not aspirational. Where something is planned rather than shipped, it says so.

1. How Mithrandir handles access

Most enterprise AI systems retrieve everything and then instruct the model to be discreet about what it shows. Prompt-level rules can be argued with. Mithrandir's access control is structural: permissions define what the system can retrieve for a given user, before any model is involved.

  • Restricted content never enters the model's context. Information a user is not cleared for is never assembled into the prompt, so no jailbreak or paraphrase can extract what was never there.
  • Answers are complete per clearance level. Two people asking the identical question each get an answer that is complete for their access level — not an error, not a redaction, and never a leak.

This is a description of the product's architecture, not a certification. Design partners can verify these properties directly against their own data during onboarding.

2. What this website stores

This site is a landing page with a waitlist. The full picture:

  • Waitlist entries — your email, an optional note, and a timestamp, stored in Supabase. The site talks to the database with an insert-only key under row-level security: the public API can add an entry but cannot read the list back (only an aggregate count).
  • IP addresses — processed transiently for rate limiting (Upstash). Not stored with your waitlist entry.
  • Analytics — Vercel Analytics, which is cookieless and does not track you across sites.
  • Email — Resend sends a single welcome email when you join; replies go to a founder's inbox.

Details on your rights and data handling are in the Privacy Policy.

3. Security measures on this site

  • HTTPS everywhere with HSTS (preload, includeSubDomains), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict referrer policy, and a restrictive permissions policy.
  • Insert-only row-level security on the waitlist table — no read, update, or delete path from the public API.
  • Per-IP rate limiting on form submissions.
  • No accounts, sessions, or authentication surface on this site at all.

4. Deployment model

Mithrandir is being designed so that your knowledge does not have to leave your infrastructure: deployment inside your own VPC or fully self-hosted is part of the product direction we are shaping with early design partners. If your organization has hard requirements here, tell us — this is exactly the stage where they influence the architecture.

5. Compliance roadmap

We are pre-launch and hold no security certifications today — we will not claim otherwise. SOC 2 is on the roadmap for after launch, and we are building logging, access review, and change management practices with that audit in mind from the start.

6. Reporting a vulnerability

If you believe you have found a security issue on this site or in anything we ship, email trymithrandir@gmail.com. We read every report and will acknowledge yours within a few business days. Machine-readable details live at /.well-known/security.txt. We do not run a bug bounty program yet; we still want to hear from you, and we will credit you if you would like.

7. Contact

Security questions from your team — CISO review, vendor assessment, questionnaires? Email trymithrandir@gmail.com and a founder will answer directly.

← Back to home