Security
Last updated: June 25, 2026
Enzonic LLC takes the security of MAI seriously. This page describes the technical and organizational measures we employ.
1. Encryption
- TLS 1.3 for all client and backend traffic.
- AES-256-GCM for sensitive data at rest (custom API keys, mod sandboxes, voice transcripts).
- Per-tenant data encryption keys with KMS-managed rotation.
2. Authentication
- Clerk-managed sessions with short-lived JWTs.
- Optional MFA via TOTP and WebAuthn.
- OAuth providers (Microsoft, Google, GitHub, Discord) used in conjunction with Clerk's session model.
- Suspicious-login detection and device fingerprinting.
3. Network and infrastructure
- Cloudflare DDoS protection and WAF on all public endpoints.
- Network segmentation: bot runtime, web tier, database, and mod sandboxes run in separate VPCs.
- No inbound ports open on the bot runtime; outbound-only connections to the Minecraft server.
- Mod sandboxes run in gVisor-isolated containers with read-only filesystems.
4. Application security
- All inputs are validated against a strict schema.
- Database queries are parameterized (Supabase + PostgREST).
- Per-bot rate limits on chat, POV, training, and mod uploads.
- CSRF protection on all state-changing endpoints.
- Dependency scanning via Snyk and Dependabot on every PR.
5. Operational security
- SOC 2 Type II controls (in progress; report available on request under NDA).
- Background checks for all personnel with production access.
- Annual third-party penetration test.
- Quarterly tabletop exercises simulating ransomware and insider threats.
6. Vulnerability disclosure
Report suspected vulnerabilities to security@enzonic.com. Use our PGP key (fingerprint on the page). We acknowledge within 24 hours and provide remediation timelines within 72 hours.
7. Bug bounty
We offer monetary rewards for valid reports of critical and high-severity issues. Scope, rules, and reward tiers are available at enzonic.com/security/bounty.
8. Compliance
- GDPR — Data Processing Addendum at /legal/data-processing
- CCPA — California Consumer Privacy Act disclosures in our Privacy Policy
- COPPA — We do not knowingly serve users under 13.
9. Backups and recovery
We take encrypted daily backups with 30-day retention. Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 1 hour. Backups are stored in a separate region from primary infrastructure.
10. Audit logging
All authentication events, billing changes, and configuration changes are logged with cryptographic chaining. Logs are retained for 1 year and available to customers on request.