Last updated: 29 June 2026 · For customer and security-review use
Mastt AI turns meeting transcripts and email into structured minutes, tasks and actions for construction owner's representatives. This one-pager summarises how we protect customer data.
Hosting & infrastructure
- Hosted entirely on Microsoft Azure in a United States region. No customer data is stored or processed outside this region by us.
- Compute runs on Azure Container Apps; structured data on Azure Database for PostgreSQL (Flexible Server); uploaded files on Azure Blob Storage.
- We inherit Azure's physical, network and platform controls. Azure itself is independently certified (SOC 1/2/3, ISO 27001/27017/27018, and others); these underpin our infrastructure layer.
- Infrastructure is defined in code and built from a hardened container image that contains no embedded secrets or credentials.
Encryption
- In transit: all connections are served over HTTPS/TLS (1.2+). Plain-HTTP traffic is redirected to HTTPS. Connections to the database and to Azure Blob Storage are TLS-encrypted.
- At rest: all stored data — database and file storage — is encrypted using Azure-managed AES-256 encryption.
- Application-layer: third-party integration credentials (OAuth tokens) are additionally sealed with AES-256-GCM before storage, with a unique initialisation vector per record and authentication-tag verification on read.
Identity & access control
- Authentication is handled by a maintained auth framework. Passwords are salted and hashed one-way; a minimum length is enforced and plaintext passwords are never stored.
- Sessions use HTTP-only, secure, SameSite cookies, expire after 30 days and refresh daily.
- Role-based access control (owner / admin / member) is enforced server-side.
- Every authenticated route and server action passes through a single authorisation gate, so access checks are applied uniformly rather than per-endpoint.
Tenant data isolation
- Multi-tenant architecture with row-level isolation by organisation. Every record is scoped to an organisation ID, and queries are filtered by the authenticated user's organisation on the server — a user cannot read or write another organisation's data.
Application security
- SQL injection: all database access uses parameterised queries via an ORM; no string-concatenated SQL.
- Cross-site scripting: user-supplied content is escaped and rendered through a tag/URL allowlist (rejecting javascript:, data: and similar schemes).
- OAuth integration flows use signed state with constant-time signature verification to prevent forgery and CSRF.
- Secrets (API keys, signing keys) are supplied via environment configuration, never committed to source control or baked into images.
- Code is linted and type-checked in CI on every change.
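
The signed OAuth state with constant-time verification described in this section, shown as an added example that is not Mastt's own code. The payload fields, the ten-minute lifetime, the session binding, and the use of Python with HMAC-SHA256 are assumptions, since this page does not name the stack or the state format.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: a real deployment loads this key from environment configuration.
STATE_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 600  # assumed lifetime of an in-flight authorisation

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_state(session_id, key=STATE_KEY, now=None):
    """Build the `state` value sent to the OAuth provider."""
    payload = json.dumps({
        "sid": session_id,               # binds the flow to one browser session
        "nonce": secrets.token_hex(16),  # makes every state value unique
        "iat": int(time.time() if now is None else now),
    }, separators=(",", ":")).encode()
    return b64(payload) + "." + b64(mac(payload, key))

def verify_state(state, session_id, key=STATE_KEY, now=None):
    """Check the `state` returned on the callback; False on any failure."""
    try:
        payload_b64, sig_b64 = state.split(".")
        payload, sig = unb64(payload_b64), unb64(sig_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return False
    # Constant-time comparison: response time does not reveal how many
    # leading bytes of a guessed signature were correct.
    if not hmac.compare_digest(sig, mac(payload, key)):
        return False
    claims = json.loads(payload)  # parsed only after the signature checks out
    age = (time.time() if now is None else now) - claims["iat"]
    if not 0 <= age <= MAX_AGE_SECONDS:
        return False  # stale or future-dated state
    # A validly signed state issued to a different session is rejected here,
    # which is the check that stops a cross-site request completing the flow.
    return hmac.compare_digest(claims["sid"].encode(), session_id.encode())
```
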
Resilience & backups
- Azure Database for PostgreSQL provides automated backups with point-in-time restore, managed and geo-redundant within the US region per Azure's service configuration.
- Uploaded files are stored with Azure Blob Storage's built-in durability and redundancy.
AI / LLM processing
- Assistant and minutes/task generation call Anthropic's Claude API directly (current models: Claude Sonnet 4.6 and Claude Opus 4.7). Available models will update in line with Anthropic releases.
- Document semantic search uses Google's Gemini API directly to embed uploaded PDF pages and images, and to read (OCR) scanned PDFs. This runs only when enabled; without it, search falls back to keyword matching.
- Both are called over TLS with no third-party AI gateway or proxy. Neither Anthropic nor Google trains its models on the inputs or outputs of these API calls.
- See the Data Privacy Overview for exactly what data is sent to each model.
Monitoring & change management
- Application audit logging records key state changes (who did what, to which record). Platform diagnostics and logs are available through Azure.
- Changes ship through version control with peer review and automated checks.
- We run internal security reviews of the codebase and remediate findings on a risk-prioritised basis.
Security contact: security@mastt.com · Report a vulnerability to the same address.