Security is a precondition for everything else Minima Technologies, Inc. ("Minima") does. This page describes the controls we have in place today and the practices we commit to as the platform grows. It is intentionally specific so that customers, auditors, and security researchers can hold us to it.

Encryption

Data in transit and at rest

All traffic between your client and Minima is encrypted in transit using TLS 1.2 or higher. Internal service-to-service traffic between our application servers, databases, and worker fleet runs over authenticated, encrypted channels.

Data at rest is encrypted by our underlying providers. Convex stores your canonical project data on AWS infrastructure with disk-level encryption. Worker disks on Fly.io are encrypted, and object storage for rendered media uses server-side encryption. Payment data is held by Stripe; we never store raw card numbers.

Authentication

How accounts are protected

Minima uses Better Auth for sign-in. We support modern, phishing-resistant methods alongside familiar OAuth providers, and we hash every API key before storing it.

  • OAuth sign-in with Google, Apple, and GitHub. We request only the email, profile, and openid scopes needed to identify you.
  • Passkeys (WebAuthn) for password-free, phishing-resistant sign-in on supported devices.
  • Multi-factor authentication available on every account; required for organization administrators.
  • Hashed API keys: secret values are shown once at creation and stored only as a hash. Lost keys must be rotated.

Access control

Who can see what

Production access to systems holding customer data is restricted to a small number of named engineers. Access is granted on a least-privilege basis and reviewed regularly.

  • Role-based access control for organization members, with admin, editor, and viewer roles.
  • Audit logging for administrative actions on customer content and for API-key creation, rotation, and deletion.
  • Least-privilege production access: engineers access customer data only when necessary to investigate a support request, debug a defect, or respond to an incident.
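
The "Hashed API keys" bullet under Authentication and the audit-logging bullet above describe one pattern: mint a high-entropy secret, show it once, persist only a hash, verify with a constant-time comparison, and record creation, rotation and deletion as audit events. The Python below is an added illustration of that pattern, not Minima's code; the `mk_` prefix, the `id.secret` layout and the in-memory store are constructed assumptions, since the page does not describe the real key format or database.

```python
"""Opaque API keys stored only as hashes, with constant-time verification.

Added illustration of the pattern described on the page; not Minima's code.
The key format (prefix, id, secret) and in-memory store are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Optional

KEY_PREFIX = "mk_"  # constructed prefix; the real format is not on the page


def _digest(plaintext: str) -> str:
    # API keys are high-entropy random strings, so a fast hash is adequate here;
    # slow password hashes (bcrypt, scrypt) exist to protect low-entropy input.
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def _key_id(presented: str) -> Optional[str]:
    # The public id is the part between the prefix and the first dot.
    if not presented.startswith(KEY_PREFIX) or "." not in presented:
        return None
    return presented[len(KEY_PREFIX):].split(".", 1)[0]


class ApiKeyStore:
    """In-memory stand-in for the table that would hold key hashes."""

    def __init__(self) -> None:
        self._records: dict[str, dict] = {}           # key_id -> hash, owner, revoked
        self.audit_log: list[tuple[str, str]] = []    # (event, key_id)

    def create(self, owner: str) -> str:
        """Mint a key, store its hash, and return the plaintext exactly once."""
        key_id = secrets.token_hex(6)          # public lookup handle, 48 bits
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy
        plaintext = f"{KEY_PREFIX}{key_id}.{secret}"
        self._records[key_id] = {
            "hash": _digest(plaintext),        # plaintext is never persisted
            "owner": owner,
            "revoked": False,
        }
        self.audit_log.append(("api_key.created", key_id))
        return plaintext

    def verify(self, presented: str) -> Optional[str]:
        """Return the owning account for a valid, unrevoked key, else None."""
        key_id = _key_id(presented)
        record = self._records.get(key_id) if key_id else None
        if record is None or record["revoked"]:
            return None
        # Constant-time comparison so response timing does not leak how many
        # leading digest characters matched.
        if not hmac.compare_digest(record["hash"], _digest(presented)):
            return None
        return record["owner"]

    def revoke(self, key_id: str) -> bool:
        """Mark a key as deleted; the lost-key case on the page ends here."""
        record = self._records.get(key_id)
        if record is None or record["revoked"]:
            return False
        record["revoked"] = True
        self.audit_log.append(("api_key.deleted", key_id))
        return True

    def rotate(self, presented: str) -> Optional[str]:
        """Replace a valid key with a fresh one; the old plaintext stops working."""
        owner = self.verify(presented)
        if owner is None:
            return None
        old_id = _key_id(presented)
        self._records[old_id]["revoked"] = True
        self.audit_log.append(("api_key.rotated", old_id))
        return self.create(owner)


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.create("alice")          # the only time the plaintext is visible
    print("verify:", store.verify(key))  # alice
    new_key = store.rotate(key)
    print("old key after rotate:", store.verify(key))      # None
    print("new key after rotate:", store.verify(new_key))  # alice
    print("audit:", store.audit_log)
```

Because the stored value is a SHA-256 digest of the full key, a database read gives an attacker nothing usable, and support staff cannot "look up" a customer's key; the only remedy for a lost key is rotation, which is what the page states. The public `key_id` lets the lookup and the audit entries identify a key without ever logging its secret.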

Infrastructure

Where Minima runs

We rely on a small set of well-understood, security-mature providers. Each is bound by a Data Processing Agreement.

  • Convex hosts our primary database, real-time sync, and serverless functions on AWS.
  • Fly.io runs the AI worker pool and rendering pipelines (audio, image, video).
  • Stripe handles payments. Stripe is a PCI DSS Level 1 service provider; raw card data never touches Minima.
  • Cloudflare fronts our public surface for CDN and edge protection.

We deploy workers regionally as we expand. Once EU plans become available, EU customer traffic will be routed to EU regions, so that worker compute happens close to the user.

Incident response

What happens if something goes wrong

We maintain an incident response runbook covering detection, containment, forensic preservation, regulator notification, customer notification, and post-incident remediation. We rehearse it.

If a personal-data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of it, in line with Article 33 of the GDPR. Affected users will be notified without undue delay where the risk is high.

Responsible disclosure

Reporting a vulnerability

If you believe you have found a security issue in Minima, please email security@minima.dev with a clear description and reproduction steps. We aim to acknowledge reports within two business days.

In scope: the public Minima web app, the Minima API, the desktop downloads on this site, and any service running on a minima.dev domain. Out of scope: denial-of-service testing, social engineering of our staff or vendors, physical attacks, and automated scanner findings without a working proof of concept.

We will not pursue legal action against researchers who act in good faith, follow this scope, give us a reasonable opportunity to fix issues before public disclosure, and avoid accessing or exfiltrating data beyond what is needed to demonstrate the issue.

Compliance

Where we are today

Minima is an early-stage product. We do not yet hold our own SOC 2 or ISO 27001 certifications. We rely on certified vendors for the foundational layers — AWS, Stripe, our authentication and hosting providers — and we are tracking certification work as the company matures. We will update this page as that posture changes.

Security questions, vulnerability reports, and audit requests

Report a vulnerability: security@minima.dev