Security
Last updated: 12 May 2026
A non-technical overview of how we protect your dreams, your account, and your billing data. The full commitments live in section 1.12 of our Privacy Policy.
Encryption
- All traffic between you and Matins is encrypted with TLS 1.2 or higher.
- All data at rest is encrypted with AES-256.
- Audio captures are stored as encrypted objects with private access.
Access control
- The database enforces row-level security: a user can only read their own rows.
- Production access is limited to a small named engineering group.
- Multi-factor authentication is required for every administrative interface.
- All production access is audit-logged.
Secrets and keys
- API keys and credentials live in a managed secret vault.
- Secrets are never committed to source code or build artefacts.
- Keys are rotated on a regular schedule and immediately on suspicion of exposure.
Backups
- Encrypted backups run continuously with point-in-time recovery.
- Backups are stored in a separate region from the primary database.
- Deletions you make propagate to backups within 30 days.
Application security
- Every code change passes automated security scans before deployment.
- Inputs are validated server-side and rate-limited at the edge.
- We use a content-security policy and strict same-origin defaults.
- We do not embed third-party advertising scripts.
AI processing
- Dream content sent to language model providers (OpenAI, Google, Anthropic) is processed under no-training agreements. Your dreams are not used to train third-party models.
- We do not train our own models on your dream content.
Incident response
- A documented incident-response process is rehearsed each quarter.
- If a personal-data breach affects you, we will notify you within 72 hours of becoming aware of it, as required by UK GDPR.
Responsible disclosure
If you believe you have found a security vulnerability, please write to security@matins.ai. We respond within two working days and will credit you, with your permission, after a fix is shipped. Please do not test against other users' accounts or attempt to access data that is not yours.
Where to read the legal commitments
The contractual security commitments are listed in section 1.12 of our Privacy Policy. Sub-processors are listed at /sub-processors.