Mowt
FeaturesIntegrationsPricingMobileAbout
Start free trial

Security

Last updated: May 1, 2026

Security isn't just a feature—it's foundational to everything we build. Here's how we protect your data.

Infrastructure

Hosting:

  • AWS (eu-west-2 London region) with multi-AZ redundancy
  • All servers run in private subnets (no public internet access)
  • Load balancers handle SSL termination
  • Auto-scaling based on traffic

Network security:

  • VPC isolation with strict firewall rules
  • Only HTTPS connections allowed (TLS 1.3)
  • DDoS protection via AWS Shield
  • Rate limiting on all API endpoints

Data Encryption

In transit:

  • TLS 1.3 for all connections
  • HSTS enforced (browsers won't allow HTTP)
  • Certificate pinning in mobile apps

At rest:

  • AES-256 encryption for all databases
  • Encrypted backups stored in separate AWS region
  • Encryption keys rotated every 90 days
  • AWS KMS manages all encryption keys

Stripe data:

  • We never store credit card numbers (Stripe handles that)
  • Stripe tokens are encrypted separately
  • Read-only API access (we can't create charges)

Access Controls

Authentication:

  • Bcrypt password hashing (cost factor: 12)
  • 2FA required for all team accounts
  • Session tokens expire after 7 days of inactivity
  • OAuth 2.0 for Stripe connections

Team permissions:

  • Role-based access control (Admin, Member, Viewer)
  • Audit logs track who accessed what and when
  • Admins can revoke access instantly

Employee access:

  • Mowt staff cannot access your data without permission
  • Support requests require explicit consent
  • All access is logged and reviewed monthly
  • Engineers use separate staging environments

Application Security

Code practices:

  • Input validation on all forms and API requests
  • Parameterized SQL queries (no SQL injection)
  • CSRF tokens on all state-changing requests
  • Content Security Policy headers prevent XSS

Dependencies:

  • Automated vulnerability scanning (Snyk)
  • Dependencies updated weekly
  • Critical patches deployed within 24 hours
  • We don't use abandoned packages

Testing:

  • Annual penetration tests by third-party firms
  • Bug bounty program for security researchers
  • Automated security tests in CI/CD pipeline

Monitoring & Response

24/7 monitoring:

  • Real-time alerting for anomalous activity
  • Failed login attempts trigger rate limits
  • Unusual API usage gets flagged automatically
  • Uptime monitoring from 5 global locations

Incident response:

  • Security team on-call 24/7
  • Incident response plan tested quarterly
  • We'll notify you within 72 hours of any breach
  • Post-mortems published for major incidents

Data Backups

Backup strategy:

  • Continuous database replication to separate region
  • Daily encrypted snapshots (retained for 30 days)
  • Weekly full backups (retained for 1 year)
  • Restore testing performed monthly

Disaster recovery:

  • RTO (Recovery Time Objective): 4 hours
  • RPO (Recovery Point Objective): 15 minutes
  • Failover to backup region is automated

Compliance

Standards:

  • SOC 2 Type II audit completed, with continuous annual re-certification
  • GDPR compliant (full UK GDPR adherence)
  • UK Data Protection Act 2018 compliant
  • PCI DSS Level 1 via Stripe (we don't handle cards)

Data residency:

  • All data stored in AWS eu-west-2 (London) by default
  • Data processing agreements available on request
  • UK and EU data sovereignty maintained

Vulnerability Disclosure

Found a security issue? We want to know.

Report vulnerabilities to: security [at] mowt.com

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Your contact information (for follow-up)

We commit to:

  • Acknowledge your report within 24 hours
  • Provide a fix timeline within 7 days
  • Credit you in our security hall of fame (if you want)
  • Not pursue legal action for good-faith research

Bug bounty:

  • Critical issues: $500-$2,000
  • High severity: $100-$500
  • Medium severity: $50-$100

Third-Party Services

We only work with security-conscious vendors:

Stripe: Payment processing & data source

AWS: Infrastructure & hosting

MailerLite: Transactional emails

Sentry: Error tracking (sanitized logs only)

All vendors sign data processing agreements and undergo security reviews.

Employee Security

Background checks:

  • All employees undergo background checks
  • Security training required before data access
  • Annual security refresher courses

Device security:

  • Company laptops with full-disk encryption
  • MDM (Mobile Device Management) on all devices
  • Automatic screen locks after 5 minutes
  • Lost devices can be remotely wiped

Offboarding:

  • Access revoked immediately upon termination
  • All accounts and tokens invalidated
  • Company devices collected

Your Responsibilities

We handle security on our end, but you play a role too:

  • Use strong passwords: 12+ characters, unique to Mowt
  • Enable 2FA: Protects against password leaks
  • Review team access: Remove former employees promptly
  • Monitor audit logs: Check for suspicious activity
  • Report issues: Email security [at] mowt.com if something looks off

Questions

Security questions? Email security [at] mowt.com

Want a deeper dive? Request our security whitepaper at security [at] mowt.com

Security is a team effort. We'll keep your data safe—you keep your account secure.