Trust Center
How Muzings protects your data. Each control below is marked Live, In progress, or Planned — we publish the honest state, not the aspirational one.
Last updated: 2026-06-08
Mapping is not certification. Where we say a framework is “mapped” or “aligned,” we mean our controls correspond to it — not that an external auditor has certified us. See the framework table at the bottom.
Security
- Transport security (TLS + HSTS)Live
HTTPS everywhere via Let’s Encrypt; HSTS (max-age 1 year, includeSubDomains) enforced at the proxy on every response. Run the live SSL Labs scan below any time to confirm.
Maps to: SOC 2 CC6 · ISO 27001 A.8
- Browser hardening headersLive
X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy set at the proxy on every response — including 4xx/5xx error pages.
Maps to: SOC 2 CC6
- Content-Security-PolicyLive
Per-request nonce CSP enforced in production on Content-Security-Policy (not Report-Only); genuine violations still stream to /csp-report. Confirm with the live header scans below.
- Managed identity providerLive
Authentication delegated to AWS Cognito; we never store password hashes ourselves.
Maps to: SOC 2 CC6 · ISO 27001 A.5.16
- Tenant isolationIn progress
Postgres row-level security keyed on organization id, enforced in every data query.
Maps to: SOC 2 CC6 · ISO 27001 A.8.3
- Encryption at restLive
All data is encrypted at rest. Upload buckets (content + audio) use S3 server-side encryption (SSE-S3, AES-256) alongside blocked public access and versioning; the database (RDS) is encrypted with AWS-managed keys. A dedicated customer-managed KMS key (CMK) for the upload buckets is planned. Verifiable via the bucket-encryption checks in our runbook.
Maps to: SOC 2 CC6 · ISO 27001 A.8.24
- Upload validationLive
One server-side validator on every upload route: magic-byte sniffing, active-content scans, filename sanitisation.
- Centralised secret managementLive
All secrets load from AWS Secrets Manager via a single loader; none in source or env files.
Maps to: SOC 2 CC6 · ISO 27001 A.8.24
- Append-only audit trailPlanned
Every privileged action writes an immutable audit row; retained 7 years.
Maps to: SOC 2 CC7 · ISO 27001 A.8.15
Privacy
- GDPR / CCPA-aligned privacy policyIn progress
Published data categories, legal bases, retention windows, and data-subject rights.
Maps to: GDPR · CCPA
- Subprocessor transparencyIn progress
Public list of every third party that processes user data, with purpose and region.
Maps to: GDPR Art. 28
Verify it yourself
We link live third-party scans rather than logos — logos can be faked, live scans cannot. Each link below runs a fresh scan of app.muzings.ai, so it always reflects our current posture. Transport security, the hardening headers, and our per-request nonce Content-Security-Policy are all live and enforced (see the badges above) — we publish the live result rather than a screenshot of a better day.
- SSL Labs — TLS configuration & certificate
- Mozilla HTTP Observatory — Response security headers
- SecurityHeaders.com — Response security headers
Framework mapping
| Framework | Status |
|---|---|
| SOC 2 Type II | Not certified. Controls mapped; no audit report issued yet. |
| ISO/IEC 27001 | Not certified. Controls mapped. |
| GDPR / UK GDPR / CCPA | Aligned. Evidenced by this Privacy Policy and the subprocessor list. |
Related
Privacy Policy · Subprocessors
Security questions or vulnerability reports: hello@muzings.ai.