
Security overview

Mushi handles raw bug reports — screenshots, console logs, source code hints, sometimes user PII. The security model is layered and documented:

  • Bring-your-own-key — keep model keys in your own Anthropic / OpenAI account. We never see them in plaintext.
  • Data residency — pick US, EU, or JP at project creation; the SDK auto-routes via DNS.
  • BYO storage — pin screenshots into your own S3 / R2 / GCS / MinIO bucket.
  • SOC 2 readiness — retention, DSAR, evidence snapshots, audit log all built in.
  • Prompt-injection defence — the vision-safe multimodal sanitizer + the regression suite that keeps it honest.

Every Edge Function uses the (SELECT auth.uid()) subquery form in RLS, indexes every policy column, and verifies coverage nightly via mushi_rls_coverage_snapshot().
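
The policy pattern described above, as an added example (not Mushi's own schema or code). It assumes a Supabase-style Postgres where auth.uid() and the authenticated role exist; the table, column, policy and index names are hypothetical, and the final query is a generic catalog check, not the body of mushi_rls_coverage_snapshot().

```sql
-- Constructed example: every object name below is hypothetical.
create table reports (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  body     text
);

-- Without this, any role with table privileges reads every row.
alter table reports enable row level security;

-- Bare-call form, shown for contrast only: auth.uid() can be
-- re-evaluated for each candidate row during a scan.
--   create policy reports_owner_read on reports
--     for select using (owner_id = auth.uid());

-- Subquery form: the planner hoists (select auth.uid()) into an
-- InitPlan, evaluates it once per statement and compares the
-- cached value against each row.
create policy reports_owner_read on reports
  for select to authenticated
  using (owner_id = (select auth.uid()));

-- Index the column the policy filters on so the comparison can use
-- an index scan instead of a sequential scan.
create index reports_owner_id_idx on reports (owner_id);

-- Generic coverage check over the system catalogs: list tables in
-- the public schema that either have RLS disabled (rows exposed to
-- any role holding table privileges) or have RLS enabled with no
-- policy (default deny, usually an unfinished migration).
select c.relname         as table_name,
       c.relrowsecurity  as rls_enabled,
       count(p.polname)  as policy_count
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public'
  and c.relkind = 'r'
group by c.relname, c.relrowsecurity
having not c.relrowsecurity or count(p.polname) = 0
order by c.relname;
```

An empty result from the last query means every ordinary table in the schema has RLS enabled and at least one policy attached.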
