Security

Security without trust theater.

We publish what we actually do, not what would look good on a brochure. If you need something we have not documented, ask us.


Why this page exists

Owning your community means owning the security story too.

If your community is on a platform you rent, the security story is whatever the landlord says it is. You cannot audit it. You cannot question it. You inherit their breaches. On Mobieus you own the community, which means you also get to see — and ask about — how it is protected. Pair this page with data ownership for the full posture.

Architecture

How tenants are isolated.

Per-tenant database

Every tenant has a dedicated database. The request connects to that database before any controller runs. Cross-tenant queries are structurally impossible because there is no API to switch DBs mid-request.

API key isolation

Keys are stored as SHA-256 hashes in the tenant DB. Constant-time comparison on lookup. A key minted on tenant A cannot authenticate to tenant B even on the same control plane.

Sovereign means dedicated

Sovereign tenants run on a private dedicated VM with no shared tenancy. Network, storage, and compute are yours.

Controls

What runs in production.

WAF + ModSecurity

Web Application Firewall in front of every tenant. Daily digest of blocked requests posted to the admin system-log forum.

Encryption in transit + at rest

TLS 1.2+ on every public endpoint. Database storage encrypted at rest. HSTS preload.

Audit logging

Audit log on every admin action (create, update, delete, role change). Append-only. Sovereign tenants get the audit log on the dedicated server.

SSRF + DNS-rebind protection

Outbound webhooks rejected from loopback, RFC1918, link-local, IPv6 unique-local, and the cloud metadata endpoint. Re-checked at every delivery to defeat DNS rebinding.
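As an added illustration, not Mobieus code, the check described above in Python: resolved addresses are screened against the listed ranges, the screen is repeated on every delivery, and the vetted address is handed straight to the sender. The hostname, the constructed `RebindingResolver`, and all function names are assumptions for the example.

```python
import ipaddress

# Ranges a webhook may not target, mirroring the page's list: loopback, RFC1918,
# link-local (covers the 169.254.169.254 metadata endpoint), IPv6 unique-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "fe80::/10", "fc00::/7")]

def is_blocked(ip_str: str) -> bool:
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so it cannot dodge the IPv4 rules.
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def check_webhook_host(host: str, resolve) -> list[str]:
    # Every resolved record must be public; a mixed answer is rejected outright.
    addrs = resolve(host)
    bad = [a for a in addrs if is_blocked(a)]
    if not addrs or bad:
        raise ValueError(f"{host}: unusable resolution {addrs}")
    return addrs

def deliver(host: str, resolve, send) -> str:
    # Re-resolve and re-check on every delivery (the DNS-rebind defense), then pass
    # the vetted IP to the sender so the HTTP client never resolves a second time.
    return send(check_webhook_host(host, resolve)[0])

class RebindingResolver:
    """Constructed hostile DNS: public answer for the first `flip_after` lookups,
    internal answer afterwards (stands in for a real resolver, so this runs offline)."""
    def __init__(self, first: str, later: str, flip_after: int = 2):
        self.first, self.later, self.flip_after, self.calls = first, later, flip_after, 0
    def __call__(self, host: str) -> list[str]:
        self.calls += 1
        return [self.first if self.calls <= self.flip_after else self.later]

def rebind_demo() -> list[str]:
    """Registration and first delivery pass; the rebound second delivery is refused."""
    resolve = RebindingResolver("93.184.216.34", "169.254.169.254")
    check_webhook_host("hooks.example", resolve)  # registration-time check
    results = []
    for _ in range(2):
        try:
            results.append(deliver("hooks.example", resolve, lambda ip: f"sent to {ip}"))
        except ValueError as exc:
            results.append(f"blocked: {exc}")
    return results

if __name__ == "__main__":
    print(rebind_demo())
```

A check at registration alone would have accepted the hostname; only the per-delivery re-check catches the changed answer.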

Rate limits everywhere

Per-IP, per-key, per-account, per-endpoint. Limits exposed via X-RateLimit headers on API responses.

Daily backups

Tenant databases backed up daily, 30-day retention. Sovereign tenants can request snapshots on demand.

Disclosure

If you find something.

Email [email protected] with a description and reproduction steps. We acknowledge within one business day. We do not pursue legal action against good-faith research.

Start when you are ready

Try Mobieus free for 14 days.

No credit card. Bring your own Stripe. Cancel any time. Your data stays yours.