Trust & Security: How MIR Protects Accounts and Data

MIR is designed to be a trustworthy reputation layer for the internet. That starts with how we protect your account and data. This page explains our security architecture for users, partners, and auditors.

No system can guarantee absolute security, but MIR is designed to reduce risk through layered, industry-standard protections.

Reputation signals are derived from clear, documented rules and human-designed criteria — not opaque automation. You retain visibility and control over how your reputation data is used, with an audit log of every partner query.

Governance & Decision Making

MIR is built on principles of transparency and human oversight. Your reputation is not determined by hidden algorithms or opaque scoring models.

Principles of Decision Making

How reputation is evaluated:

  • Transparent criteria — Reputation events and outcomes are governed by documented rules, not black-box models
  • Human-designed policies — Reputation outcomes are governed by documented, human-authored policies maintained by MIR, reviewed internally, and applied through explicit rules rather than automated inference
  • Auditable logic — The reasoning behind reputation tiers can be explained and reviewed in documented form
  • No profiling — MIR does not infer personal characteristics, behaviors, or traits beyond explicit, partner-reported events

External systems cannot alter your reputation without explicit linkage and audited purpose — ensuring fairness and accountability.

For a detailed explanation of how reputation events translate into outcomes, see our What to Expect page.

Authentication & Account Protection

MIR uses a multi-step, passwordless authentication flow that requires email ownership, device continuity, short-lived links, explicit user confirmation, and strict rate limiting. This layered design provides strong protection against automated abuse and accidental logins without relying on CAPTCHA challenges.

How Passwordless Login Works

When you sign in to MIR, we send a magic link to your email. This approach:

  • Eliminates password-related vulnerabilities (no passwords to leak, phish, or reuse)
  • Proves email ownership at every login
  • Works across all devices without remembering credentials

Defense Layers

Each login attempt passes through multiple security checks:

Email Ownership — Only the person with inbox access can receive the link

Short-Lived Links — Magic links expire in 10 minutes and can only be used once

Rate Limiting — Login requests are throttled per email and IP address to prevent abuse

Confirmation Step — After clicking the link, you must explicitly confirm the login

Device Context — We display approximate location and device information so you can verify the request is legitimate
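
The link lifecycle described above, as an added sketch rather than MIR's own code: a 10-minute, single-use token that is consumed only at the explicit confirmation step, with requests throttled per email and per IP. The class and method names, the 5-requests-per-15-minutes limit, and hashing tokens at rest are assumptions made for illustration.

```python
import hashlib
import secrets
import time

LINK_TTL = 10 * 60     # from the page: links expire in 10 minutes
MAX_REQUESTS = 5       # assumed limit per email and per IP
WINDOW = 15 * 60       # assumed rate-limit window, in seconds


def _digest(token):
    # Assumption: store only a hash so a leaked table yields no usable links.
    return hashlib.sha256(token.encode()).hexdigest()


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # sha256(token) -> (email, expiry)
        self.requests = {}   # ("email"|"ip", value) -> request timestamps

    def _throttled(self, key):
        now = self.clock()
        recent = [t for t in self.requests.get(key, []) if now - t < WINDOW]
        blocked = len(recent) >= MAX_REQUESTS
        if not blocked:
            recent.append(now)
        self.requests[key] = recent
        return blocked

    def request_link(self, email, ip):
        email = email.strip().lower()
        # Evaluate both limits (no short-circuit) so each counter is updated.
        if any([self._throttled(("email", email)), self._throttled(("ip", ip))]):
            return None
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (email, self.clock() + LINK_TTL)
        return token   # would be embedded in the emailed URL

    def preview(self, token):
        # Link click: show the confirmation page and consume nothing, so a
        # mail scanner that prefetches the URL cannot complete a login.
        rec = self.pending.get(_digest(token))
        return rec is not None and self.clock() < rec[1]

    def confirm(self, token):
        # Explicit confirmation: remove the record first, then check expiry.
        rec = self.pending.pop(_digest(token), None)
        if rec is None or self.clock() >= rec[1]:
            return None
        return rec[0]   # caller creates the session for this email
```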

Why No CAPTCHA?

CAPTCHAs create friction for legitimate users while sophisticated attackers can often bypass them. Our layered approach provides equivalent protection through:

  • Rate limiting that makes brute-force attacks impractical
  • Email verification that stops bots without inbox access
  • Confirmation steps that prevent accidental or automated logins

These measures do not eliminate all abuse, but they significantly reduce automated and accidental misuse without harming legitimate users.

Session Security

After login, your session is protected by:

  • Secure, HTTP-only cookies — Cannot be accessed by JavaScript or cross-site requests
  • Session expiration — Sessions expire after a period of inactivity
  • Session control — You can view, revoke, or end all sessions from your account

Partner API Security

Partners who integrate with MIR's API are held to strict security standards:

API Key Management

  • API keys are generated once and never stored in plain text
  • Keys are delivered through a one-time claim link that expires in 72 hours
  • Partners can rotate keys at any time through the dashboard
  • All API requests require HTTPS

Rate Limiting

  • All API endpoints are rate-limited to prevent abuse
  • Partners have configurable rate limits based on their tier
  • Automatic throttling protects against accidental overuse

Partner Attestations

Before receiving API access, partners must attest to:

  • Only submitting events for users who have linked their account
  • Using MIR data to inform decisions, not as the sole basis for denial
  • Deleting cached data within 24 hours in accordance with their agreement
  • Maintaining data security standards
  • Cooperating with user rights requests

Partner Constraints

Partners are explicitly prohibited from:

  • Automated profiling as sole basis — Partners cannot use external automated systems or opaque profiling tools as the sole basis for decisions affecting you
  • Unilateral reputation changes — Partners cannot alter your MIR reputation without your explicit account linkage and consent
  • Data combination without disclosure — Partners must disclose if they combine MIR data with other sources

These constraints ensure that MIR serves as a trust signal, not a gatekeeping mechanism controlled by any single party.

Audit & Transparency

You retain visibility and control over how your reputation data is used, with an audit log of every partner query.

Your Visibility

All reputation access by partners is logged and visible to you in your account dashboard. You can see:

  • Which partners queried your reputation
  • When the query occurred
  • The stated purpose of the query
  • What tier or signal was returned

This transparency ensures you always know who is using your reputation data and why.

Your Control

You maintain control over your reputation through:

  • Selective linking — You choose which partners can contribute to your reputation
  • Unlinking — You can disconnect partners at any time
  • Data requests — You can request a full export of your reputation data
  • Deletion — You can request deletion of your account and associated data

Security Audit Log

We maintain comprehensive internal logs of:

  • Authentication events
  • Account linking activities
  • Partner API usage
  • Administrative actions

These logs support accountability and enable investigation of any concerns about data misuse.

Data Protection

Encryption

  • In transit: All connections use TLS 1.2 or higher
  • At rest: Sensitive data is encrypted in our database
  • API keys: Stored as SHA-256 hashes, never in plain text
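
The key handling described under API Key Management and the SHA-256 storage listed above, as an added sketch that is not MIR's implementation: the key is returned once, only its digest is kept, and rotation invalidates the old key. The "example_<id>_<secret>" key format and all names here are hypothetical; an unsalted SHA-256 is adequate only because the secret is a long random value, not a user-chosen password.

```python
import hashlib
import hmac
import secrets


def _sha256(value):
    return hashlib.sha256(value.encode()).hexdigest()


class ApiKeyStore:
    """Keeps only SHA-256 digests; the plaintext key exists at issue time."""

    def __init__(self):
        self.digests = {}   # key_id -> (partner, sha256 hex of the full key)

    def issue(self, partner):
        key_id = secrets.token_hex(4)        # public part, used to find the row
        secret = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
        key = f"example_{key_id}_{secret}"   # hypothetical key format
        self.digests[key_id] = (partner, _sha256(key))
        return key                           # returned once, never stored

    def authenticate(self, presented):
        parts = presented.split("_", 2)
        if len(parts) != 3 or parts[0] != "example":
            return None                      # malformed key
        row = self.digests.get(parts[1])
        if row is None:
            return None                      # unknown or rotated-out key id
        partner, stored = row
        # Compare digests in constant time to avoid a timing side channel.
        ok = hmac.compare_digest(stored, _sha256(presented))
        return partner if ok else None

    def rotate(self, partner):
        # Drop every digest held for the partner, then issue a replacement.
        self.digests = {k: v for k, v in self.digests.items()
                        if v[0] != partner}
        return self.issue(partner)
```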

Minimal Data Collection

We collect only what's necessary:

  • Your email address for authentication
  • Linked account identifiers (not passwords or credentials)
  • Reputation events submitted by partners

Incident Response

In the event of a security incident:

  • Partners must report incidents involving MIR data without undue delay and no later than 48 hours after discovery
  • We will notify affected users promptly. Notification timelines are aligned with applicable legal and contractual requirements.
  • We maintain incident response procedures and conduct post-mortems

Contact

To report a security concern or ask questions about our security practices:

security@myinternetreputation.org