Trust & Security
Last updated: December 18, 2025
MIR is designed to be a trustworthy reputation layer for the internet. That starts with how we protect your account and data. This page explains our security architecture for users, partners, and auditors.
Authentication & Account Protection
MIR uses a multi-step, passwordless authentication flow that requires email ownership, device continuity, short-lived links, explicit user confirmation, and strict rate limiting. This layered design provides strong protection against automated abuse and accidental logins without relying on CAPTCHA challenges.
How Passwordless Login Works
When you sign in to MIR, we send a magic link to your email. This approach:
- Eliminates password-related vulnerabilities (no passwords to leak, phish, or reuse)
- Proves email ownership at every login
- Works across all devices without remembering credentials
Defense Layers
Each login attempt passes through multiple security checks:
- Email Ownership — Only the person with inbox access can receive the link
- Short-Lived Links — Magic links expire in 10 minutes and can only be used once
- Rate Limiting — Login requests are throttled per email and IP address to prevent abuse
- Confirmation Step — After clicking the link, you must explicitly confirm the login
- Device Context — We display browser and location info so you can verify the request is legitimate
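The layers above, as an added illustration written for this page rather than MIR's own code: a minimal magic-link service with the page's 10-minute expiry and single use, per-email and per-IP throttling, and a separate confirmation step so that merely opening the link does not complete a login. The throttle numbers (5 requests per 10-minute window), the hashed token store and the inspect/confirm split are assumptions for the example.

```python
import hashlib, secrets, time

LINK_TTL = 600      # magic links expire after 10 minutes (from the page)
MAX_REQUESTS = 5    # assumed: at most 5 link requests per key per window
WINDOW = 600        # assumed: 10-minute sliding throttle window


class MagicLinkService:
    def __init__(self, clock=time.time):
        self.clock = clock        # injectable clock for deterministic tests
        self._tokens = {}         # sha256(token) -> [email, expires_at, used]
        self._attempts = {}       # "email:..." / "ip:..." -> request timestamps

    def _throttled(self, key):
        # Sliding window: drop timestamps older than WINDOW, then count.
        cutoff = self.clock() - WINDOW
        recent = [t for t in self._attempts.get(key, []) if t > cutoff]
        self._attempts[key] = recent
        if len(recent) >= MAX_REQUESTS:
            return True
        recent.append(self.clock())
        return False

    def request_link(self, email, ip):
        # Throttle per email AND per source IP; None means "over limit".
        if self._throttled(f"email:{email}") or self._throttled(f"ip:{ip}"):
            return None
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a database leak does not expose live links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[digest] = [email, self.clock() + LINK_TTL, False]
        return token

    def _lookup(self, token):
        rec = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None or rec[2] or self.clock() > rec[1]:
            return None       # unknown, already used, or expired
        return rec

    def inspect(self, token):
        # Confirmation page: show the pending login without consuming the link,
        # so a mail client's link prefetch cannot complete a login by itself.
        rec = self._lookup(token)
        return None if rec is None else rec[0]

    def confirm(self, token):
        # Explicit user confirmation consumes the link exactly once.
        rec = self._lookup(token)
        if rec is None:
            return None
        rec[2] = True
        return rec[0]
```

In a real deployment the token store and attempt counters live in a shared database or cache rather than in-process memory, and the confirmation page is where the browser and location context from the "Device Context" layer is shown.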
Why No CAPTCHA?
CAPTCHAs create friction for legitimate users, while sophisticated attackers can often bypass them. Our layered approach provides equivalent protection through:
- Rate limiting that makes brute-force attacks impractical
- Email verification that stops bots without inbox access
- Confirmation steps that prevent accidental or automated logins
Session Security
After login, your session is protected by:
- Secure, HTTP-only cookies — Cannot be accessed by JavaScript or cross-site requests
- Session expiration — Sessions expire after a period of inactivity
- Single sign-out — You can end your session from any device
Partner API Security
Partners who integrate with MIR's API are held to strict security standards:
API Key Management
- API keys are generated once and never stored in plain text
- Keys are delivered through a one-time claim link that expires in 72 hours
- Partners can rotate keys at any time through the dashboard
- All API requests require HTTPS
Rate Limiting
- All API endpoints are rate-limited to prevent abuse
- Partners have configurable rate limits based on their tier
- Automatic throttling protects against accidental overuse
Partner Attestations
Before receiving API access, partners must attest to:
- Only submitting events for users who have linked their account
- Using MIR data to inform decisions, not as the sole basis for denial
- Deleting cached data within 24 hours
- Maintaining data security standards
- Cooperating with user rights requests
Audit & Transparency
Access Logging
All reputation access by partners is logged and visible to you in your account dashboard. You can see:
- Which partners queried your reputation
- When the query occurred
- The stated purpose of the query
Security Audit Log
We maintain comprehensive internal logs of:
- Authentication events
- Account linking activities
- Partner API usage
- Administrative actions
Data Protection
Encryption
- In transit: All connections use TLS 1.2 or higher
- At rest: Sensitive data is encrypted in our database
- API keys: Stored as SHA-256 hashes, never in plain text
Minimal Data Collection
We collect only what's necessary:
- Your email address for authentication
- Linked account identifiers (not passwords or credentials)
- Reputation events submitted by partners
Incident Response
In the event of a security incident:
- Partners must report incidents involving MIR data within 48 hours
- We will notify affected users promptly
- We maintain incident response procedures and conduct post-mortems
Contact
To report a security concern or ask questions about our security practices: