Security & data

Mephit runs on infrastructure we operate ourselves — application servers, primary database, and backups all sit on hardware we control. There is no public-cloud database provider in the path.

What we store, in plain English:

• Account row — email, hashed password (or OAuth identifier), display name, creation date.
• Conversations — every prompt, response, and tool call you make, scoped to your account so you can resume them.
• Project metadata — assets, tech-stack tags, goals, notes.
• Server registry — host, username, encrypted private key, last-test result.
• Command audit log — every run against a registered server, capped output.
• Billing rows — tier, period, invoice ids, crypto-payment metadata. No card numbers or wallet credentials ever touch us.

◈SSH private keys

AES-256-GCM with a fresh 12-byte IV per ciphertext and the standard 16-byte auth tag. The master key lives in SSH_KEY_ENCRYPTION_KEY(server env, 32 random bytes). The encrypted column is never returned to the client — only the platform’s SSH executor decrypts it, in memory, immediately before opening a connection.

◈Passwords

Hashed with a bcrypt-class algorithm. We never see your plaintext password.

◈In transit

TLS 1.3 across the public surface. Internal service hops run over our private network with mTLS where supported.

◈Webhooks

All inbound webhooks (billing, payments, monitor sources) are HMAC-signed and verified before being processed.

◈LLM inference

To answer your prompts we forward your messages and tool outputs to a third-party inference provider. They process the data under a Data Processing Agreement that prohibits training on API content. We don’t advertise the specific provider on marketing surfaces — the name is available on request for enterprise / compliance reviews.

◈OSINT and security data providers

When you run recon or threat-intel commands, the platform queries a curated set of third-party providers (passive DNS, certificate transparency, IP and URL reputation, malware sandboxes, breach indices, vulnerability advisories). Those requests carry only the indicator you submitted — a domain, IP, hash, email, CVE id. We do not pass your account email, identity, billing data, or chat history to any of them.

• The model never executes commands on your boxes. It proposes; you click Run.
• One-shot SSH connections per command. No persistent shells, no port-forwards, no agents on your machines.
• Hard limits: 10 s connect, 60 s exec (cap 300 s), 512 KB output per stream, 30 commands / minute / user.
• Destructive-pattern blocklist refuses common foot-guns unless explicitly confirmed. See the servers doc for the full list.
• Append-only audit log per run, scoped to your account.

• Account — until you delete it.
• Conversations — until you delete them, or after 24 months of inactivity.
• Tool-usage audit logs — 90 days.
• Command-run audit — 12 months on the row, output truncated to 16 KB after 30 days.
• Webhook event logs — 30 days.
• Billing records — 7 years (legal / tax obligation).

Deleting a conversation removes it from the active database within 24 hours and from backups within 30 days.

Standard GDPR / CCPA-equivalent rights apply: access, correction, deletion, export, objection, restriction, and the right to lodge a complaint with your data-protection authority. To exercise any of them, email [email protected]. We respond within 30 days. The full statement lives in the Privacy Policy.

If you find a security issue in Mephit itself, write to [email protected] with reproduction steps and impact. We acknowledge within one business day. We don’t run a paid bounty yet but credit reporters publicly with consent.