Security
How we protect your data and keep Mocksy secure.
Our Approach to Security
Security is important to us. While Mocksy is designed for mock test data (not real customer information), we still take protecting your account and generated data seriously.
Data Protection
Encryption
- In transit: All data is encrypted using HTTPS (TLS 1.2+)
- At rest: Data is stored on encrypted volumes provided by our hosting platform
- Passwords: User passwords are hashed using industry-standard algorithms
Access Controls
- Authentication required for all product features
- Role-based permissions (Admin and Member roles)
- API key authentication for programmatic access
- Session management with automatic timeout
Data Isolation
- Organisation-level data isolation enforced at the database level
- Users can only access data within their organisations
- API keys are scoped to specific organisations
- Strong separation between organisation data
Infrastructure Security
Mocksy is hosted using trusted cloud infrastructure providers. Our infrastructure includes:
- Secure, isolated compute environments
- Automatic security updates for underlying infrastructure
- DDoS protection
- Regular automated backups
Data is stored in PostgreSQL, and those automated backups cover the database.
API Security
Our API uses several security measures:
- API key authentication: Bearer token authentication for all API requests
- Resource permissions: API keys can be configured with specific access permissions
- Usage limits: Plan-based limits and abuse protection
- Request monitoring: Tracking to prevent excessive use
You can create, rotate, and revoke API keys at any time through the web interface.
Your Responsibilities
Security is a shared responsibility. You should:
- Use a strong, unique password for your account
- Keep your API keys secure and never commit them to version control
- Rotate API keys if you suspect they've been compromised
- Only invite trusted team members to your organisation
- Report security issues to us immediately
- Never upload real personal data or production customer information
Monitoring and Logging
We log certain activities for security and operational purposes:
- Login attempts and authentication events
- API requests and usage patterns
- Data exports and integration activity
- Administrative actions
Logs are retained for a limited time and used only for security, debugging, and service improvement.
What We're Working Towards
As Mocksy grows, we're committed to improving our security posture. Future goals include:
- Regular third-party security assessments
- Formal penetration testing
- Security certifications (ISO 27001, SOC 2)
- Two-factor authentication (2FA)
- Advanced audit logging
We'll update this page as we achieve these milestones.
What We Don't Claim
To be transparent about our current state:
- We do not currently hold ISO 27001 or SOC 2 certifications
- We have not undergone formal third-party penetration testing
- We do not offer on-premises or private cloud deployments
- We do not currently support SSO or SAML authentication
These are on our roadmap as we scale.
Incident Response
If we discover a security incident that affects your data:
- We'll investigate and contain the issue immediately
- We'll notify affected users via email as soon as reasonably possible
- We'll provide details about what happened and what we're doing about it
- We'll implement measures to prevent similar incidents
Reporting Security Issues
If you discover a security vulnerability or issue, please report it to us immediately at security@mocksyapp.com.
Please do not publicly disclose security issues until we've had a chance to investigate and address them.
Questions
If you have questions about our security practices, please contact us at security@mocksyapp.com.