Not a list of aspirations — a list of measures this platform actually ships, plus how to tell us when we got one wrong.
[ 01 ]What we ship
Each of these is verifiable against this site's actual behavior — inspect the response headers, probe the forms.
Security headers on every response
Every route ships X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict Referrer-Policy, a locked-down Permissions-Policy, and HSTS with preload. These are set globally in the framework config, not per page, so a new route cannot forget them.
Rate limiting on every public form
Contact, subscribe, partner applications, and the ask desk are all rate-limited per IP — five submissions per minute. Exceeding the window returns a 429, not a silent drop, so legitimate users know what happened.
Honeypot fields against bots
Each public form carries a hidden field humans never see. Bots that fill it receive a fabricated success response and their submission is discarded. No CAPTCHA, no friction for people.
Capability tokens, not sessions
Support threads are accessed with a per-thread capability token, not an account session. The token grants exactly one thread. If it leaks, the exposure is that thread — never your identity, never anyone else's data.
Admin key separation
Operator endpoints verify a dedicated x-admin-key header, checked server-side on every request. The admin key is never embedded in client code, never shares a namespace with visitor tokens, and a visitor token can never escalate into operator access.
Strict input validation
Every API route validates type, presence, and length bounds on every field before anything else runs, and returns structured field errors. Malformed JSON is rejected with a 400 — requests never reach business logic unparsed.
[ 02 ]Compliance posture
We maintain SOC 2 Type II attestation covering security, availability, and confidentiality. The audit examines how our controls operate over time — not a snapshot, a record. Enterprise customers can request the current report under NDA via security@myndlabs.ai. What we don't claim: certifications we haven't earned. There is no ISO 27001 badge here yet, because the audit isn't done yet.
[ 03 ]Responsible disclosure
Email security@myndlabs.ai with reproduction steps. We acknowledge within 48 hours, keep you informed through remediation, and credit you if you want credit.
[ in scope ]
- myndlabs.ai and all routes under it
- Public API endpoints under /api/*
- Authentication, token, and rate-limit logic
[ out of scope ]
- Denial-of-service and volumetric attacks
- Social engineering of Mynd Labs staff
- Third-party services we link to but do not operate
- Automated scanner reports with no demonstrated impact
[ rules ]
- Do not access, modify, or delete data that is not yours.
- Do not degrade the service for other users while testing.
- Give us 90 days to remediate before any public disclosure.
- One issue per report, with steps to reproduce.
If you make a good-faith effort to follow this policy, we consider your research authorized. We will not initiate legal action against you, and if a third party does, we will make it known that your activities were conducted in compliance with this policy. Good faith means staying in scope, respecting the rules above, and reporting promptly.
Machine-readable policy: /.well-known/security.txt
[ 04 ][ go deeper ]