Trust & security

What we hold, what we're working on, and who else touches your data.

This page is what we'd send to a procurement team on day one. No "compliance theatre", no certifications we haven't earned, no sub-processors we don't disclose.

Security posture

The shape of the surface.

Encryption in transit

TLS 1.3 on every public endpoint. HSTS enabled. HTTP/2 + WebSocket for the realtime hub.

Encryption at rest

Azure storage service encryption (AES-256) on SQL and Blob. Customer-managed keys available on Business + Enterprise.

End-to-end

Private direct messages are end-to-end encrypted by default. Group calls run on a LiveKit SFU; end-to-end encryption for voice and video is on the roadmap.

Identity

ASP.NET Core Identity with PBKDF2 + per-user salt. JWT access tokens with a stable signing key on production; refresh-token rotation.

SSO & provisioning

Business + Enterprise: Entra ID, Okta, Google Workspace via OIDC. SCIM 2.0 provisioning. Per-tenant claim mapping.

Audit

Login, message, call and admin actions logged. Business + Enterprise: JSON export to customer-controlled storage. Retention configurable.

Certifications

Honest status, not a roadmap with no dates.

We don't list certifications we don't currently hold as "held". We do list the ones we're actively working towards, with our honest estimate of where we are. Ask us for the audit evidence at any point.

Certification           | Status      | Notes
Cyber Essentials Plus   | In progress | Initial scoping in flight; expected certified within 6 months.
ISO/IEC 27001:2022      | In progress | Statement of Applicability drafted; controls being implemented through 2026.
SOC 2 Type II           | In progress | Targeted at first observation period in 2026 H2. SOC 2 Type I beforehand.
UK GDPR / DPA 2018      | Compliant   | DPA signed at Business / Enterprise tier. UK ICO registration in name of Mia Bazo Ltd.

Sub-processors

Everything that touches your data.

Listed in order of how close they get to message content. We notify customers on Business + Enterprise tiers before adding new sub-processors.

Sub-processor            | Purpose                        | Data category                       | Region
Microsoft Azure          | Compute, SQL, Blob storage     | All customer data                   | UK South / EU West
LiveKit                  | Realtime voice & video SFU     | Call media (no message text)        | EU
Twilio SendGrid          | Transactional email            | Email address, confirmation links   | EU
Apple APNs               | iOS push notifications         | Push tokens, call wake-up payload   | Global Apple infrastructure
Firebase Cloud Messaging | Android push notifications     | Push tokens, call wake-up payload   | Global Google infrastructure

Reporting issues

Vulnerability disclosure.

We treat security reports as a priority and we don't litigate good-faith research. Email security@miabazo.com with a description, proof-of-concept and any reproduction steps. We'll acknowledge within one working day.

Please don't access data that isn't yours, don't degrade service for other customers, and give us reasonable time to fix before public disclosure.

Need our audit pack?

We share our current SoA, pen-test summary and DPA template under NDA on request. Email trust@miabazo.com to request the audit pack.
