Security
Security at Masteren Labs.
Masteren Labs operates infrastructure that other engineering teams depend on. Security and privacy are treated as design constraints, not features. The same small team that builds the software is responsible for keeping it safe to run.
This page describes how we approach security across the company. Each product also publishes its own product-specific security and privacy documentation on its own site.
Operating principles
How the work is structured.
These are the principles applied across every product. They are concrete, kept short, and meant to be testable rather than aspirational.
Encryption in transit
All public traffic to Masteren Labs systems is served over TLS. Inter-service and product-to-client traffic uses TLS by default. Stronger postures (such as mutual TLS) are available where the product warrants them.
Least privilege
Production access is restricted to the people who run the company. Credentials are scoped, rotated, and not shared across products.
Conservative defaults
Our software ships with the safer option enabled. Listening surfaces, allowlists, and authentication requirements are on by default rather than opt-in.
Data minimisation
We collect only the operational data required to run each product. No behavioural trackers, no advertising identifiers, no third-party analytics on our public website.
Independent product boundaries
Each product runs on its own infrastructure boundary with independent credentials and no shared customer database. A compromise of one product cannot cascade into another, and cross-product profiling is structurally impossible.
Privacy by design
Privacy is part of how each product is designed, not bolted on later. We treat customer data the way we would want our own treated, and we say so plainly in the privacy policy.
Reporting a vulnerability
Responsible disclosure.
If you believe you have found a security issue in any Masteren Labs system, the company-wide security address routes the report to the right people directly.
Email [email protected] with a description of the issue, the affected product, and reproduction steps.
We acknowledge reports within two working days and provide a timeline for the fix once we understand the scope.
We work to a coordinated 90-day disclosure window. Critical issues are prioritised over any other in-flight work.
We do not currently run a paid bug-bounty programme. Reports are reviewed and resolved on technical merit; recognition is offered with the reporter's consent.
Data handling
What we store, and why.
Masteren Labs collects the minimum operational data required to run each product, and never trades it. Per-product detail (what is stored, where, and for how long) lives in the documentation on each product's own site, alongside the company-wide privacy policy.