Security

Last updated: 7 June 2026

At Magnor Vessels, security is central to how we build and operate our superyacht regulatory compliance platform. We handle sensitive vessel records and crew personal data — including certificates, rest-hour logs, and supporting documents — and we take that responsibility seriously. This page explains the measures we have in place today, and we are honest about where we are on our journey as an early-stage company.

Our approach to security

We follow a security-first mindset and design our systems with defence-in-depth — multiple, overlapping layers of protection so that no single control is a single point of failure. Security considerations are part of how we design features, write code, and choose the infrastructure we run on.

We are an early-stage company, and we believe in being straightforward about what that means. Rather than overstate our maturity, we describe the controls we genuinely operate today and clearly mark the areas we are still formalising. Where a measure is planned but not yet in place, we say so.

Data encryption

In transit: All traffic between your browser or devices and our platform is encrypted using HTTPS/TLS. This protects your data as it moves across the internet.

At rest: Data stored by the platform is encrypted at rest through our infrastructure providers [• confirm specifics]. We rely on reputable hosting and database providers for this layer; see the sub-processors section below.

Authentication & access control

Authentication is handled by Clerk, a dedicated identity provider, rather than rolling our own credential storage. This brings well-tested authentication infrastructure to every account.

• Multi-factor authentication (MFA) is available to add a second layer of protection beyond passwords.
• Single sign-on (SSO) and SAML are supported for Enterprise customers who want to manage access through their own identity provider.
• Role-based access control (RBAC) governs what each user can see and do. Roles such as Captain, DPA, Fleet Manager, and crew receive only the permissions appropriate to their function.
• We apply the principle of least privilege, granting the minimum access necessary, and permissions are tenant-scoped so they apply only within the relevant customer account.

Tenant isolation & data segregation

Magnor Vessels is a multi-tenant platform, and each customer's data is logically isolated from every other customer's. Access checks are enforced on every request, scoped to the authenticated user's tenant, so one customer cannot access another customer's vessel or crew records.

Application & platform security

We build and operate the application with a range of safeguards designed to reduce the risk of abuse and common vulnerabilities:

• API rate limiting to protect against excessive or abusive requests.
• Failed-login throttling to make brute-force attempts impractical.
• Secure, single-use invitation tokens that expire, so account invitations cannot be reused or shared indefinitely.
• Server-side input validation on data submitted to the platform.
• Routine dependency and vulnerability patching to keep our software current.
• Development follows OWASP-aware practices, drawing on widely recognised guidance for secure web applications.

Audit logging & monitoring

Key actions within the platform are recorded in an audit trail, providing a record of important activity for accountability and review. We also use Sentry for application error monitoring, which helps us detect, diagnose, and resolve issues promptly. Formal monitoring and alerting thresholds are still being defined [• to be confirmed].

Payments security

Payments are processed by Stripe, a PCI-DSS compliant payment provider. We do not store full card numbers on our systems — sensitive payment details are handled directly by Stripe.

Infrastructure & sub-processors

Our platform is hosted on reputable, established providers. We use a number of third-party sub-processors to deliver the service, including Neon, Railway, Netlify, Cloudflare R2, Clerk, Stripe, Resend, Anthropic, and Sentry. For the current list and the role each plays, see our sub-processors page. Data-centre regions are [• to be confirmed].

Backups & availability

We rely on managed infrastructure providers that offer resilient, redundant hosting for our application and data. The specifics of our backup and availability arrangements are being formalised:

• Backup frequency and retention: [• to be confirmed]
• Recovery Time Objective (RTO) and Recovery Point Objective (RPO): [• to be confirmed]

Incident response

We take security incidents seriously and aim to respond promptly to contain, investigate, and remediate any issue. Our formal incident-response process and associated timelines are being documented [• to be confirmed].

In the event of a personal data breach affecting your information, we will notify affected customers in line with our obligations under the GDPR, including, where required, notification without undue delay. For data-protection matters, contact privacy@magnorvessels.com.

Responsible disclosure

We welcome reports from security researchers and the wider community. If you believe you have found a vulnerability in our platform, please email security@magnorvessels.com with the details and steps to reproduce.

We commit to handling good-faith reports in good faith: we will acknowledge your report, investigate, and work to resolve confirmed issues. We ask that you give us a reasonable opportunity to address a problem before disclosing it publicly, and that you avoid accessing or modifying other users' data during your research. We do not currently operate a paid bug-bounty programme.

Your responsibilities

Security is a shared effort, and how you use the platform matters. We ask that you:

• Use strong, unique passwords and enable multi-factor authentication on your account.
• Manage user access within your organisation — grant appropriate roles, and remove access promptly when someone no longer needs it.
• Protect your credentials and never share login details; treat invitations and access tokens as confidential.
• Notify us promptly if you suspect any unauthorised access to your account.

Compliance & certifications

As an early-stage company, we do not currently hold formal certifications such as SOC 2 or ISO 27001, and we have not undergone independent penetration-test attestations. We would rather be transparent about this than imply assurances we cannot yet back up.

We design our practices with established security frameworks in mind, and we are working toward formalising our security programme as we grow [• planned / to be confirmed]. Where our handling of personal data is concerned, we aim to align with the GDPR; the status of any formal audits or certifications is [• to be confirmed].

Contact

For security concerns or to report a vulnerability, contact security@magnorvessels.com. For privacy and data-protection enquiries, contact privacy@magnorvessels.com.