Trust & Security

Software a city can buy on Tuesday.

A focused, defensible security posture written for procurement teams — not a marketing page. If your IT or counsel needs more detail on any item below, email mike@mkn.us and we will respond same business day.

§ 1
At a glance

The five-second answer.

Drop the table below into your RFP. Each row links to the detail.

Question                      AnimalShelterIQ
Encryption in transit         TLS 1.2+ on every endpoint. HSTS enforced.
Encryption at rest            AES-256 on the database and object storage layers.
Access control                Role-based (Resident, Field Officer, Veterinarian, Adoption Counselor, Foster, Volunteer, Admin/Director). Per-endpoint role gates.
Audit logs                    Every mutation logged: who, what, when, IP. Retained for the life of the contract.
Tenant isolation              Org isolation at the query layer. No shared records between organizations — ever.
Backups                       Daily encrypted backups, multi-region. Tested restores monthly.
Public endpoint protection    reCAPTCHA v3 + IP rate limiting on every unauthenticated form.
Data ownership                You own your data. Full export on demand. Production data deleted within 30 days of termination, backups within 90.
§ 2
The detail

Eight controls. One posture.

What the platform does, in language an IT director or county counsel can read straight into a procurement record.

i.Encryption

In transit & at rest.

All traffic is TLS 1.2+ — we enforce HTTPS at the edge and HSTS on every response. The database and object storage layers are encrypted with AES-256 by the hosting provider. Per-organization API keys (e.g. payment processors, AI providers) are encrypted at the application layer with envelope encryption before they hit the database.
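The envelope pattern described above, as an added worked example rather than AnimalShelterIQ's own code: a fresh data key (DEK) per stored secret, that DEK wrapped by a key-encryption key (KEK), and both ciphertexts bound to the organization id as associated data so that a row copied between tenants will not decrypt even though its bytes are intact. The KEK bytes, the record layout and the AEAD itself are assumptions made for this example; the AEAD is an HMAC-SHA256 counter-mode-plus-MAC stand-in because the Python standard library has no AES, and a real deployment would use AES-256-GCM from a crypto library with the KEK held in a KMS or HSM.

```python
"""Envelope encryption for per-organization API keys (added example, not the product's code)."""
import base64
import hashlib
import hmac
import secrets

# CONSTRUCTED keys for this example only. In production the KEK lives in a KMS/HSM and
# only the wrapped DEK ever reaches the database.
KEK_V1 = hashlib.sha256(b"constructed-kek-v1").digest()   # 32 bytes
KEK_V2 = hashlib.sha256(b"constructed-kek-v2").digest()   # rotation target
NONCE_LEN, TAG_LEN = 12, 32


def _subkeys(key: bytes) -> tuple:
    """Derive independent encryption and MAC keys from one 256-bit key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in AEAD (HMAC-CTR + HMAC tag): returns nonce || ciphertext || tag. The tag
    also covers `aad`, which is how the ciphertext gets bound to the org id."""
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_decrypt(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc, mac = _subkeys(key)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("authentication failed")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac, aad + nonce + ct, hashlib.sha256).digest()
    # Constant-time compare; wrong key, wrong org id and a flipped bit all land here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


def seal_secret(kek: bytes, kek_id: str, org_id: str, secret: bytes) -> dict:
    """Fresh DEK per record, wrapped by the KEK; both ciphertexts carry the org id as AAD."""
    dek = secrets.token_bytes(32)
    aad = org_id.encode()
    return {"org_id": org_id, "kek_id": kek_id,
            "wrapped_dek": _b64(aead_encrypt(kek, dek, aad)),
            "ciphertext": _b64(aead_encrypt(dek, secret, aad))}


def open_secret(kek: bytes, org_id: str, record: dict) -> bytes:
    """`org_id` comes from the caller's session, not from the record, so a row copied
    between tenants fails to unwrap."""
    aad = org_id.encode()
    dek = aead_decrypt(kek, base64.b64decode(record["wrapped_dek"]), aad)
    return aead_decrypt(dek, base64.b64decode(record["ciphertext"]), aad)


def try_open(kek: bytes, org_id: str, record: dict):
    """open_secret, returning None instead of raising (for callers that log and move on)."""
    try:
        return open_secret(kek, org_id, record)
    except ValueError:
        return None


def rewrap_secret(old_kek: bytes, new_kek: bytes, new_kek_id: str, record: dict) -> dict:
    """KEK rotation rewrites only the wrapped DEK; the secret's ciphertext is untouched."""
    aad = record["org_id"].encode()
    dek = aead_decrypt(old_kek, base64.b64decode(record["wrapped_dek"]), aad)
    return {**record, "kek_id": new_kek_id, "wrapped_dek": _b64(aead_encrypt(new_kek, dek, aad))}


def tampered(record: dict) -> dict:
    """Flip one ciphertext byte, to show the tag check rejecting the row."""
    raw = bytearray(base64.b64decode(record["ciphertext"]))
    raw[NONCE_LEN] ^= 0x01
    return {**record, "ciphertext": _b64(bytes(raw))}
```

The two points worth carrying into a real implementation are the AAD binding (the org id is part of what the tag authenticates, so the database cannot be used to move a credential from one tenant to another) and the rotation path, which never re-encrypts the secret itself: only the small wrapped DEK changes, so rotating the KEK is a cheap, auditable batch job.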

ii.Access Control

Role-based, by endpoint.

Every authenticated endpoint declares the role(s) allowed to call it. Roles are first-class — Resident, Field Officer, Veterinarian, Adoption Counselor, Foster, Volunteer, Admin/Director — and the role gate runs before the controller does. Login uses email + password with optional time-based one-time codes (TOTP); SSO via Google/Microsoft on request.

iii.Audit Logs

Every mutation, for the life of the contract.

Every write — create, update, delete, status change — produces an audit record with the actor, the resource, the before/after state, the timestamp, and the source IP. Logs are tenant-scoped, queryable from the admin UI, and retained for the life of the contract. Read endpoints are logged at the access-pattern level (no PII).

iv.Tenant Isolation

Isolation at the query layer.

Every database query is scoped to the calling user's organization through a centralized query trait. There is no global admin view that can see across tenants. New endpoints fail closed — if a developer forgets the scope, the query returns nothing rather than leaking data. We test this with a static analyzer on every deploy.
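A sketch of sections ii and iv in working Python, added here as an example; it is not the product's code, and this page does not state the product's stack. `require_role` gates a handler before its body runs, `ScopedQuery` stands in for the centralized query trait and returns nothing when no organization scope is present or when a caller tries to pass a different org id, and `unscoped_queries` is the kind of small AST check a deploy step can run to flag a handler that calls the collection directly. The in-memory collection, the role names on the handler, the handler names and the lint rule are all assumptions.

```python
"""Per-endpoint role gates and fail-closed tenant scoping (added example, not the product's code)."""
import ast
import functools
from dataclasses import dataclass


class Forbidden(Exception):
    pass


@dataclass(frozen=True)
class User:
    id: str
    org_id: str
    role: str


# Constructed data: two organizations sharing one collection.
ANIMALS = [
    {"_id": "a1", "org_id": "org-1", "name": "Biscuit", "status": "adoptable"},
    {"_id": "a2", "org_id": "org-1", "name": "Pepper", "status": "hold"},
    {"_id": "a3", "org_id": "org-2", "name": "Mochi", "status": "adoptable"},
]


def require_role(*roles: str):
    """The gate runs before the handler body; an anonymous or wrong-role caller never reaches it."""
    def decorator(handler):
        @functools.wraps(handler)
        def gated(user, *args, **kwargs):
            if user is None or user.role not in roles:
                raise Forbidden(f"{handler.__name__} requires one of {roles}")
            return handler(user, *args, **kwargs)
        return gated
    return decorator


class ScopedQuery:
    """Every read is filtered by the caller's organization. No scope means no rows, never all rows."""

    def __init__(self, user):
        self.org_id = user.org_id if user is not None else None

    def find(self, collection, **filters):
        if not self.org_id:
            return []                                    # fail closed
        if filters.pop("org_id", self.org_id) != self.org_id:
            return []                                    # caller cannot re-scope to another tenant
        return [doc for doc in collection
                if doc["org_id"] == self.org_id
                and all(doc.get(k) == v for k, v in filters.items())]


@require_role("Adoption Counselor", "Admin/Director")
def list_adoptable(user):
    """Example endpoint: the role gate above runs first, then the scoped query."""
    return [doc["name"] for doc in ScopedQuery(user).find(ANIMALS, status="adoptable")]


def gate_allows(handler, user) -> bool:
    try:
        handler(user)
        return True
    except Forbidden:
        return False


def unscoped_queries(source: str) -> list:
    """Deploy-time lint: flag every `.find(...)` whose receiver is not `ScopedQuery(...)`."""
    findings = []
    for fn in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        for node in ast.walk(fn):
            if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                    and node.func.attr == "find"):
                continue
            recv = node.func.value
            scoped = (isinstance(recv, ast.Call) and isinstance(recv.func, ast.Name)
                      and recv.func.id == "ScopedQuery")
            if not scoped:
                findings.append(f"{fn.name}:{node.lineno} calls .find() outside ScopedQuery")
    return findings


# Constructed handler source as the lint would see it in CI: one handler forgets the scope.
SAMPLE_HANDLERS = """
def list_everything(user):
    return db.animals.find({})

def list_mine(user):
    return ScopedQuery(user).find(ANIMALS)
"""
```

The fail-closed choice is the one to copy: a missing scope returns an empty result rather than an unfiltered one, so a forgotten filter shows up as a broken feature in testing instead of a cross-tenant read in production, and the lint catches the omission before the deploy rather than after.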

v.Backups & DR

Daily, encrypted, restorable.

Encrypted snapshots run nightly with point-in-time recovery for the most recent seven days. Backups are stored in a second region. We test restores on a monthly cadence — the only restore that counts is one that has been proven to work. Target RTO: 4 hours. Target RPO: 24 hours.

vi.Public Surfaces

Hardened public endpoints.

The citizen portal, lost-pet upload, license renewal, and complaint submission run reCAPTCHA v3 plus IP-based rate limiting on every request. All user input is HTML-sanitized before storage. File uploads are content-type validated, malware-scanned, and stored on a separate origin from the application.

vii.AI Usage

Read-only, rate-limited, tenant-scoped.

The AI assistant is read-only — it can analyze your data but cannot mutate it. Every call is scoped to the calling user's organization and counted against a per-user rate limit (100 calls/hour by default). Organizations may bring their own AI provider key, which is encrypted at rest. No customer data is used to train any model.
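The controls in sections vi and vii share one admission path, shown here as an added example rather than the product's code: a sliding-window limiter keyed by client IP for the public forms or by user id for the assistant's per-user budget, a reCAPTCHA v3 verdict check, and upload type validation by magic bytes rather than the declared Content-Type. The siteverify response is constructed in the shape Google documents (success, score, action, hostname, challenge_ts) and no network call is made; the allow-lists, the limits and the 0.5 score cut-off are assumptions.

```python
"""Admission control for an unauthenticated public form (added example, not the product's code)."""
import collections
import time


class SlidingWindowLimiter:
    """At most `limit` events per `window` seconds for each key; `clock` is injectable for tests."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._events = collections.defaultdict(collections.deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()                       # drop events that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def recaptcha_ok(verify: dict, expected_action: str, allowed_hosts: set,
                 min_score: float = 0.5) -> bool:
    """Interpret a parsed /recaptcha/api/siteverify response for reCAPTCHA v3.
    v3 never blocks on its own: the server must check success, the action the page
    claimed, the hostname the token was minted on, and the score against its threshold."""
    return (verify.get("success") is True
            and verify.get("action") == expected_action
            and verify.get("hostname") in allowed_hosts
            and float(verify.get("score", 0.0)) >= min_score)


# Magic bytes for the upload types a lost-pet form might accept (assumed allow-list).
MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}


def upload_type_ok(declared: str, head: bytes) -> bool:
    """Declared Content-Type must be on the allow-list and agree with the file's first bytes."""
    return any(head.startswith(m) for m in MAGIC.get(declared, ()))


def admit(limiter: SlidingWindowLimiter, client_ip: str, verify: dict,
          action: str, hosts: set) -> str:
    """Rate limit first: it is free, and it keeps a flood from burning siteverify calls."""
    if not limiter.allow(client_ip):
        return "rate_limited"
    if not recaptcha_ok(verify, action, hosts):
        return "captcha_failed"
    return "ok"


# Constructed verdicts in the shape Google returns; no request is made anywhere in this file.
GOOD_VERDICT = {"success": True, "score": 0.9, "action": "lost_pet_upload",
                "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "portal.example.gov"}
BOT_VERDICT = {**GOOD_VERDICT, "score": 0.1}
REPLAYED_VERDICT = {**GOOD_VERDICT, "action": "login"}     # token minted for a different form

# The assistant's default budget from section vii: 100 calls per user per hour.
ASSISTANT_LIMITER = SlidingWindowLimiter(limit=100, window=3600)
```

Two details matter in practice. The action and hostname checks are what stop a token harvested from one form (or one site) being replayed against another, since the score alone says nothing about where the token came from. And the magic-bytes check is the part of "content-type validated" that an attacker cannot influence: the Content-Type header is whatever the client chose to send.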

viii.Vulnerability Handling

Coordinated disclosure.

Report security issues to security@mkn.us. We acknowledge within one business day, triage within five, and patch critical issues out-of-band. We do not pursue researchers acting in good faith. We will credit you publicly if you'd like.

§ 3
Subprocessors

Who else touches the data.

The complete list. We notify customers 30 days before adding or replacing a subprocessor.

Hosting — primary infrastructure provider (US regions)
Database — managed document database (US regions)
Object storage — photos, documents, voice clips
Frontier AI providers — assistant, vision, drafting
Twilio — SMS & voice for license outreach
Stripe — payment processing for license fees
Google Maps — geocoding & mapping tiles
Transactional email — notices & daily digests

Specific vendor names are listed in the Data Processing Addendum, available on request (see § 4).


Data residency

All data is stored in US regions by default. We can provide region-pinned deployments on request for state and county customers with explicit residency requirements.


Data export & deletion

You own your data. Full CSV / JSON export on demand at any time. On contract termination, we delete production data within 30 days and backups within 90, then provide a written attestation.

§ 4
Legal

The paperwork.

Standard, plain-language documents. We will redline a DPA or MSA on request.


Privacy Policy

What we collect, why, who we share with, and how to ask us to delete it.

Read policy


Terms of Service

Acceptable use, uptime commitments, and how the contract is governed.

Read terms


Data Processing Addendum

The processor / sub-processor agreement procurement counsel will ask for.

Read DPA

Security questions go straight to the founder.

No support queue. No tier-2 escalation. Email and you'll hear back same business day.

security@mkn.us