Security is built in,
not bolted on.
Mappi is built by engineers who came from teams that shipped hardened, large-scale security at top tech companies. We brought those same practices with us, so your account, content, and data are protected by default.
Security you can verify, not just trust.
We follow industry best practices across authentication, data, infrastructure, and engineering. Every layer of Mappi is designed to keep your data private and your account safe.
- TLS 1.2+Encryption in transit on every request
- AES-256Encryption at rest for stored data
- SOC 2Compliant infrastructure providers across the stack
Security practices integrated across the platform.
These are the concrete patterns and providers we use to keep Mappi secure. Every item below is in production today, not on a roadmap.
Authentication & access
Supabase Auth with secure session cookies
Sign-in is handled by Supabase Auth with HttpOnly, Secure, SameSite cookies. Sessions are validated and refreshed by middleware on every request, so stale or tampered sessions cannot reach protected routes.
OAuth 2.0 sign-in with Google
Social sign-in uses the OAuth 2.0 authorization code flow. We never see, store, or transmit your Google password — Google handles the credential exchange end to end.
Hashed password storage
Passwords are hashed with industry-standard one-way algorithms by Supabase Auth. Plaintext passwords are never written to disk, never logged, and never sent over the wire after sign-in.
Protected routes via server-side middleware
Auth-gated pages are guarded by Next.js middleware that re-validates the session server-side. Authorization decisions never depend on client-side state alone.
Data protection
Encryption in transit (TLS 1.2+)
All traffic between your browser, our edge, and our backend is encrypted with TLS 1.2 or higher. HTTPS is enforced everywhere — there is no plaintext path into Mappi.
Encryption at rest (AES-256)
Account data and content stored in Supabase and our object storage are encrypted at rest with AES-256, using keys managed by our infrastructure providers.
Row-Level Security in Postgres
Our database uses Postgres Row-Level Security (RLS) policies so users can only read and write their own rows. Authorization is enforced at the database layer, not just in application code.
Minimal data collection by default
We only collect the data we need to render your map videos and operate your account. No selling of personal data, no hidden trackers in your renders, no surprise telemetry.
Infrastructure & operations
Hardened secret management
Server-only secrets (render API keys, Google API keys, database keys) live in encrypted environment variables. Public envs are explicitly prefixed with `NEXT_PUBLIC_` so it is impossible to accidentally leak a secret to the browser.
Server-side API proxying
Third-party APIs like Google Places are proxied through our backend so API keys never reach the browser. Clients call our endpoints; our server calls the upstream service.
SOC 2-compliant providers
Mappi runs on SOC 2-compliant infrastructure: Vercel for hosting and edge, Supabase for auth and database, and Stripe for payments. We inherit their controls, audits, and certifications.
Isolated render pipeline
Video renders run in a sandboxed, async pipeline behind authenticated APIs. Each render is identified by a server-issued ID, and outputs are scoped to the user who requested them.
Secure engineering practices
Strict TypeScript everywhere
The entire codebase is strictly typed. Whole classes of bugs — including the kind that lead to injection and auth bypass — are caught at compile time rather than in production.
PCI-compliant payments via Stripe
We never see or store your card details. All payment information is collected, tokenized, and processed by Stripe, which is PCI DSS Level 1 certified.
Continuous dependency updates
Dependencies are monitored and patched regularly. Critical security advisories trigger out-of-band updates so known CVEs do not linger in production.
Least-privilege access internally
Engineering access to production systems follows the principle of least privilege. Sensitive operations are gated, audited, and require authenticated access through SSO-protected tooling.
You own your content. We just help you ship it.
Mappi exists to help you create map videos. Your projects, places, routes, and renders belong to you, full stop. We do not sell your data, we do not train models on your private content, and we do not embed third-party trackers into your exported videos.
You can request account deletion at any time. When you delete your account, your projects and personal data are removed from our active systems on a defined schedule, and only minimal records required by law (for example, billing receipts) are retained.
Found a vulnerability? Tell us.
We treat security reports as a top priority. If you believe you have found a vulnerability in Mappi, please report it to us privately so we can fix it before it can be exploited.
Please do not publicly disclose the issue until we have had a chance to investigate and ship a fix.
Make beautiful map videos on a platform you can trust.
Get the same security posture top tech companies expect, packaged into a tool that anyone can pick up and use in minutes.
Start creating
map animations today
Bring your routes, places, and stories to life with frame-perfect map animations. No editing skills required.
Mappi helps you create stunning animated maps that is ideal Youtubers, journalists, and storytellers.
Stripe Climate member© 2025 Mappi. All rights reserved.