Security
How MASK protects your account, data, and infrastructure.
Two-factor authentication
Enable 2FA from Settings → Security. MASK supports time-based one-time passwords (TOTP) via authenticator apps like Google Authenticator, Authy, or 1Password.
When you enable 2FA, you'll receive a set of one-time recovery codes. Store these in a safe place. Each recovery code can only be used once.
Passkeys
Passkeys provide phishing-resistant authentication using biometrics or hardware security keys. You can register multiple passkeys from Settings → Security → Passkeys.
Passkeys work with Face ID, Touch ID, Windows Hello, and FIDO2-compatible hardware keys. Once a passkey is registered, you can use it as your primary sign-in method.
Session management
Sessions are managed via secure, HTTP-only cookies. You can view all active sessions in Settings → Security → Sessions and revoke any session individually.
Sessions expire after 30 days of inactivity. Enterprise workspaces can configure custom session timeouts.
API key security
API keys are prefixed with mk_live_ (production) or mk_test_ (test). Keys are shown only once at creation time and stored only as irreversible hashes, so the plaintext key cannot be recovered later, even by MASK.
Each key can be scoped to specific permissions (read-only, write, admin) and restricted to specific IP addresses. Rotate keys regularly and revoke any that may have been compromised.
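As an added illustration (not MASK's own implementation), the snippet below shows how a service can apply these rules: issue keys with the mk_live_ or mk_test_ prefix, keep only a SHA-256 digest of the key, and enforce permission scope, IP allowlists, and revocation at request time. The function names, the "production"/"test" labels, and the CIDR sample values are assumptions.

```python
# Illustrative example, not MASK's code. Models the API key policy
# described above: prefixed keys, hash-only storage, scoped permissions,
# IP restrictions, and revocation.
import hashlib
import ipaddress
import secrets

# Ordered so a higher-ranked permission covers every lower one.
PERMISSION_RANK = {"read-only": 0, "write": 1, "admin": 2}
PREFIXES = {"production": "mk_live_", "test": "mk_test_"}


def _digest(key: str) -> str:
    # The key is high-entropy random data, so a single SHA-256 is an
    # adequate irreversible representation (no password-style KDF needed).
    return hashlib.sha256(key.encode()).hexdigest()


def issue_key(store: dict, environment: str, permission: str,
              allowed_cidrs=()) -> str:
    """Create a key and return its plaintext exactly once; only the
    digest and the key's restrictions are written to `store`."""
    plaintext = PREFIXES[environment] + secrets.token_urlsafe(32)
    store[_digest(plaintext)] = {
        "permission": permission,
        "allowed_cidrs": [ipaddress.ip_network(c) for c in allowed_cidrs],
        "revoked": False,
    }
    return plaintext


def check_request(store: dict, presented_key: str,
                  required_permission: str, client_ip: str) -> bool:
    """True only if the key is known, not revoked, scoped for the action,
    and (when an allowlist exists) used from a permitted address."""
    record = store.get(_digest(presented_key))
    if record is None or record["revoked"]:
        return False
    if PERMISSION_RANK[record["permission"]] < PERMISSION_RANK[required_permission]:
        return False
    if record["allowed_cidrs"]:
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in record["allowed_cidrs"]):
            return False
    return True


def revoke(store: dict, presented_key: str) -> None:
    """Mark a possibly compromised key unusable without deleting its audit record."""
    record = store.get(_digest(presented_key))
    if record is not None:
        record["revoked"] = True
```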
Data encryption
All data is encrypted in transit using TLS 1.3. Data at rest is encrypted using AES-256. Database backups are encrypted and stored in geographically redundant locations.
Sensitive fields such as API key hashes and authentication tokens receive additional application-level encryption.
Compliance
MASK is SOC 2 Type II compliant. We undergo annual third-party audits covering security, availability, and confidentiality. Audit reports are available to Enterprise customers upon request.
MASK is also GDPR-compliant. You can request data export or deletion from Settings → Privacy. A Data Processing Agreement (DPA) is available for Enterprise plans.