DRAFT: for legal review. This document is a placeholder. It has not been reviewed by counsel and must not be relied upon for any compliance or contractual purpose. Final wording will replace this notice on go-live.

Security

Effective 2026-05-01

We treat workspace data as confidential and design defences in depth. The honest summary as of the effective date above:

Authentication

  • Google OAuth via NextAuth. Microsoft / Azure AD is on the roadmap.
  • SAML SSO is planned for the Business plan.
  • Session JWTs are HTTP-only cookies; rotated on sensitive events.

Tenant isolation

  • Per-workspace row-level security on every Postgres table.
  • API guards (`requireSession`, `requireAdmin`) re-validate membership on every request. RLS is the secondary line of defence.
  • Workspace IDs are immutable at the database trigger level so a buggy admin path cannot move data across tenants.
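The three tenant-isolation controls above, shown as Postgres DDL. This is an added illustration, not the product's own schema: the table name `documents`, the `app.workspace_id` session setting, and the role name `app_user` are assumptions chosen for the example. The policy compares each row's `workspace_id` against a per-transaction setting that the API guard sets after it has validated membership, so RLS fails closed (no rows visible) if the setting is missing, and the trigger refuses any attempt to move a row between workspaces.

```sql
-- Added example schema (assumed, not the project's): one tenant-scoped table.
CREATE TABLE documents (
  id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  workspace_id  uuid NOT NULL,
  title         text NOT NULL
);

-- Row-level security: the application role sees and writes only its own workspace.
-- FORCE makes the policy apply to the table owner as well; the application role
-- must additionally not be a superuser and must not carry BYPASSRLS.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- NULLIF turns an unset setting ('' with missing_ok = true) into NULL, so the
-- comparison is NULL and no rows match: missing context means no access.
CREATE POLICY documents_tenant_isolation ON documents
  USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
  WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;  -- assumed role name

-- Immutable workspace_id: reject any UPDATE that would change it, whatever code path ran it.
CREATE OR REPLACE FUNCTION forbid_workspace_move() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  IF NEW.workspace_id IS DISTINCT FROM OLD.workspace_id THEN
    RAISE EXCEPTION 'workspace_id is immutable (row %: % -> %)',
      OLD.id, OLD.workspace_id, NEW.workspace_id
      USING ERRCODE = 'check_violation';
  END IF;
  RETURN NEW;
END;
$$;

CREATE TRIGGER documents_workspace_immutable
  BEFORE UPDATE OF workspace_id ON documents
  FOR EACH ROW EXECUTE FUNCTION forbid_workspace_move();

-- Per-request usage: the API guard validates membership first, then scopes the
-- transaction. SET LOCAL is reverted at COMMIT/ROLLBACK, so pooled connections
-- never leak one workspace's context into the next request.
BEGIN;
SET LOCAL app.workspace_id = '00000000-0000-0000-0000-000000000001';  -- constructed id
SELECT id, title FROM documents;                                      -- only this workspace's rows
-- The following would raise "workspace_id is immutable" and abort the transaction:
-- UPDATE documents SET workspace_id = '00000000-0000-0000-0000-000000000002';
COMMIT;
```

Two things worth checking when adopting a layout like this: run the application with a dedicated role (not the owner, not a superuser) so RLS is actually enforced, and confirm that every request path sets the workspace context inside the transaction rather than on the connection, otherwise a pooled connection can carry stale context.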

Audit log

Every privileged action (member changes, branding edits, billing events, recordings, guest links) writes an immutable row to the audit log. An admin-facing viewer is on the roadmap.
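One way to make audit rows append-only at the database level, as an added example rather than the product's actual implementation. The table layout, the `app_user` role and the sample values are assumptions. Immutability is enforced twice: the application role is granted only INSERT and SELECT, and a trigger refuses UPDATE, DELETE and TRUNCATE even for roles that do hold those privileges, so a compromised or buggy admin path cannot rewrite history.

```sql
-- Added example (assumed layout): one row per privileged action.
CREATE TABLE audit_log (
  id            uuid        PRIMARY KEY DEFAULT gen_random_uuid(),
  workspace_id  uuid        NOT NULL,
  actor_id      uuid,                                  -- NULL for system-initiated events
  action        text        NOT NULL,                  -- e.g. 'member.role_changed'
  details       jsonb       NOT NULL DEFAULT '{}'::jsonb,
  created_at    timestamptz NOT NULL DEFAULT now()
);

-- Layer 1: privileges. The application can append and read, nothing else.
REVOKE ALL ON audit_log FROM app_user;                 -- assumed role name
GRANT INSERT, SELECT ON audit_log TO app_user;

-- Layer 2: a trigger that rejects every mutation of existing rows, regardless of privileges.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
  RAISE EXCEPTION 'audit_log rows are immutable (% rejected)', TG_OP
    USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_update_delete
  BEFORE UPDATE OR DELETE ON audit_log
  FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

-- TRUNCATE triggers are statement-level, so it needs its own trigger.
CREATE TRIGGER audit_log_no_truncate
  BEFORE TRUNCATE ON audit_log
  FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- A privileged action writing its row (constructed values).
INSERT INTO audit_log (workspace_id, actor_id, action, details)
VALUES (
  '00000000-0000-0000-0000-000000000001',
  '00000000-0000-0000-0000-000000000009',
  'member.role_changed',
  '{"member_id": "00000000-0000-0000-0000-000000000042", "from": "member", "to": "admin"}'
);

-- Each of these now fails with "audit_log rows are immutable":
-- UPDATE audit_log SET action = 'noop';
-- DELETE FROM audit_log;
-- TRUNCATE audit_log;
```

Because the INSERT should happen in the same transaction as the action it records, a failed action leaves no audit row and a recorded action cannot have been rolled back; retention and archival then belong to a separate, more privileged role that is never used by the application.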

Compliance

  • SOC 2 Type II: in progress (no audit completed yet).
  • GDPR: subject-rights flows pending self-serve UI.
  • Data residency: US default. EU residency on the roadmap.

We don't claim certifications we don't hold. If you need a formal report or DPA, email security@mbccanadainc.com and we'll share the latest evidence pack.

Reporting a vulnerability

Email security@mbccanadainc.com with details. We'll acknowledge within two business days. Please don't publicly disclose until we've had time to respond.