Skip to main content
Munch.

Security

Last updated: March 2026

SOC 2 Auth

via Clerk

PCI Level 1

via Stripe

AES-256-GCM

encryption at rest

HSTS + TLS

enforced everywhere

Security is not an afterthought at Munch. Every layer of the product was designed with the assumption that threats exist. Below is a full overview of how we protect your account, your data, and your content.

Authentication and Access

  • No plaintext passwords. Munch never sees, stores, or transmits your password. Authentication is handled entirely by a dedicated, SOC 2-compliant identity provider. Your credentials never touch our servers.
  • OAuth and SSO. Sign in with Google or email. All OAuth flows follow industry-standard protocols with token-based session management.
  • Session management. Sessions are cryptographically signed and validated on every request. Tokens expire automatically and cannot be forged.
  • Admin access controls. Internal admin tools are restricted to explicitly authorized accounts. There is no public admin interface.

Data in Transit

  • TLS everywhere. All traffic between your browser and Munch is encrypted via HTTPS/TLS. There are no exceptions.
  • HTTP Strict Transport Security (HSTS). Browsers are instructed to enforce HTTPS-only connections for one year, including all subdomains. This prevents protocol downgrade attacks even before a request reaches our servers.
  • Security headers. Every response sets X-Frame-Options: DENY (blocks clickjacking), X-Content-Type-Options: nosniff (blocks MIME sniffing), strict Referrer-Policy, Permissions-Policy, and X-Permitted-Cross-Domain-Policies: none.
  • API communication. All server-to-server calls (AI processing, payment processing, database queries) occur over encrypted channels.
  • Webhook signing. Outbound webhooks support HMAC-SHA256 signatures so you can verify every payload originated from Munch.

Data at Rest

  • Encrypted database. Your content and account data are stored in a managed PostgreSQL database with encryption at rest enabled by default.
  • Secrets management. API keys, tokens, and integration credentials are encrypted using AES-256-GCM before storage. Encryption keys are stored separately from application data.
  • Row-level security. Database-level access policies ensure that even if an unauthorized client connects, no user data is exposed through the database API layer.

Payment Security

  • PCI-compliant payments. All payment processing is handled by Stripe, a PCI Level 1 certified provider. Munch never sees or stores your card number, CVV, or billing details.
  • Webhook verification. Incoming payment events are verified using cryptographic signatures to prevent spoofing or replay attacks.

Application Security

  • Input validation. All user inputs are validated and sanitized before processing to prevent injection attacks including SQL injection, XSS, and similar vectors.
  • Rate limiting and abuse prevention. API endpoints enforce per-IP and per-user usage limits. Enterprise daily caps and per-plan Munch pools prevent runaway usage.
  • No file uploads. Munch is URL-based. You never upload files to our servers, which eliminates an entire class of file-based attack vectors.
  • Dependency management. We regularly audit and update third-party dependencies to patch known vulnerabilities.

Infrastructure

  • Managed hosting. Munch runs on enterprise-grade, SOC 2-compliant infrastructure with automatic scaling, DDoS protection, and edge caching.
  • DNS security. Our domain is managed through a provider with built-in DDoS mitigation, bot management, and SSL termination.
  • Monitoring and alerting. Service health is monitored continuously with automated checks every minute across munch.video and all upstream dependencies (AI, payments, auth, email). Any degradation triggers immediate alerts to our engineering team.
  • Isolated environments. Production, development, and testing environments are fully separated. No test data touches production systems.

Your Content

  • Your content is yours. Generated content belongs to you. We do not use your inputs or outputs to train AI models.
  • No third-party data sharing. Your content is not sold, shared, or exposed to other users. AI processing calls do not retain your data beyond the request.
  • Deletion on request. Contact support and we will delete your account and all associated content permanently.

Team and Access Controls

  • Invite-only team access. Team members are added by email invitation only. Each invite uses a unique, cryptographically random token.
  • Scoped permissions. Team members share a Munch pool but cannot access billing, team management, or other members' individual settings.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@munch.video. We take every report seriously and will respond promptly. We appreciate responsible disclosure and will credit researchers who help us improve.

← HomePrivacy PolicyTerms of ServiceSupport