Security & Access Policy

This document describes the security measures Muxbe has in place to protect your data, how access controls work, and what you can realistically expect from us. We believe trust comes from honesty, so this page tells you what we actually do — not what sounds impressive on a slide deck.

Muxbe is operated by Giorgi Kurtsikidze, Individual Entrepreneur (მცირე მეწარმე), registered in Georgia, under the trade name Muxbe. We are a B2B SaaS platform for iGaming affiliate management.

1. Infrastructure

Muxbe runs on established, enterprise-grade cloud infrastructure provided by a small number of carefully selected third-party providers:

We rely on our cloud infrastructure providers' physical security, network security, and infrastructure hardening. We do not operate our own data centers or servers. The current named list of our infrastructure providers is included in the Sub-processor list delivered to Customers under contract.

2. Authentication

All user authentication is handled through the platform's authentication system:

3. Authorization & Access Control

Muxbe enforces role-based access control (RBAC) with a deny-by-default permission model. If a permission is not explicitly granted, it is denied.

3.1 Roles

The platform supports the following roles: superadmin, admin, ceo, project_manager, manager, retention, viewer, and custom role templates that can be configured per tenant.

3.2 Granular Permissions

Each role is assigned a specific set of permissions that control what the user can see and do:

Permissions are enforced both in the browser (UI elements are hidden or disabled) and on the server (Cloud Functions reject unauthorized requests). The server-side check is the authoritative one — client-side checks exist for user experience, not security.

4. Tenant Isolation

Muxbe is a multi-tenant platform. Each customer's data is isolated under a dedicated path: tenants/{tenantId}/.

We want to be straightforward: this isolation works and is enforced at the database rules level, but it has not been independently audited by a third party. We test it, we enforce it in code and rules, and we believe it is sound — but we are not going to call it "enterprise-grade certified isolation" because that would require a formal audit we have not completed.
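To make the deny-by-default model of section 3 and the tenant scoping of section 4 concrete, here is an added example of a server-side authorization check written in JavaScript. It is not Muxbe's code: the role-to-permission table is a constructed sample (this page names the roles and the viewPlayerPII and viewPartnerContacts permissions but does not publish its permission matrix), viewStats is a hypothetical permission, the tenant-path check is the editor's illustration of "isolated under tenants/{tenantId}/", and the rule that only superadmin may act across tenants is an assumption drawn from section 10.

```javascript
// Added example: deny-by-default RBAC check with tenant-path scoping, in the
// spirit of sections 3 and 4 of the policy. Not Muxbe's code.
// The permission matrix is a constructed sample; 'viewStats' is hypothetical.
const ROLE_PERMISSIONS = {
  superadmin: ['*'],                                                // platform operator
  admin:      ['viewPlayerPII', 'viewPartnerContacts', 'viewStats'],
  manager:    ['viewPartnerContacts', 'viewStats'],
  retention:  ['viewPlayerPII', 'viewStats'],
  viewer:     ['viewStats'],
};

// Own-property lookup so role names such as "constructor" or "__proto__"
// cannot pick up entries from Object.prototype.
function lookup(table, key) {
  return Object.prototype.hasOwnProperty.call(table, key) ? table[key] : undefined;
}

// Resolve a role name to its permission set. Tenant-defined custom role
// templates (loaded server-side from tenant config, never from the client)
// take precedence over built-ins. An unknown role resolves to the empty set,
// so every check against it is denied: deny by default.
function resolvePermissions(role, tenantCustomRoles = {}) {
  const perms = lookup(tenantCustomRoles, role) ?? lookup(ROLE_PERMISSIONS, role) ?? [];
  return new Set(perms);
}

function hasPermission(perms, wanted) {
  return perms.has('*') || perms.has(wanted);
}

// A document path is inside a tenant only if it is literally
// "tenants/<tenantId>/<collection>/<doc>..." with no empty or dot segments,
// so prefixes like "tenants/t10/..." or "../" cannot escape "tenants/t1/".
function isWithinTenant(path, tenantId) {
  if (typeof path !== 'string' || typeof tenantId !== 'string' || tenantId === '') return false;
  const seg = path.split('/');
  if (seg.length < 3 || seg[0] !== 'tenants' || seg[1] !== tenantId) return false;
  return seg.slice(2).every((s) => s !== '' && s !== '.' && s !== '..');
}

// The authoritative server-side check (the browser-side one is UX only).
// `user` is the authenticated caller ({ uid, tenantId, role }); `req` says
// what is being attempted. Returns { allowed, reason } so a denial can be logged.
function authorize(user, req) {
  if (!user || !req || !req.tenantId || !req.permission) {
    return { allowed: false, reason: 'malformed-request' };
  }
  // Assumption: only superadmin (the platform operator) may act outside its own tenant.
  if (user.tenantId !== req.tenantId && user.role !== 'superadmin') {
    return { allowed: false, reason: 'wrong-tenant' };
  }
  if (req.path !== undefined && !isWithinTenant(req.path, req.tenantId)) {
    return { allowed: false, reason: 'path-outside-tenant' };
  }
  const perms = resolvePermissions(user.role, req.tenantCustomRoles);
  if (!hasPermission(perms, req.permission)) {
    return { allowed: false, reason: 'permission-not-granted' };
  }
  return { allowed: true, reason: 'ok' };
}

// Usage: a viewer in tenant t1 asking for player PII is denied on the server
// regardless of whether the UI hid the button.
console.log(authorize(
  { uid: 'u1', tenantId: 't1', role: 'viewer' },
  { tenantId: 't1', permission: 'viewPlayerPII', path: 'tenants/t1/playersPII/p1' },
));
```

The important design choice is that every failure path returns a denial and only one path returns allowed; there is no fall-through that grants access when a role or permission is simply unknown.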

5. PII Protection

Muxbe handles two categories of personally identifiable information, and both receive additional protection beyond standard access controls:

5.1 Player PII

Player personal data — including email, name, nickname, and IP address — is stored in a separate playersPII collection. Access requires the explicit viewPlayerPII permission. Users without this permission cannot see player personal details, even if they can see aggregated player statistics.

5.2 Partner Contacts

Partner contact information — including email, phone, Telegram, and Skype — is stored in a separate partnerContacts collection. Access requires the explicit viewPartnerContacts permission.

5.3 AI Assistant & PII

The AI assistant is permission-aware. When a user queries the assistant, PII and financial fields are stripped from AI tool results if the user lacks the appropriate permission. A user without viewPlayerPII cannot extract player personal data through the AI assistant.
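As an added illustration of the permission-aware stripping described in this section, the JavaScript below redacts a tool result before it is returned to the assistant. It is not Muxbe's code. FIELD_POLICY is a constructed sample: the player and partner PII field names are the ones listed in sections 5.1 and 5.2, while viewFinancials and the non-PII fields (playerId, country, registeredAt, deposits, partnerId, company, commission) are hypothetical, as is the tool result shape { kind, rows }.

```javascript
// Added example: permission-aware redaction of AI tool results, after section
// 5.3 of the policy. Not Muxbe's code. FIELD_POLICY is a constructed sample:
// PII field names come from sections 5.1/5.2; 'viewFinancials' and the
// non-PII fields are hypothetical.
const FIELD_POLICY = {
  player: {
    public: ['playerId', 'country', 'registeredAt'],
    viewPlayerPII: ['email', 'name', 'nickname', 'ip'],
    viewFinancials: ['deposits'],
  },
  partner: {
    public: ['partnerId', 'company'],
    viewPartnerContacts: ['email', 'phone', 'telegram', 'skype'],
    viewFinancials: ['commission'],
  },
};

// Classify one field of a record kind: 'public', the permission that gates
// it, or null when the field is not covered by the policy at all.
function classifyField(kind, field) {
  for (const [bucket, fields] of Object.entries(FIELD_POLICY[kind])) {
    if (fields.includes(field)) return bucket;
  }
  return null;
}

// Allowlist redaction: keep a field only if it is public or the caller holds
// the permission that gates it. Unknown fields are dropped as well, so a new
// column added to a tool later never leaks by accident.
function redactRecord(kind, record, permissions) {
  if (!Object.prototype.hasOwnProperty.call(FIELD_POLICY, kind)) {
    throw new Error(`no field policy for record kind "${kind}"`); // fail closed
  }
  const kept = {};
  const removed = [];
  for (const [field, value] of Object.entries(record)) {
    const bucket = classifyField(kind, field);
    if (bucket === 'public' || (bucket !== null && permissions.has(bucket))) {
      kept[field] = value;
    } else {
      removed.push(field);
    }
  }
  return { kept, removed };
}

// Apply to a whole tool result ({ kind, rows }) before the language model
// sees it; the assistant can only summarise what the user may see.
function redactToolResult(result, permissions) {
  const perRow = result.rows.map((row) => redactRecord(result.kind, row, permissions));
  return {
    kind: result.kind,
    rows: perRow.map((r) => r.kept),
    removedFields: [...new Set(perRow.flatMap((r) => r.removed))].sort(),
  };
}

// Constructed sample of what a "list players" tool might return internally.
const SAMPLE_PLAYERS = {
  kind: 'player',
  rows: [
    { playerId: 'p1', country: 'GE', email: 'p1@example.com', name: 'Ana',
      nickname: 'ana1', ip: '203.0.113.7', deposits: 120, internalNote: 'vip?' },
  ],
};

// Usage: a caller with only viewFinancials sees identifiers and deposits, not PII.
console.log(JSON.stringify(redactToolResult(SAMPLE_PLAYERS, new Set(['viewFinancials']))));
```

Two points worth keeping when adapting this: redaction runs on the tool result before it reaches the model rather than on the model's answer afterwards, and an unknown record kind raises instead of passing data through, so a new tool cannot bypass the policy by omission.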

6. Secret Management

7. Background Worker Security

Muxbe uses a managed task queue for scheduled background processing (e.g., daily statistics collection). These workers are protected by multiple authentication layers:

This multi-layer approach means that even if one verification step were bypassed, the others would still block unauthorized execution.

8. Audit Logging

9. Data Retention & Deletion

We retain data for as long as needed to provide the service, and we have automated cleanup for certain data types:

9.1 Deletion Capabilities

10. Platform Operator Access

10.1 When Operator Access Is Used

Superadmin access is used only for legitimate platform operations:

10.2 What Operator Access Is NOT Used For

The platform operator does not access customer data for:

10.3 Safeguards

10.4 The Honest Reality

In large companies, operator access is governed by formal internal policies, access review boards, and separation-of-duties controls. Muxbe is a solo-operated platform, so we cannot offer that same organizational structure. What we can offer is:

11. What We Do NOT Claim

We think it is just as important to tell you what we have not done as what we have:

We are continuously improving our security posture. If certifications or audits become relevant to our customers, we will pursue them and update this page accordingly.

12. Incident Response

If we become aware of a security breach that affects your data, we will:

  1. Notify you within 72 hours where feasible, as required by GDPR Article 33;
  2. Describe the nature of the breach and the categories of data affected;
  3. Explain the measures we have taken or plan to take to address the breach and mitigate its effects;
  4. Provide a point of contact for follow-up questions.

We will keep you updated as we learn more. We will not wait until we have all the answers to begin communicating — timely, honest updates matter more than a polished post-mortem.

13. Responsible Disclosure

If you discover a security vulnerability in Muxbe, we ask that you report it responsibly:

We appreciate security researchers who help us improve. We will acknowledge your report and work to resolve confirmed vulnerabilities promptly.

14. Your Responsibilities

Security is a shared responsibility. As a Muxbe customer, you play an important role:

15. Changes to This Policy

We may update this Security & Access Policy from time to time as we improve our security practices or as our infrastructure evolves. Material changes will be communicated via email to account holders. The effective date at the top of this page reflects the latest revision.

16. Contact

For security concerns, vulnerability reports, or questions about this policy: