Security
Last updated: March 30, 2026
Security in all forms is a cornerstone of the Mutual Friend platform. We recognize that our products manage sensitive financial data across theatrical productions. For investors, it holds deeply private financial information. For producers, it carries the weight of fiduciary, regulatory, and operational integrity required to manage capital without compromise.
Bank-Grade Encryption
AES-256 for data at rest and HTTPS/TLS for all traffic in transit.
Data Isolation
Strict database-level policies ensure your documents remain fully isolated.
Secure Access
Passwordless authentication via magic-links mitigates password theft.
Industry Standards
Engineered to OWASP Top 10 guides and tracking towards SOC 2 Type II.
This document describes the security safeguards Mutual Friend puts in place to protect you and your data. We adhere to industry-standard protocols, including the OWASP Top 10, and we are working towards SOC Type II compliance to ensure we meet rigorous security frameworks.
1. Data Security & Encryption
Encryption in Transit and At Rest
Data is encrypted both at rest and in transit. We use AES-256 encryption at rest so that data stored in our systems remains inaccessible to anyone who obtains the underlying storage media or a raw copy of it. All communications between your browser and our servers take place over HTTPS using TLS, protecting your information from interception or tampering on the network. Encryption at rest protects stored data; who may read it through the application is governed by the access controls described in section 3.
Mutual Friend will not share your data with third parties unless you have given explicit approval. For more information, see our Privacy Policy.
2. Infrastructure & Cloud Security
Mutual Friend products run on industry-leading cloud infrastructure. Our cloud environment includes active monitoring, system-wide logging, and rigorous compliance controls.
Backups & Disaster Recovery
We perform regular, automated backups to ensure data is safely recoverable in the event of media failure or other catastrophic scenarios.
3. Access Control & Authentication
Multi-level Permissions
Access to sensitive operations within the Mutual Friend platform is heavily gated. Users sign in to Mutual Friend either with a passwordless "magic-link" login (a one-time link sent to the email address on the account) or through standard OAuth2 flows. Because no Mutual Friend password exists, there is nothing for an attacker to phish, reuse, or credential-stuff; the security of a magic-link login then rests on the security of the user's email account and on the link being short-lived and single-use.
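To make the "short-lived and single-use" property concrete, here is an illustrative Postgres pattern for issuing and redeeming magic-link tokens. This is an added example, not Mutual Friend's own code or schema; the table name `magic_links`, the 15-minute lifetime, the hex-encoded token parameter `$1` and the user id parameter `$2` are assumptions for the example. The application is assumed to generate 32 random bytes, email the hex form to the user, and keep nothing but a SHA-256 hash in the database.

```sql
-- Illustrative table (example, not the platform's schema). Only a hash of the
-- token is stored, so reading the table does not yield a usable link.
CREATE TABLE magic_links (
  token_hash  bytea        PRIMARY KEY,   -- sha256 of the raw 32-byte token
  user_id     uuid         NOT NULL,
  expires_at  timestamptz  NOT NULL,
  used_at     timestamptz                 -- NULL until the link is redeemed
);

-- Issue: $1 is the hex-encoded random token the app just emailed to the user,
-- $2 is the user's id. The row expires 15 minutes after issue (assumed value).
INSERT INTO magic_links (token_hash, user_id, expires_at)
VALUES (sha256(decode($1, 'hex')), $2, now() + interval '15 minutes');

-- Redeem: a single UPDATE claims the row only if it is unexpired and unused.
-- Because only one UPDATE can move used_at from NULL to non-NULL, two requests
-- presenting the same link concurrently cannot both succeed; the second sees
-- no row returned and is rejected. The app creates the session only if this
-- statement returns exactly one user_id.
UPDATE magic_links
   SET used_at = now()
 WHERE token_hash = sha256(decode($1, 'hex'))
   AND used_at IS NULL
   AND expires_at > now()
RETURNING user_id;

-- Housekeeping: expired and consumed rows carry no value and can be purged.
DELETE FROM magic_links
 WHERE expires_at < now() - interval '1 day';
```

Looking up by the hash rather than the raw token, and doing the expiry and single-use checks inside the same statement that marks the row used, are the two details that matter; checking in one statement and updating in another leaves a window in which the same link can be redeemed twice.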
Data Isolation
To maintain privacy across investments, Mutual Friend strictly isolates access so that investors only see their associated productions and documents. This isolation is enforced at the database level rather than only in application code: every query run on behalf of an investor is filtered by database access policies, so a request that asks for another investor's or an unrelated production's data returns nothing, even if the request names the record directly.
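The following is an added illustration of what "enforced at the database level" can look like, using Postgres row-level security. It is example code written for this page, not Mutual Friend's actual schema or policies; the table names `productions`, `investor_productions` and `documents`, the role `app_user`, the session setting `app.investor_id` and the sample rows are all constructed for the example.

```sql
-- Illustrative schema (example only): productions, investor memberships,
-- and the documents attached to each production.
CREATE TABLE productions (
  id     bigint PRIMARY KEY,
  title  text   NOT NULL
);
CREATE TABLE investor_productions (
  investor_id    uuid   NOT NULL,
  production_id  bigint NOT NULL REFERENCES productions(id),
  PRIMARY KEY (investor_id, production_id)
);
CREATE TABLE documents (
  id             bigint PRIMARY KEY,
  production_id  bigint NOT NULL REFERENCES productions(id),
  filename       text   NOT NULL
);

-- Constructed sample data: investor 1111... belongs to production 1,
-- investor 2222... to production 2.
INSERT INTO productions VALUES (1, 'Show A'), (2, 'Show B');
INSERT INTO investor_productions VALUES
  ('11111111-1111-1111-1111-111111111111', 1),
  ('22222222-2222-2222-2222-222222222222', 2);
INSERT INTO documents VALUES
  (10, 1, 'show-a-k1.pdf'),
  (20, 2, 'show-b-k1.pdf');

-- The API connects as a role that is not the table owner and has no
-- BYPASSRLS, so the policies below are its only path to the rows.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT ON productions, investor_productions, documents TO app_user;

ALTER TABLE productions          ENABLE ROW LEVEL SECURITY;
ALTER TABLE investor_productions ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents            ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policies to the table owner as well, closing the
-- common gap where the app happens to connect as the owner.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The API sets the authenticated investor for each transaction. If the
-- setting is absent, current_setting(..., true) yields NULL, the comparison
-- is never true, and no rows are visible: the policy fails closed.
CREATE POLICY investor_sees_own_memberships ON investor_productions
  FOR SELECT TO app_user
  USING (investor_id = current_setting('app.investor_id', true)::uuid);

CREATE POLICY investor_sees_own_productions ON productions
  FOR SELECT TO app_user
  USING (EXISTS (
    SELECT 1 FROM investor_productions ip
     WHERE ip.production_id = productions.id
       AND ip.investor_id = current_setting('app.investor_id', true)::uuid));

CREATE POLICY investor_sees_own_documents ON documents
  FOR SELECT TO app_user
  USING (EXISTS (
    SELECT 1 FROM investor_productions ip
     WHERE ip.production_id = documents.production_id
       AND ip.investor_id = current_setting('app.investor_id', true)::uuid));

-- Check: acting as the app role scoped to investor 1111..., a direct query
-- for production 2's documents returns zero rows, and an unscoped query
-- returns only document 10.
BEGIN;
SET ROLE app_user;
SET LOCAL app.investor_id = '11111111-1111-1111-1111-111111111111';
SELECT id, filename FROM documents WHERE production_id = 2;  -- 0 rows
SELECT id, filename FROM documents;                          -- 10, show-a-k1.pdf
SELECT id, filename FROM documents WHERE id = 20;            -- 0 rows
RESET ROLE;
COMMIT;
```

The check at the end is the part worth keeping in a test suite: it asserts the property from the paragraph above (an investor cannot retrieve another production's document even by id) against the database itself, independent of whatever the application layer does.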
4. Application Security
OWASP Top 10 Guidelines
Our engineering team treats privacy and security as requirements at every step of the development process. Application design and review decisions are checked against the OWASP Top 10 categories of risk.
Monitoring and Incident Response
Mutual Friend actively monitors its environments for suspicious behavior. Every view and download of a document is logged within the platform, so access to sensitive material can be reconstructed after the fact. In the rare event of a security incident, Mutual Friend maintains comprehensive incident management procedures. We prioritize containment and remediation according to severity, and ensure any impacted customers are supported and properly informed.
5. Security Culture
Administrative Access
Only a small, vetted subset of Mutual Friend employees have access to production environments. Access is governed by the principles of least privilege and need-to-know, so that each person's access matches their responsibilities. All team members must use two-factor authentication for any product, administrative, or infrastructure credentials.
For further questions about our security practices or to report a vulnerability, please reach out to: security@mutualfriend.nyc