Last updated: April 2026
Cybersecurity Policy
1. Purpose and Scope
This Cybersecurity Policy establishes the standards, controls, and procedures that Slopshop Inc. (d/b/a "Mithril") implements to protect the confidentiality, integrity, and availability of platform infrastructure, user data, and digital assets. This policy applies to all systems, networks, applications, and personnel involved in the operation of the Mithril platform.
2. Authentication and Access Control
Mithril uses Clerk as its authentication provider for all user-facing identity and session management. The following controls are enforced:
- Multi-Factor Authentication (MFA) — MFA is available for all user accounts and required for administrative accounts. Supported methods include TOTP authenticator apps and WebAuthn/passkey hardware tokens.
- Session Management — User sessions are managed by Clerk with configurable expiration policies. Sessions are bound to device fingerprints and automatically invalidated on password change or suspicious activity detection.
- Role-Based Access Control (RBAC) — Administrative endpoints and internal tools are protected by role-based permissions. The platform enforces a least-privilege model: users are granted only the minimum permissions required for their role (user, admin).
- API Key Management — Programmatic access is governed by API keys with scoped permissions, rate limits, and automatic rotation capabilities. API keys are stored as salted hashes and never logged in plaintext.
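The following is an added example, not Mithril's own code, showing what the API key controls above look like in practice: a key is issued with scopes and a per-key rate limit, only a per-key salted scrypt hash of its secret is stored, verification uses a constant-time comparison, the secret is redacted before anything reaches a log, and rotation issues a replacement and revokes the old record. The record shape, the "mk_" prefix, the "<keyId>.<secret>" layout and the in-memory lookup are assumptions made for the example.

```typescript
// Added example (not Mithril's code). The ApiKeyRecord shape, the "mk_" prefix and the
// keyId.secret layout are assumptions; only the hashing/verification pattern matters.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

export type Scope = "read" | "trade" | "admin";

export interface ApiKeyRecord {
  keyId: string;              // public lookup id; safe to log
  salt: string;               // per-key random salt (hex)
  hash: string;               // scrypt(secret, salt) as hex; the secret itself is never stored
  scopes: Scope[];
  rateLimitPerMinute: number;
  revokedAt: number | null;   // epoch ms, or null while the key is active
}

const PREFIX = "mk_";         // assumed prefix so leaked keys are recognisable to secret scanners
const HASH_BYTES = 32;

function deriveHash(secret: string, salt: Buffer): Buffer {
  // scrypt with Node's default cost parameters (N=16384, r=8, p=1)
  return scryptSync(secret, salt, HASH_BYTES);
}

/** Create a key. The plaintext is returned exactly once and must not be persisted. */
export function issueApiKey(scopes: Scope[], rateLimitPerMinute = 100): { plaintext: string; record: ApiKeyRecord } {
  const keyId = randomBytes(6).toString("hex");            // 12 hex chars
  const secret = randomBytes(32).toString("base64url");    // 256 bits of entropy
  const salt = randomBytes(16);
  const record: ApiKeyRecord = {
    keyId,
    salt: salt.toString("hex"),
    hash: deriveHash(secret, salt).toString("hex"),
    scopes: [...scopes],
    rateLimitPerMinute,
    revokedAt: null,
  };
  return { plaintext: `${PREFIX}${keyId}.${secret}`, record };
}

/** Split "mk_<keyId>.<secret>"; returns null for anything malformed. */
export function parseApiKey(presented: string): { keyId: string; secret: string } | null {
  if (!presented.startsWith(PREFIX)) return null;
  const dot = presented.indexOf(".", PREFIX.length);
  if (dot < 0) return null;
  const keyId = presented.slice(PREFIX.length, dot);
  const secret = presented.slice(dot + 1);
  if (!/^[0-9a-f]{12}$/.test(keyId) || secret.length === 0) return null;
  return { keyId, secret };
}

/** Authenticate a presented key and confirm it carries the scope the endpoint requires. */
export function verifyApiKey(
  presented: string,
  lookup: (keyId: string) => ApiKeyRecord | undefined,
  requiredScope: Scope,
  now: number = Date.now(),
): ApiKeyRecord | null {
  const parsed = parseApiKey(presented);
  if (!parsed) return null;
  const record = lookup(parsed.keyId);
  if (!record || (record.revokedAt !== null && record.revokedAt <= now)) return null;
  const expected = Buffer.from(record.hash, "hex");
  const actual = deriveHash(parsed.secret, Buffer.from(record.salt, "hex"));
  // timingSafeEqual throws on a length mismatch, so compare lengths first
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;
  return record.scopes.includes(requiredScope) ? record : null;
}

/** The only form of a key that may appear in a log line: key id, never the secret. */
export function redactForLog(presented: string): string {
  const parsed = parseApiKey(presented);
  return parsed ? `${PREFIX}${parsed.keyId}.[REDACTED]` : "[malformed-key]";
}

/** Rotate: revoke the old record in place and issue a replacement with the same scopes. */
export function rotateApiKey(old: ApiKeyRecord, now: number = Date.now()): { plaintext: string; record: ApiKeyRecord } {
  old.revokedAt = now;
  return issueApiKey(old.scopes, old.rateLimitPerMinute);
}
```

Because the key id is a separate, non-secret field, the database lookup can be an indexed equality match while the secret is still only ever compared through its salted hash. For 256-bit random secrets the salt mainly defends against precomputed tables if the hash column leaks; what matters more is that the plaintext is never written anywhere after issuance.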
3. Data Protection and Encryption
All data handled by the Mithril platform is classified and protected according to its sensitivity:
- Encryption in Transit — All network communications use TLS 1.3. HTTP Strict Transport Security (HSTS) headers are enforced. API endpoints reject non-TLS connections.
- Encryption at Rest — All data stored in Supabase (PostgreSQL) is encrypted at rest using AES-256-GCM. Database backups are encrypted with separate key material managed by Supabase's infrastructure.
- Row-Level Security (RLS) — Supabase RLS policies are enforced on all tables containing user-specific data. Each query is scoped to the authenticated user's ID, preventing cross-account data access at the database level. RLS policies are defined in schema.sql and version-controlled. Note that Supabase evaluates RLS against the caller's JWT; requests made with the service-role key bypass RLS entirely, so that key is limited to server-side code.
- Secret Management — All secrets (API keys, database credentials, third-party tokens) are stored as environment variables in Vercel's encrypted secret store and never committed to source control.
4. Rate Limiting and Abuse Prevention
The platform employs multi-layered rate limiting to prevent abuse, denial-of-service attacks, and automated exploitation:
- API Rate Limits — All API endpoints enforce per-user and per-IP rate limits. Default limits are 100 requests per minute for authenticated users and 20 requests per minute for unauthenticated requests. Trade-related endpoints have stricter limits (30 requests per minute).
- DDoS Mitigation — Vercel's edge network provides automatic DDoS protection, including geographic distribution, connection limiting, and challenge pages for suspicious traffic patterns.
- Bot Detection — Automated traffic is identified and throttled using behavioral analysis. Legitimate API consumers must authenticate with API keys.
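The limits stated above, as an added example that is not Mithril's own code: a sliding-window limiter that keys authenticated requests by user (100 per minute, or 30 per minute when the path is a trade endpoint) and unauthenticated requests by source IP (20 per minute), and reports a Retry-After interval when it denies. The request shape, the "/api/trade" route prefix, the choice to apply the per-IP rule only to unauthenticated callers, and the in-memory store are all assumptions.

```typescript
// Added example (not Mithril's code). RequestInfo, the "/api/trade" prefix and the
// in-memory Map are assumptions; the limits are the ones this policy states.
export interface RateLimitRule { name: string; limit: number; windowMs: number }

export const RULES: Record<"authenticated" | "unauthenticated" | "trade", RateLimitRule> = {
  authenticated:   { name: "authenticated",   limit: 100, windowMs: 60_000 },
  unauthenticated: { name: "unauthenticated", limit: 20,  windowMs: 60_000 },
  trade:           { name: "trade",           limit: 30,  windowMs: 60_000 },
};

export interface RequestInfo {
  userId: string | null;   // assumed: set once the session/API key has been authenticated
  ip: string;
  path: string;
}

export interface Decision { allowed: boolean; rule: string; remaining: number; retryAfterMs: number }

/** Choose the rule and the counter key that govern a request. */
export function selectRule(req: RequestInfo): { rule: RateLimitRule; key: string } {
  if (req.userId === null) {
    // unauthenticated traffic has no stable identity, so it is counted per source IP
    return { rule: RULES.unauthenticated, key: `ip:${req.ip}` };
  }
  const isTrade = req.path.startsWith("/api/trade");   // assumed route prefix
  const rule = isTrade ? RULES.trade : RULES.authenticated;
  // separate counters per rule so trade traffic does not eat the general budget
  return { rule, key: `user:${req.userId}:${rule.name}` };
}

export class SlidingWindowLimiter {
  private readonly hits = new Map<string, number[]>();
  // injectable clock so the window boundary can be tested deterministically
  constructor(private readonly now: () => number = Date.now) {}

  check(req: RequestInfo): Decision {
    const { rule, key } = selectRule(req);
    const t = this.now();
    // drop timestamps that have aged out of the window
    const recent = (this.hits.get(key) ?? []).filter((ts) => t - ts < rule.windowMs);
    if (recent.length >= rule.limit) {
      this.hits.set(key, recent);
      // the oldest hit in the window is the first one that will expire
      return { allowed: false, rule: rule.name, remaining: 0, retryAfterMs: recent[0] + rule.windowMs - t };
    }
    recent.push(t);
    this.hits.set(key, recent);
    return { allowed: true, rule: rule.name, remaining: rule.limit - recent.length, retryAfterMs: 0 };
  }
}
```

A denied request does not consume budget, and retryAfterMs maps directly onto a Retry-After header. On a serverless platform each function instance has its own memory, so a Map like this only limits within one instance; enforcing the policy's limits across the fleet needs the counters in a shared store that every instance reads and writes.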
5. Smart Contract Security
Mithril deploys smart contracts on the Base blockchain (Ethereum L2). The following security measures are applied to all deployed contracts:
- Audit Readiness — All contracts (PredictionMarket, PredictionFactory, WrappedEquity, EquityFactory, OTCEscrow) are developed following Solidity best practices including checks-effects-interactions, reentrancy guards, and explicit visibility modifiers.
- Testing — Smart contracts are tested using Hardhat with comprehensive unit and integration test suites covering edge cases, overflow scenarios, and access control validation.
- Upgrade Pattern — Contracts are designed with minimal upgradeability. Where upgrades are necessary, time-locked proxy patterns with multi-sig governance are used.
- Non-Custodial Architecture — The platform never holds or controls user funds. All trades settle atomically on-chain through user wallets, eliminating custodial risk.
6. Infrastructure Security
- Hosting — The platform is hosted on Vercel's global edge network with automatic SSL, geographic redundancy, and isolated serverless function execution.
- Database — Supabase provides managed PostgreSQL with automated backups, point-in-time recovery, and network isolation. Database connections use connection pooling with PgBouncer.
- Dependency Management — Third-party dependencies are regularly audited using npm audit. Known vulnerable packages are patched or replaced within 48 hours of disclosure.
- Logging and Monitoring — All API requests, authentication events, and administrative actions are logged in the audit_log table. Anomalous patterns trigger alerts for manual review.
7. Incident Response
Mithril maintains an incident response plan with the following phases:
- Detection — Automated monitoring and alerting for anomalous activity, unauthorized access attempts, and system integrity violations.
- Containment — Immediate isolation of affected systems. API keys and sessions can be globally revoked within minutes.
- Eradication — Root cause analysis and remediation of the vulnerability or attack vector.
- Recovery — Restoration of services from verified backups with integrity validation.
- Notification — Affected users are notified within 72 hours of confirmed data breaches, in compliance with applicable data breach notification laws.
8. Responsible Disclosure
Mithril welcomes responsible security research. If you discover a vulnerability, please report it to security@mithril.pro. We commit to acknowledging reports within 48 hours, providing an initial assessment within 5 business days, and not pursuing legal action against good-faith researchers who follow responsible disclosure practices.
9. Contact
For questions about this policy, contact security@mithril.pro.