Security at Moral Fabric
We take the security of your organization's data seriously. Here's how we approach it.
Thin by Design
Our architecture is our strongest security feature.
Moral Fabric is intentionally thin. We don't store your organization's sensitive data. We connect and coordinate the tools you already use.
Your project data lives in Asana. Your files live in Google Workspace. Your conversations live in Slack. We link to that data and help you see the big picture, but we never copy or warehouse it.
This means Moral Fabric is a smaller target. We hold the structure of your organization — roles, teams, relationships — not the substance — documents, messages, credentials. If our systems were ever compromised, your sensitive operational data wouldn't be at risk, because it was never here.
What We Do Store
We believe in being honest about the minimal data we hold.
Account information
Name, email address, and profile photo.
Workspace structure
Team names, role titles, and who fills which role.
Integration tokens
Encrypted OAuth tokens that let us connect to your tools on your behalf.
360° feedback responses
Submitted through our platform, visible only to the intended recipient and people they choose to share with.
We do not store:
Passwords (we use OAuth and passkeys), payment information, or copies of your documents and messages.
How We Protect Your Data
Encryption
All data is encrypted in transit (TLS/HTTPS) and at rest. Integration tokens are encrypted before storage.
Workspace Isolation
Every database query is scoped to your workspace. One organization can never see another's data.
Authentication
Google OAuth and passkeys (WebAuthn). No passwords to leak or phish.
Security Headers
HSTS, content type protection, frame protection, and strict referrer policies on all responses.
Infrastructure
Hosted in Europe. Error monitoring via Sentry. Automated security scanning as part of our development process.
Minimal Surface Area
We link to your tools instead of duplicating data. Less data stored means less data at risk.
Responsible Disclosure
We welcome security researchers who help us keep Moral Fabric safe.
How to Report
Email security@moralfabric.org with a description of the issue, steps to reproduce, and any relevant screenshots or logs. We aim to acknowledge reports within 48 hours.
In Scope
- app.moralfabric.org
- api.moralfabric.org
- moralfabric.org
Out of Scope
- Social engineering or phishing
- Denial of service attacks
- Third-party services (Asana, Slack, etc.)
- Automated scanning without coordination
Safe Harbor
We will not take legal action against researchers who act in good faith, report vulnerabilities responsibly, and do not access or modify other users' data. We consider security research conducted in line with this policy to be authorized.
Contact
For security concerns, reach us at security@moralfabric.org.