Security
How MRX protects your data
End-to-End Encryption
All evidence files and sensitive descriptions are encrypted client-side using AES-256-GCM before being transmitted to our servers. Encryption keys never leave your browser in plaintext. MRX operators cannot decrypt your files.
Key Management
Each organization has an ECDH keypair. The private key is wrapped using a Key Encryption Key (KEK) derived from your passkey's PRF extension output via HKDF-SHA256. A password-based backup wrapping is also available for recovery scenarios. At no point does MRX have access to your unwrapped private key.
Passkeys & WebAuthn
MRX uses WebAuthn passkeys for authentication, providing phishing-resistant, passwordless login. The PRF extension is used to derive cryptographic material directly from your authenticator, tying encryption key access to biometric verification.
Privacy-Preserving Matching
Customer identifiers (phone, email, name) are normalized and then HMAC-hashed with a server-side pepper before storage. Raw identifiers are never stored in the database. POS risk lookups return only risk scores and advisory messages — no personal information.
Tamper-Evident Audit
Every action on the platform is recorded in an append-only audit log. Each entry includes a chain hash (SHA-256 of the previous hash concatenated with the current entry), creating a tamper-evident chain. Database triggers prevent any modification or deletion of audit records.
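An added example, not MRX's own code: a verifier for a chain built as described above, reporting where the chain first breaks. The all-zero genesis value, the sorted-key JSON serialization, hex encoding, the field names `entry` and `chain_hash`, and the sample records are assumptions, since the page does not specify them.

```javascript
const crypto = require('node:crypto');

// Assumption: the first record chains from 32 zero bytes.
const GENESIS = '00'.repeat(32);

// Assumption: flat entries serialized as JSON with sorted keys, so equal
// entries always produce identical bytes.
const canonical = (entry) => JSON.stringify(entry, Object.keys(entry).sort());

// chain_hash = SHA-256(previous chain hash || current entry)
function chainHash(prevHex, entry) {
  return crypto.createHash('sha256')
    .update(Buffer.from(prevHex, 'hex'))
    .update(canonical(entry), 'utf8')
    .digest('hex');
}

function appendEntry(log, entry) {
  const prev = log.length ? log[log.length - 1].chain_hash : GENESIS;
  log.push({ entry, chain_hash: chainHash(prev, entry) });
}

// Returns -1 if the chain is intact, the index of the first record whose
// stored hash does not match the recomputed one, or log.length if every link
// is consistent but the final hash differs from a head hash that was
// recorded outside the database (trustedHead, optional).
function verifyChain(log, trustedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    if (chainHash(prev, log[i].entry) !== log[i].chain_hash) return i;
    prev = log[i].chain_hash;
  }
  return trustedHead !== undefined && prev !== trustedHead ? log.length : -1;
}

// Constructed sample records, for illustration only.
function sampleLog() {
  const log = [];
  appendEntry(log, { seq: 1, actor: 'user-a', action: 'evidence.upload' });
  appendEntry(log, { seq: 2, actor: 'user-b', action: 'evidence.view' });
  appendEntry(log, { seq: 3, actor: 'user-a', action: 'case.close' });
  return log;
}
```

Link-by-link checking alone cannot notice a truncated tail or a chain whose hashes were all recomputed after an edit; comparing the final hash against a copy kept outside the database covers both cases.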
Infrastructure
MRX runs on Cloudflare Workers for edge computing. Evidence files are stored in Cloudflare R2. The database is Postgres with encrypted connections. All traffic is HTTPS with HSTS. Rate limiting protects against abuse.