Security at Miru.

Your billing data is sensitive. We treat it that way. Here's exactly how.

Infrastructure

Encrypted everywhere

Data encrypted at rest and in transit. TLS 1.3 for every connection. AES-256 for stored data. No exceptions, no opt-outs.

PostgreSQL with daily backups

Your data lives in PostgreSQL with automated daily backups, point-in-time recovery, and geo-redundant storage. We can restore to any point in the last 30 days.

Enterprise-grade hosting

Hosted on enterprise-grade infrastructure with automated failover, DDoS protection, and 99.9% uptime SLA. We monitor everything, 24/7.

Authentication

Session-based authentication with secure token rotation. OAuth via Google for teams that use it. The CLI uses dedicated bearer tokens scoped to your account, revocable anytime from the web UI. No shared secrets. No API keys floating around in Slack channels.
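The account-scoped, revocable CLI token described above is usually built the same way regardless of product: generate a high-entropy random token, show it once, store only its digest, and check revocation on every request. The Ruby below is an added example, not Miru's code, and makes no claim about Miru's implementation; the class name, the "miru_" prefix, the in-memory store and the labels are assumptions for illustration.

```ruby
require "securerandom"
require "openssl"

# Added example (not Miru's code): a minimal store for CLI bearer tokens.
# Only a SHA-256 digest of each token is persisted, each token is tied to
# one account, and tokens can be revoked by label (as a web UI would do).
class TokenStore
  Record = Struct.new(:account_id, :digest, :label, :revoked_at, :created_at)

  def initialize
    @records = {} # digest => Record (an assumed in-memory stand-in for a DB table)
  end

  # Issue a token for an account. The raw token is returned once for the user
  # to copy into the CLI; only its digest is stored, so a leaked database
  # does not yield usable tokens.
  def issue(account_id, label:)
    raw = "miru_" + SecureRandom.urlsafe_base64(32) # 256 bits of entropy; prefix is assumed
    rec = Record.new(account_id, digest(raw), label, nil, Time.now)
    @records[rec.digest] = rec
    raw
  end

  # Resolve a presented token to an account id, or nil if it is unknown or
  # revoked. Looking up by digest means the secret itself is never compared
  # byte-by-byte against stored values.
  def authenticate(raw)
    return nil unless raw.is_a?(String) && raw.start_with?("miru_")
    rec = @records[digest(raw)]
    return nil if rec.nil? || rec.revoked_at
    rec.account_id
  end

  # Revoke all live tokens with this label for this account. Scoping the
  # query to account_id means one account can never revoke another's tokens.
  # Returns the number of tokens revoked.
  def revoke(account_id, label:)
    hits = @records.values.select do |r|
      r.account_id == account_id && r.label == label && r.revoked_at.nil?
    end
    hits.each { |r| r.revoked_at = Time.now }
    hits.size
  end

  # Extract the token from an HTTP Authorization header, or nil if the header
  # is absent or not a Bearer credential.
  def self.bearer_from_header(value)
    m = /\ABearer[ \t]+(\S+)\z/.match(value.to_s)
    m && m[1]
  end

  private

  def digest(raw)
    OpenSSL::Digest::SHA256.hexdigest(raw)
  end
end

if __FILE__ == $PROGRAM_NAME
  store = TokenStore.new
  token = store.issue(42, label: "work laptop")
  header = "Authorization: Bearer #{token}"
  presented = TokenStore.bearer_from_header(header.sub("Authorization: ", ""))
  puts "account: #{store.authenticate(presented).inspect}"   # 42
  store.revoke(42, label: "work laptop")
  puts "after revoke: #{store.authenticate(presented).inspect}" # nil
end
```

The two properties worth checking in any real implementation are the ones the test below exercises: a revoked token stops working immediately, and a revocation request scoped to the wrong account touches nothing.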

Access control

Five roles with least-privilege access. Employees can't see client rates. Bookkeepers can't modify team settings. Clients see only their own invoices. Every permission boundary exists because we asked: "Does this person actually need to see this?" If the answer was no, they can't.

Open source advantage

Every line of Miru's code is auditable on GitHub. No security through obscurity. No hidden data collection. No mystery endpoints. If you want to know exactly what Miru does with your data, read the code. It's right there.

Self-hosted option

For maximum control, self-host Miru on your own infrastructure. Your servers, your database, your network. Nothing leaves your environment. Deploy with Docker in minutes. Full setup guides for macOS, Ubuntu, and Windows in the docs.

Responsible disclosure

Found a vulnerability? Email security@saeloun.com. We respond within 24 hours. We take every report seriously, investigate immediately, and credit researchers in our security advisories. Don't post it on Twitter. Email us first.

Compliance

SOC 2 Type II in progress. GDPR compliant -- we process data lawfully, minimize collection, and honor deletion requests. Data processing addendum available on request for enterprise customers. If your compliance team needs something specific, reach out. We'll work with you.

Questions about security?

We'll answer anything. No NDAs required to ask.
