Security & Trust

Security at Manthan

Anonymous retrospectives are a sensitive category. Here's how we keep your team's data safe.

Anonymity architecture

Feedback in Manthan is always tagged with a device fingerprint (via FingerprintJS), never with a user ID. Even an administrator of a board cannot trace a submission back to a person. This is enforced at the schema level — feedback rows have no user_id column. It is an architectural guarantee, not a configurable setting.

Encryption

All traffic to Manthan flows over TLS 1.2 or higher. Data at rest is encrypted by Supabase using AES-256. Integration tokens (Jira and Azure DevOps OAuth credentials) are encrypted at rest before being written to our database, scoped to a single workspace, and rotated automatically when the upstream provider requires it.

Authentication

Manthan uses magic-link sign-in only. No passwords are ever stored, anywhere — not in our database, not in logs, not in transit. Sessions are managed by Supabase Auth with rotating refresh tokens. Soft-deleted accounts are blocked from re-authenticating at the auth layer.

Access control

Workspaces are isolated via Postgres Row-Level Security. A user in one workspace cannot read or write any data belonging to another. Within a workspace, members have either admin or member roles. Our own internal operations console is gated by a single-use passkey, enforces a 2-minute idle timeout, and writes an audit log entry for every mutating action.

Data retention

Active workspace data is retained for the lifetime of the subscription. When a workspace is deleted, it is hard-deleted immediately and cascades through all boards, feedback, votes, action items, and integrations. Soft-deleted user accounts are purged on a scheduled basis.

Incident response

If we detect a breach affecting your data, we will notify affected workspace administrators by email within 72 hours — the GDPR Article 33 timeline. Customers who suspect a security issue should report it to support@craskey.com.

Subprocessors

The third-party services Manthan relies on to deliver the product. Each handles a narrow, named role.

Supabase
Database, authentication, real-time updates
Vercel
Application hosting and edge delivery
Groq
AI moderation inference for submitted feedback
Resend
Transactional email (magic links, invites, billing)
Razorpay
Payment processing for plan subscriptions (INR)
FingerprintJS
Device fingerprinting for anonymous voting and submission

What you can do

Admin controls available to every workspace owner.

  • Workspace member roles (admin / member)
  • Board visibility: public link, workspace-only, or passcode-protected
  • Export all workspace data as JSON from Settings → Data
  • Delete your workspace from Settings → Data (cascades all children)
  • Revoke any integration token (Jira, Azure DevOps) from Settings → Integrations

Responsible disclosure

Found a vulnerability? Email support@craskey.com with the details and a reproduction. We respond within 48 hours and will keep you informed through resolution.