Mihro is designed to help residential complexes manage operations securely across residents, administrators, staff members, and platform-level users.

Security is especially important because Mihro may handle resident profiles, building and apartment information, package records, access-related logs, service requests, complaints, incidents, visitor passes, and shared-area camera access where enabled.

This page explains the security principles and safeguards used by Mihro.

Mihro is built as a multi-tenant platform.

Each residential complex or customer environment is separated from other complexes. Users should only access data that belongs to their own complex or to the organization they are authorized to manage.

Tenant isolation is enforced through backend access control, tenant-scoped database records, authenticated API requests, and role-based permissions.

Mihro uses role-based permissions to control what each user can see and do.

Common roles include:

- platform administrator; - complex administrator; - staff member; - resident; - household member.

Complex administrators can manage operational data for their own complex. Residents can access resident-facing features for their own apartment, household, requests, packages, notifications, and enabled modules. Staff members may only access work or tasks assigned to them.

Sensitive actions are checked by backend permissions and are not controlled only by the frontend interface.

Certain features may only be available to approved or verified residents.

Examples may include:

- gate access; - entrance or intercom access; - guest passes; - camera center; - facility reservations; - resident-only documents; - household member invitations.

Pending, rejected, inactive, or unverified users may have limited access based on complex settings.

Mihro uses authenticated sessions and protected API requests to control access.

Authentication may include access tokens, refresh/session handling, secure storage, and logout flows depending on whether the user is using the web app, PWA, or native mobile app.

Users are responsible for protecting their credentials and logging out on shared devices.

Sensitive operations are handled through backend APIs.

The frontend, PWA, or mobile app should not directly access database credentials, hardware integration secrets, gate webhooks, intercom credentials, camera stream credentials, or service role keys.

Examples of backend-controlled actions include:

- opening a gate; - opening an entrance or intercom; - creating or using a guest pass; - starting a camera viewing session; - submitting a report or complaint; - importing residents; - exporting reports; - changing resident approval status.

Mihro may record activity logs and audit events for accountability and security.

These may include:

- resident approvals; - service status changes; - package updates; - access-related events; - guest pass creation and usage; - camera access sessions; - import actions; - administrative changes; - login or session events where applicable.

Audit logs help administrators review important actions and support safer building operations.

Mihro may support modules such as gate access, entrance access, intercom access, visitor passes, and guest QR/PIN codes.

These features are controlled by complex administrators and backend permission checks.

Residents should only see and use access points that are enabled for them. Real hardware integrations may require additional configuration, compatible systems, and third-party provider access.

Mihro does not expose hardware secrets or integration credentials to residents.

If Camera Center is enabled, residents may view approved shared-area cameras according to complex rules and permissions.

Camera access should only be used for legitimate shared-area safety or operational purposes.

Mihro should not expose raw camera credentials, RTSP URLs, provider API keys, or private integration details to residents.

The complex administration is responsible for ensuring that camera placement, notices, access rules, and usage comply with applicable privacy and surveillance laws.

Visitor passes, QR codes, PINs, and temporary access links may be used only if enabled by the complex administration.

Guest passes may include expiration times, status checks, usage logs, revocation, and access limits.

Residents should share visitor passes only with intended guests and revoke passes when they are no longer needed.

Mihro uses encrypted transport in production environments to help protect data in transit between users, frontend applications, backend services, and infrastructure providers.

Customers should ensure that production environments use secure HTTPS connections.

Secrets such as database credentials, service role keys, access provider credentials, webhook URLs, and integration tokens must be stored only in secure backend environment variables or trusted secret management systems.

Secrets should not be committed to source control, exposed in frontend code, or shared with unauthorized users.

Mihro supports web, PWA, and native mobile usage.

Mobile and PWA sessions should use secure session handling, logout behavior, and protected API access.

Native mobile apps should store sensitive tokens using secure storage where available. Long-lived sensitive tokens should not be exposed unnecessarily to frontend JavaScript.

Customers and complex administrators should follow good operational security practices, including:

- using strong administrator passwords; - limiting administrator access to trusted staff; - approving residents carefully; - disabling inactive users; - reviewing access logs; - revoking unused visitor passes; - disabling modules that are not needed; - configuring camera and access permissions responsibly; - keeping contact and emergency information up to date.

Mihro may rely on trusted third-party service providers for hosting, database infrastructure, storage, email delivery, monitoring, and operational support.

Provider details may be shared with customers upon request where appropriate.

Security of third-party systems may affect availability and operation of Mihro.

If you believe you have discovered a security issue in Mihro, please contact us responsibly.

Please include:

- a clear description of the issue; - steps to reproduce; - affected URL, feature, or endpoint; - potential impact; - your contact information.

Do not access, modify, delete, or disclose data that does not belong to you.

Security contact:

[Security Contact Email]

Mihro is designed with security in mind, but no software system can be guaranteed to be completely secure.

Customers remain responsible for configuring the platform correctly, managing user access, protecting credentials, and complying with applicable legal and operational requirements.

Mihro may update this Security page from time to time.

When changes are made, the “Last updated” date will be revised.

For security questions, contact:

[Security Contact Email]