Security and Trust

Built for speed, resilience and security from day one

One published map, hundreds of front doors
A published map at the centre is delivered from many surrounding edge locations to nearby visitors, retained on a device for Offline Mode, with security layers filtering traffic before it reaches the application. Published map Hundreds of edge locations Visitors Served nearby, not from one central server Layered protection Offline Mode Signal optional after first load
Static at the edgePublished maps load with no live database call
Offline after first loadMaps stay available on the device without signal
500+ TbpsDDoS mitigation capacity across the global network
On this page Infrastructure Static delivery Offline Mode Network protection Encryption Identity and access Data protection Operations Privacy and assurance

Infrastructure

Globally distributed edge infrastructure

Mapvera application logic runs across hundreds of global edge locations, close to the people using it. Requests can be routed, inspected and processed near their source rather than travelling to a single application server or data centre. This reduces latency for geographically distributed audiences and provides geographic redundancy without Mapvera maintaining individual servers in each region.

Application code executes inside isolated serverless environments that start rapidly and scale automatically. Sudden increases in visitors do not require Mapvera to provision another server, resize a machine or manually distribute traffic across additional instances.

Several visitors around a globe each connect to their nearest edge location instead of one central origin. Nearest edge location wins No trip to a single central server

Static delivery

Public maps are static by design

Published Mapvera maps are delivered as static HTML, JavaScript, styles, images and map data, with content cached and served from nearby edge locations. Visitors can load your published maps without waiting for a distant application server to query a live database and generate the page for every visit.

Once published, the content required to load and display the map is independent of Mapvera's primary database. The database continues to support the management platform and features that require live application services, but it is not required simply to retrieve and display the published map.

This separation improves speed and resilience, reduces database demand and limits the public attack surface compared with a conventionally generated dynamic application.

A visitor receives a published map straight from an edge cache. The management database sits apart, marked as not required for public map loads. Visitor any device Edge cache HTML, scripts, styles, map data Database management only, not in this path No live database in the load path
Your published map does not need a live database connection simply to load.

No single public server or database dependency

Mapvera does not depend on one public web server, one virtual machine or one live database to deliver published maps. Requests are distributed across the global edge network, while static map content can be served from cache close to each visitor.

There is no traditional origin web server exposed to the internet, no public administrative server and no inbound database port required for public map delivery. Application services communicate with managed storage through controlled internal bindings rather than publicly reachable database connections.

This architecture provides automatic scaling, geographic distribution, fault tolerance, reduced dependence on individual machines and fewer traditional operating system services to expose, configure or maintain.

Isolated serverless execution

Mapvera application code runs within isolated execution environments with separated memory. Unlike a conventional server, Mapvera does not maintain a long-running public operating system containing a web server, package manager, remote access service and database client.

Removing those traditional layers reduces the number of components that can be misconfigured, exposed or left unpatched. The underlying runtime and physical infrastructure are maintained by the infrastructure provider, while Mapvera remains responsible for application code, access controls, configuration and data handling.

Offline Mode

Offline resilience after first load

Once a visitor has loaded a published map, Mapvera's Offline Mode securely retains the map and its published content on that device. The visitor can close the browser, return later and continue viewing the map when the internet connection is unavailable or unreliable.

This is particularly valuable in conference centres, stadiums, campuses, festivals and other large venues where mobile reception may be weak and shared Wi-Fi can become congested during peak periods. Following the initial load, the map is no longer dependent on a continuous network connection simply to remain available on that device.

Offline Mode complements static delivery and edge caching by adding another layer of resilience between the visitor and the network. Features requiring live platform services may still require connectivity, but the retained published map remains accessible from the locally stored version.

Load, retain, return offline
Three stages: the map loads from a nearby edge location, is retained on the device, then remains visible while the network connection fades. Edge Load Retain stored on the device connection fades Return offline map still available

Network protection

Layered network and application protection

Every request passes through several layers of protection before it can reach Mapvera application logic. These include automatic network protection, distributed denial-of-service mitigation, automated bot controls, a Web Application Firewall, rate and abuse controls, server-side authentication, authorisation and application validation.

The Web Application Firewall applies managed protections together with Mapvera-specific rules to identify and block malicious requests, common web exploitation techniques, suspicious request patterns, injection attempts, unexpected methods and abusive traffic.

Security rules can be adjusted centrally without requiring published maps to be republished.

How a request reaches Mapvera
A request travels from the visitor through network protection, DDoS mitigation, bot controls, the Web Application Firewall and authentication before reaching Mapvera. Each layer activates in turn. Visitorrequest Networkprotection DDoSmitigation Botcontrols FirewallWAF rules Auth+ validation Mapvera

A request only reaches Mapvera application logic after every layer has let it through. Hostile traffic is dropped early, close to its source.

More than 500 Tbps of DDoS mitigation capacity

Mapvera benefits from automatic distributed denial-of-service protection across both network and application layers. Hostile traffic is distributed and mitigated across the global edge network rather than being concentrated against one Mapvera server.

The underlying network provides more than 500 Tbps of DDoS mitigation capacity, helping identify and absorb large attacks near their source before they can overwhelm the application.

Because Mapvera runs directly within the serverless edge environment, there is no separate origin web server behind the protection layer whose processor, bandwidth or connection limits can be directly exhausted by an attacker reaching around the network controls.

Encryption

Modern encryption

Mapvera requires HTTPS and uses modern TLS protocols with a restricted set of strong cryptographic cipher suites. Obsolete protocol versions and weaker legacy encryption options are excluded, reducing exposure to insecure negotiation, downgrade attacks and deprecated cryptographic algorithms.

Data is protected in transit and encrypted at rest within the managed storage environment. Secrets, service credentials and environment configuration are stored separately from public map content and application source code.

Strict browser security controls

Mapvera applies strict browser security headers throughout the platform. Content Security Policy controls which scripts, styles, frames and other resources may load, while HTTP Strict Transport Security requires supported browsers to use secure HTTPS connections.

Additional controls restrict unauthorised framing, embedded objects, unnecessary browser capabilities, unsafe cross-origin access, information leakage and unapproved form destinations. Together, these controls reduce exposure to cross-site scripting, clickjacking, mixed content, content injection and related browser-based attacks.

Identity and access

Secure identity and team access

Each Mapvera team has clearly separated administrator and member roles. Members receive access to the functions required for their role, while administrators manage team membership, access requirements and security settings.

Access decisions are enforced on the server. The browser interface may hide unavailable actions for clarity, but permission checks do not depend on browser-side controls.

Administrators

Manage members, team settings, access policies and security requirements.

Members

Access approved team functions without receiving team-level administrative control.

People sign in through Microsoft or Google single sign-on, pass an approved-provider check and an optional extra verification step, then reach their team with either an administrator or member role. Microsoft SSO Google SSO Approved providers team restriction applies Extra verification passkey or authenticator Your team admin + member roles Email sign-in can be blocked per team

Single sign-on and provider restrictions

Teams can use Microsoft or Google single sign-on and can restrict access to approved sign-in providers. An organisation may, for example, require every administrator and member to use Microsoft, preventing accounts created through Google or email and password from accessing that team.

The restriction applies at team level, allowing each organisation to enforce its own identity requirements without affecting unrelated Mapvera teams.

Where an organisation restricts access to third-party applications, Mapvera can be approved through its existing identity administration process.

Passkeys and enforced two-factor authentication

Team administrators can require every administrator and member to configure a passkey or authenticator application before accessing the team.

This requirement can be enforced even after a person has authenticated through Microsoft or Google single sign-on. Organisations can therefore use their existing identity provider while requiring a separate Mapvera-controlled verification step where additional protection is appropriate.

Passkeys provide a phishing-resistant option based on public-key cryptography, while authenticator applications provide time-based verification codes. The requirement applies to administrators as well as members, ensuring privileged users are not exempt from the team's security policy.

Protection against administrative lockout

Mapvera warns administrators when a change to approved sign-in methods or two-factor requirements could immediately remove their own access. The policy may still be applied intentionally, but the warning helps prevent accidental lockout while preserving the organisation's ability to enforce its chosen security standard.

Data protection

Durable object storage

Published map files, uploaded assets and backup material are held in managed object storage designed for very high durability. Stored objects are encrypted, strongly consistent and protected through distributed storage, replication and redundancy.

Mapvera accesses storage through internal application bindings. The storage environment does not need to be exposed as a public administrative service for the application to retrieve or manage its files.

Managed serverless database

Structured platform data is held in a managed serverless SQL database rather than on a database server maintained directly by Mapvera. The database is accessed through authenticated internal application bindings and is not exposed to public visitors through an inbound database port.

Public users cannot connect directly to the database. Database operations must pass through Mapvera's server-side authentication, authorisation and application validation.

Point-in-time recovery and versioned backups

The managed database supports point-in-time recovery, allowing data to be restored to a specific point within the available recovery period. This helps protect against accidental deletion, incorrect changes, faulty deployments, application defects and administrative mistakes.

Mapvera supplements native recovery with automated versioned backups of database and object-storage content. Backup copies follow defined retention schedules and are separated from active production data. Recovery procedures are tested so backup assurance is based on successful restoration rather than simply the existence of backup files.

A timeline of saved versions with an arrow restoring the live map to an earlier point, alongside stacked versioned backup copies kept separately. v1 v2 v3 v4 now Restore to a point in time Backups versioned copies Kept separate from production data, restores are tested

Operations

Controlled production access

Production access is limited to authorised personnel with a legitimate operational requirement. Access follows least-privilege principles, uses individually attributable accounts and requires strong authentication.

Administrative permissions are reviewed and removed when no longer required. Sensitive configuration and service credentials are kept outside public map files and separate from application source delivered to browsers.

Secure development and deployment

Mapvera follows controlled development and deployment practices. Application code is maintained in version control, changes are reviewed before release and deployments use authenticated automated workflows rather than direct manual editing of production systems.

Releases can be traced to their source revision, dependencies and configuration changes are assessed, and security updates are prioritised according to risk.

The serverless architecture further reduces operational exposure because Mapvera does not maintain public remote-access services, conventional web-server packages or customer-facing database servers.

Monitoring and security visibility

Mapvera monitors application health, error rates, authentication activity, infrastructure behaviour and security events. Alerts help identify abnormal conditions, suspicious access patterns, elevated failure rates and availability issues.

Relevant administrative and security actions are recorded to support accountability, investigation and incident response. Operational logs are restricted from ordinary team members and retained according to security, troubleshooting and legal requirements.

Vulnerability management

Mapvera maintains processes for identifying, assessing and addressing application vulnerabilities, dependency risks and configuration weaknesses. Managed firewall protections provide an additional layer against known and emerging attack techniques while application updates are assessed and deployed.

Security findings are prioritised according to their likely impact and exploitability, and suspected vulnerabilities can be reported through a responsible disclosure process.

Incident response and recovery

Mapvera maintains incident response and recovery processes covering detection, assessment, containment, investigation, remediation, restoration, communication and post-incident review.

Security events are assessed according to their potential effect on confidentiality, integrity and availability. Where an incident affects customer information, notification obligations are evaluated under applicable contractual, privacy and regulatory requirements.

Distributed edge delivery, static public maps, point-in-time database recovery, durable object storage and versioned backups support operational recovery and business continuity.

Privacy and assurance

Privacy and data protection

Mapvera is designed to collect and retain only the information reasonably required to provide, manage and secure the service. Access to personal information is restricted, retention periods are controlled and information can be corrected, exported or deleted in accordance with applicable requirements and contractual obligations.

Our privacy practices are informed by:

  • The Australian Privacy Principles
  • The European Union General Data Protection Regulation
  • The California Consumer Privacy Act
  • The California Privacy Rights Act

Privacy documentation, data-processing terms and relevant subprocessor information can be provided to organisations completing legal, security or procurement reviews.

Security standards and assurance

Mapvera's security practices are aligned with the principles of ISO/IEC 27001, the international framework for managing information-security risk, and ISO/IEC 27002, its supporting collection of practical security controls.

The underlying serverless infrastructure maintains independent security certifications and assurance reports, including SOC 2 Type II and ISO/IEC 27001.

SOC 2 Type II means the assessed controls were reviewed for their design and tested to determine whether they operated effectively over a defined period. Mapvera does not represent itself as independently SOC 2 audited or ISO certified unless expressly stated.

A shared and layered security model

Secure infrastructure provides the foundation, but infrastructure certification alone does not secure an application. Mapvera combines inherited network, runtime and storage protections with application-level identity enforcement, team roles, server-side authorisation, secure development, controlled deployment, monitoring, backup, recovery, vulnerability management, incident response and privacy practices.

The result is a layered security model covering the global network, serverless runtime, application, organisational access and stored data, while allowing published maps to load quickly from static edge content and remain available through Offline Mode after their initial load.

Need more security information?

Security, privacy and procurement documentation can be provided to organisations completing a formal review of Mapvera.