Built for speed, resilience and security from day one
Mapvera was designed from the beginning so performance, availability and security reinforce one another. The platform runs entirely on SOC 2 Type II assessed serverless infrastructure, using globally distributed edge computing, durable object storage and a managed serverless database. This removes the conventional model of a publicly exposed application server connected to a publicly reachable database, reduces infrastructure exposure and allows Mapvera to scale automatically as demand changes.
Infrastructure
Globally distributed edge infrastructure
Mapvera application logic runs across hundreds of global edge locations, close to the people using it. Requests can be routed, inspected and processed near their source rather than travelling to a single application server or data centre. This reduces latency for geographically distributed audiences and provides geographic redundancy without Mapvera maintaining individual servers in each region.
Application code executes inside isolated serverless environments that start rapidly and scale automatically. Sudden increases in visitors do not require Mapvera to provision another server, resize a machine or manually distribute traffic across additional instances.
Static delivery
Public maps are static by design
Published Mapvera maps are delivered as static HTML, JavaScript, styles, images and map data, with content cached and served from nearby edge locations. Visitors can load your published maps without waiting for a distant application server to query a live database and generate the page for every visit.
Once published, the content required to load and display the map is independent of Mapvera's primary database. The database continues to support the management platform and features that require live application services, but it is not required simply to retrieve and display the published map.
This separation improves speed and resilience, reduces database demand and limits the public attack surface compared with a conventionally generated dynamic application.
No single public server or database dependency
Mapvera does not depend on one public web server, one virtual machine or one live database to deliver published maps. Requests are distributed across the global edge network, while static map content can be served from cache close to each visitor.
There is no traditional origin web server exposed to the internet, no public administrative server and no inbound database port required for public map delivery. Application services communicate with managed storage through controlled internal bindings rather than publicly reachable database connections.
This architecture provides automatic scaling, geographic distribution, fault tolerance, reduced dependence on individual machines and fewer traditional operating system services to expose, configure or maintain.
Isolated serverless execution
Mapvera application code runs within isolated execution environments with separated memory. Unlike a conventional server, Mapvera does not maintain a long-running public operating system containing a web server, package manager, remote access service and database client.
Removing those traditional layers reduces the number of components that can be misconfigured, exposed or left unpatched. The underlying runtime and physical infrastructure are maintained by the infrastructure provider, while Mapvera remains responsible for application code, access controls, configuration and data handling.
Offline Mode
Offline resilience after first load
Once a visitor has loaded a published map, Mapvera's Offline Mode securely retains the map and its published content on that device. The visitor can close the browser, return later and continue viewing the map when the internet connection is unavailable or unreliable.
This is particularly valuable in conference centres, stadiums, campuses, festivals and other large venues where mobile reception may be weak and shared Wi-Fi can become congested during peak periods. Following the initial load, the map is no longer dependent on a continuous network connection simply to remain available on that device.
Offline Mode complements static delivery and edge caching by adding another layer of resilience between the visitor and the network. Features requiring live platform services may still require connectivity, but the retained published map remains accessible from the locally stored version.
Network protection
Layered network and application protection
Every request passes through several layers of protection before it can reach Mapvera application logic. These include automatic network protection, distributed denial-of-service mitigation, automated bot controls, a Web Application Firewall, rate and abuse controls, server-side authentication, authorisation and application validation.
The Web Application Firewall applies managed protections together with Mapvera-specific rules to identify and block malicious requests, common web exploitation techniques, suspicious request patterns, injection attempts, unexpected methods and abusive traffic.
Security rules can be adjusted centrally without requiring published maps to be republished.
A request only reaches Mapvera application logic after every layer has let it through. Hostile traffic is dropped early, close to its source.
More than 500 Tbps of DDoS mitigation capacity
Mapvera benefits from automatic distributed denial-of-service protection across both network and application layers. Hostile traffic is distributed and mitigated across the global edge network rather than being concentrated against one Mapvera server.
The underlying network provides more than 500 Tbps of DDoS mitigation capacity, helping identify and absorb large attacks near their source before they can overwhelm the application.
Because Mapvera runs directly within the serverless edge environment, there is no separate origin web server behind the protection layer whose processor, bandwidth or connection limits can be directly exhausted by an attacker reaching around the network controls.
Encryption
Modern encryption
Mapvera requires HTTPS and uses modern TLS protocols with a restricted set of strong cryptographic cipher suites. Obsolete protocol versions and weaker legacy encryption options are excluded, reducing exposure to insecure negotiation, downgrade attacks and deprecated cryptographic algorithms.
Data is protected in transit and encrypted at rest within the managed storage environment. Secrets, service credentials and environment configuration are stored separately from public map content and application source code.
Strict browser security controls
Mapvera applies strict browser security headers throughout the platform. Content Security Policy controls which scripts, styles, frames and other resources may load, while HTTP Strict Transport Security requires supported browsers to use secure HTTPS connections.
Additional controls restrict unauthorised framing, embedded objects, unnecessary browser capabilities, unsafe cross-origin access, information leakage and unapproved form destinations. Together, these controls reduce exposure to cross-site scripting, clickjacking, mixed content, content injection and related browser-based attacks.
Identity and access
Secure identity and team access
Each Mapvera team has clearly separated administrator and member roles. Members receive access to the functions required for their role, while administrators manage team membership, access requirements and security settings.
Access decisions are enforced on the server. The browser interface may hide unavailable actions for clarity, but permission checks do not depend on browser-side controls.
Administrators
Manage members, team settings, access policies and security requirements.
Members
Access approved team functions without receiving team-level administrative control.
Single sign-on and provider restrictions
Teams can use Microsoft or Google single sign-on and can restrict access to approved sign-in providers. An organisation may, for example, require every administrator and member to use Microsoft, preventing accounts created through Google or email and password from accessing that team.
The restriction applies at team level, allowing each organisation to enforce its own identity requirements without affecting unrelated Mapvera teams.
Where an organisation restricts access to third-party applications, Mapvera can be approved through its existing identity administration process.
Passkeys and enforced two-factor authentication
Team administrators can require every administrator and member to configure a passkey or authenticator application before accessing the team.
This requirement can be enforced even after a person has authenticated through Microsoft or Google single sign-on. Organisations can therefore use their existing identity provider while requiring a separate Mapvera-controlled verification step where additional protection is appropriate.
Passkeys provide a phishing-resistant option based on public-key cryptography, while authenticator applications provide time-based verification codes. The requirement applies to administrators as well as members, ensuring privileged users are not exempt from the team's security policy.
Protection against administrative lockout
Mapvera warns administrators when a change to approved sign-in methods or two-factor requirements could immediately remove their own access. The policy may still be applied intentionally, but the warning helps prevent accidental lockout while preserving the organisation's ability to enforce its chosen security standard.
Data protection
Durable object storage
Published map files, uploaded assets and backup material are held in managed object storage designed for very high durability. Stored objects are encrypted, strongly consistent and protected through distributed storage, replication and redundancy.
Mapvera accesses storage through internal application bindings. The storage environment does not need to be exposed as a public administrative service for the application to retrieve or manage its files.
Managed serverless database
Structured platform data is held in a managed serverless SQL database rather than on a database server maintained directly by Mapvera. The database is accessed through authenticated internal application bindings and is not exposed to public visitors through an inbound database port.
Public users cannot connect directly to the database. Database operations must pass through Mapvera's server-side authentication, authorisation and application validation.
Point-in-time recovery and versioned backups
The managed database supports point-in-time recovery, allowing data to be restored to a specific point within the available recovery period. This helps protect against accidental deletion, incorrect changes, faulty deployments, application defects and administrative mistakes.
Mapvera supplements native recovery with automated versioned backups of database and object-storage content. Backup copies follow defined retention schedules and are separated from active production data. Recovery procedures are tested so backup assurance is based on successful restoration rather than simply the existence of backup files.
Operations
Controlled production access
Production access is limited to authorised personnel with a legitimate operational requirement. Access follows least-privilege principles, uses individually attributable accounts and requires strong authentication.
Administrative permissions are reviewed and removed when no longer required. Sensitive configuration and service credentials are kept outside public map files and separate from application source delivered to browsers.
Secure development and deployment
Mapvera follows controlled development and deployment practices. Application code is maintained in version control, changes are reviewed before release and deployments use authenticated automated workflows rather than direct manual editing of production systems.
Releases can be traced to their source revision, dependencies and configuration changes are assessed, and security updates are prioritised according to risk.
The serverless architecture further reduces operational exposure because Mapvera does not maintain public remote-access services, conventional web-server packages or customer-facing database servers.
Monitoring and security visibility
Mapvera monitors application health, error rates, authentication activity, infrastructure behaviour and security events. Alerts help identify abnormal conditions, suspicious access patterns, elevated failure rates and availability issues.
Relevant administrative and security actions are recorded to support accountability, investigation and incident response. Operational logs are restricted from ordinary team members and retained according to security, troubleshooting and legal requirements.
Vulnerability management
Mapvera maintains processes for identifying, assessing and addressing application vulnerabilities, dependency risks and configuration weaknesses. Managed firewall protections provide an additional layer against known and emerging attack techniques while application updates are assessed and deployed.
Security findings are prioritised according to their likely impact and exploitability, and suspected vulnerabilities can be reported through a responsible disclosure process.
Incident response and recovery
Mapvera maintains incident response and recovery processes covering detection, assessment, containment, investigation, remediation, restoration, communication and post-incident review.
Security events are assessed according to their potential effect on confidentiality, integrity and availability. Where an incident affects customer information, notification obligations are evaluated under applicable contractual, privacy and regulatory requirements.
Distributed edge delivery, static public maps, point-in-time database recovery, durable object storage and versioned backups support operational recovery and business continuity.
Privacy and assurance
Privacy and data protection
Mapvera is designed to collect and retain only the information reasonably required to provide, manage and secure the service. Access to personal information is restricted, retention periods are controlled and information can be corrected, exported or deleted in accordance with applicable requirements and contractual obligations.
Our privacy practices are informed by:
- The Australian Privacy Principles
- The European Union General Data Protection Regulation
- The California Consumer Privacy Act
- The California Privacy Rights Act
Privacy documentation, data-processing terms and relevant subprocessor information can be provided to organisations completing legal, security or procurement reviews.
Security standards and assurance
Mapvera's security practices are aligned with the principles of ISO/IEC 27001, the international framework for managing information-security risk, and ISO/IEC 27002, its supporting collection of practical security controls.
The underlying serverless infrastructure maintains independent security certifications and assurance reports, including SOC 2 Type II and ISO/IEC 27001.
SOC 2 Type II means the assessed controls were reviewed for their design and tested to determine whether they operated effectively over a defined period. Mapvera does not represent itself as independently SOC 2 audited or ISO certified unless expressly stated.
A shared and layered security model
Secure infrastructure provides the foundation, but infrastructure certification alone does not secure an application. Mapvera combines inherited network, runtime and storage protections with application-level identity enforcement, team roles, server-side authorisation, secure development, controlled deployment, monitoring, backup, recovery, vulnerability management, incident response and privacy practices.
The result is a layered security model covering the global network, serverless runtime, application, organisational access and stored data, while allowing published maps to load quickly from static edge content and remain available through Offline Mode after their initial load.
Need more security information?
Security, privacy and procurement documentation can be provided to organisations completing a formal review of Mapvera.