Skip to content
Security Engineering

How We Think About Security at Miru

Encryption, authentication, role-based access, open source auditing, and self-hosting. How Miru protects your billing data.

Vipul A M · 3 min read
Billing

Security at Miru is straightforward once you stop adding process theater: encryption, authentication, role-based access, open source, and self-hosting. Here is how each of those protects your billing data, written from operating experience rather than trend-chasing.

Encryption Is Table Stakes


All data in transit uses TLS 1.3. All data at rest is encrypted with AES-256. Database backups are encrypted. This isn’t a feature we’re proud of. It’s the minimum. Any product handling financial data that doesn’t do this in 2026 isn’t paying attention.
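What "AES-256 at rest" has to mean at the application layer, as an added Ruby illustration (not Miru's code; the page does not say whether Miru encrypts at the disk, database, or column level, so the field-level design, the function names and the invoice records below are assumptions): AES-256 in GCM mode with a fresh random nonce per value, and the owning record's identity bound in as associated data, so a ciphertext can neither be modified nor moved to another row without decryption failing.

```ruby
require "openssl"

# Encrypt one field with AES-256-GCM. Illustration only; not Miru's code.
# A fresh 96-bit nonce per value; the authentication tag covers both the
# ciphertext and the associated data (here, the owning record's identity).
def encrypt_field(key, plaintext, aad:)
  raise ArgumentError, "key must be 32 bytes" unless key.bytesize == 32
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv # 12 bytes for GCM, generated fresh each call
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

# Returns the plaintext, or nil if the key, nonce, tag, ciphertext or
# associated data do not match. Tampering and row-swapping both end up here.
def decrypt_field(key, blob, aad:)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = aad
  cipher.update(blob[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# Worked scenario with constructed data: someone with write access to the
# database copies the encrypted rate from invoice 17 onto invoice 18.
def row_swap_demo
  key = OpenSSL::Random.random_bytes(32)
  rate_17 = encrypt_field(key, "hourly_rate=150", aad: "invoice:17")
  {
    legit: decrypt_field(key, rate_17, aad: "invoice:17"),
    swapped_row: decrypt_field(key, rate_17, aad: "invoice:18"),
    wrong_key: decrypt_field(OpenSSL::Random.random_bytes(32), rate_17, aad: "invoice:17"),
  }
end
```

The associated data is the part people skip: without it, AES-GCM still detects bit flips, but an attacker who can write to the database can swap two valid ciphertexts between rows and the application will decrypt the wrong rate without complaint.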

The database is PostgreSQL with automated daily backups and point-in-time recovery, so we can restore to any point in the last 30 days (point-in-time recovery depends on continuous WAL archiving between snapshots, not on the daily backups alone). Backups are stored in a separate geographic region from the primary database. If the data center catches fire, your data survives.


Authentication That Doesn’t Annoy People

Session-based authentication with secure token rotation. We deliberately chose sessions over JWTs for the web app because a session can be invalidated server-side immediately. If an account is compromised, we revoke the session and it's done. No waiting for a JWT to expire. You can bolt a revocation list onto JWTs, but then every request consults server-side state anyway, which is exactly what sessions already give you.
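To make the revocation difference concrete, here is an added Ruby example (not Miru's code; the SessionStore class, the MiniJwt module and the user id 42 are assumptions for the illustration): a server-side session store next to a minimal HS256 JWT verifier. After the session is revoked its identifier is rejected on the next lookup, while the JWT keeps verifying until its exp claim passes because there is no server-side record to delete.

```ruby
require "openssl"
require "json"
require "securerandom"

# Server-side sessions: the server owns the record, so deleting it rejects
# the cookie on the very next request. Hypothetical in-memory store.
class SessionStore
  def initialize
    @sessions = {}
  end

  def create(user_id)
    id = SecureRandom.hex(32)
    @sessions[id] = { user_id: user_id, created_at: Time.now }
    id
  end

  def revoke(id)
    @sessions.delete(id)
  end

  # Returns the user id for a live session, nil otherwise.
  def authenticate(id)
    record = @sessions[id]
    record && record[:user_id]
  end
end

# Minimal HS256 JWT, illustration only (use a maintained library for real
# code). The server keeps no record, so verification can only check the
# signature and the exp claim: there is nothing server-side to delete.
module MiniJwt
  def self.b64(data)
    [data].pack("m0").tr("+/", "-_").delete("=")
  end

  def self.unb64(str)
    s = str.tr("-_", "+/")
    (s + "=" * ((4 - s.length % 4) % 4)).unpack1("m0")
  end

  def self.constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def self.issue(payload, secret)
    header = b64(JSON.generate({ "alg" => "HS256", "typ" => "JWT" }))
    body = b64(JSON.generate(payload))
    sig = b64(OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{body}"))
    "#{header}.#{body}.#{sig}"
  end

  # Returns the payload if the signature is valid and the token is unexpired.
  def self.verify(token, secret, now: Time.now.to_i)
    header, body, sig = token.split(".", 3)
    return nil unless header && body && sig
    expected = b64(OpenSSL::HMAC.digest("SHA256", secret, "#{header}.#{body}"))
    return nil unless constant_time_eq?(expected, sig)
    payload = JSON.parse(unb64(body))
    return nil if payload["exp"] && payload["exp"] <= now
    payload
  rescue JSON::ParserError, ArgumentError
    nil
  end
end

# The compromise scenario from the text: revoke, then see which credential
# still works.
def revocation_demo
  secret = SecureRandom.hex(32)
  sessions = SessionStore.new
  sid = sessions.create(42)
  jwt = MiniJwt.issue({ "sub" => 42, "exp" => Time.now.to_i + 3600 }, secret)

  before = { session: sessions.authenticate(sid), jwt: MiniJwt.verify(jwt, secret) }
  sessions.revoke(sid)
  # There is no MiniJwt.revoke: a stateless token stays valid until exp.
  after = { session: sessions.authenticate(sid), jwt: MiniJwt.verify(jwt, secret) }
  { before: before, after: after }
end
```

Run `revocation_demo` and compare the two hashes: the session answer flips from 42 to nil the moment the record is deleted, while the JWT still returns its payload for another hour.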

OAuth via Google for teams that already use Google Workspace. One less password to manage.

The CLI uses dedicated bearer tokens. You generate a token from the automation settings page and scope it to your account. It is separate from your session, so you can revoke it without logging out of the web app. If a CI/CD script leaks its token, you revoke that one token and nothing else is affected.
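The properties that make "revoke that one token" safe are worth seeing in code. This is an added Ruby example, not Miru's implementation: the ApiTokenStore class, the `miru_` token layout, the per-token scopes and the user ids are assumptions for the illustration. Only a SHA-256 digest of the token is stored, lookup is by a non-secret id followed by a constant-time digest comparison, and revoking one record leaves the account's other tokens untouched.

```ruby
require "securerandom"
require "digest"

# Hypothetical CLI token store (not Miru's code). The plaintext token is shown
# to the user once; only a SHA-256 digest is persisted, so a database leak
# does not hand out working tokens.
class ApiTokenStore
  Token = Struct.new(:id, :user_id, :scopes, :digest, :revoked_at, keyword_init: true)

  def initialize
    @tokens = {}
  end

  # Returns [plaintext, record]. Token layout (an assumption for this example):
  # "miru_" + 16 hex chars of lookup id + "_" + 64 hex chars of secret.
  def issue(user_id, scopes:)
    id = SecureRandom.hex(8)
    plaintext = "miru_#{id}_#{SecureRandom.hex(32)}"
    record = Token.new(id: id, user_id: user_id, scopes: scopes,
                       digest: Digest::SHA256.hexdigest(plaintext), revoked_at: nil)
    @tokens[id] = record
    [plaintext, record]
  end

  # Revoking one token touches one record; sessions and other tokens are unaffected.
  def revoke(id)
    record = @tokens[id]
    record.revoked_at = Time.now if record
    !record.nil?
  end

  # Look the record up by the non-secret id, then compare digests in constant
  # time. Returns the user id, or nil for unknown, revoked, wrong-secret or
  # under-scoped tokens without saying which.
  def authenticate(plaintext, required_scope:)
    m = plaintext.match(/\Amiru_(\h{16})_\h{64}\z/)
    return nil unless m
    record = @tokens[m[1]]
    return nil unless record && record.revoked_at.nil?
    return nil unless constant_time_eq?(record.digest, Digest::SHA256.hexdigest(plaintext))
    return nil unless record.scopes.include?(required_scope)
    record.user_id
  end

  private

  def constant_time_eq?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The CI/CD compromise from the text: revoke the leaked token, keep the rest.
def token_revocation_demo
  store = ApiTokenStore.new
  ci_token, ci = store.issue(42, scopes: %w[invoices:read])
  laptop_token, _ = store.issue(42, scopes: %w[invoices:read invoices:write])

  before = store.authenticate(ci_token, required_scope: "invoices:read")
  store.revoke(ci.id)
  {
    ci_before: before,
    ci_after: store.authenticate(ci_token, required_scope: "invoices:read"),
    laptop_after: store.authenticate(laptop_token, required_scope: "invoices:read"),
    scope_denied: store.authenticate(laptop_token, required_scope: "team:admin"),
  }
end
```

The fixed prefix and hex id make leaked tokens easy to find with secret scanners and cheap to look up without a full-table digest scan; the secret half never touches the database in plaintext.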


Five Roles, Least Privilege

Admin, Owner, Book Keeper, Employee, Client. That’s it.

Every role sees only what it needs. Employees track time and submit expenses. They can’t see client billing rates. Book keepers manage invoices and payments. They can’t modify team settings or delete projects. Clients see their own invoices and nothing else.

We didn’t build a 47-row permission matrix with checkboxes. We sat down and asked: for each role, what’s the minimum set of things they need to do? That’s what they can access. Everything else is hidden, not just disabled.
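One way to encode "minimum set per role, everything else hidden" so that it can be unit-tested, as an added Ruby example (not Miru's policy; the PERMISSIONS table, the action names, the FORBIDDEN list and the sample project and invoice records are assumptions that follow the role descriptions above). It shows the three layers an authorization check needs: the action check, attribute-level hiding (billing rates removed from the response for employees rather than flagged read-only), and row-level scoping (clients only ever get their own invoices), plus a check that the table still satisfies the negative constraints from the text.

```ruby
# Hypothetical permission model for the five roles in the text (an
# illustration, not Miru's actual policy). Each role lists the minimum set
# of actions it needs; anything absent is simply not reachable.
PERMISSIONS = {
  owner:       %i[manage_team manage_projects delete_projects manage_invoices
                  record_payments view_rates track_time submit_expenses],
  admin:       %i[manage_team manage_projects delete_projects manage_invoices
                  record_payments view_rates track_time submit_expenses],
  book_keeper: %i[manage_invoices record_payments view_rates],
  employee:    %i[track_time submit_expenses],
  client:      %i[view_own_invoices],
}.freeze

# Unknown roles fail closed rather than raising inside a view.
def can?(role, action)
  PERMISSIONS.fetch(role, []).include?(action)
end

# "Hidden, not just disabled": attributes a role may not see are removed from
# the response entirely, not returned alongside a read-only flag.
HIDDEN_UNLESS = { billing_rate: :view_rates, cost_rate: :view_rates }.freeze

def project_for(role, project)
  project.reject { |attr, _| HIDDEN_UNLESS.key?(attr) && !can?(role, HIDDEN_UNLESS[attr]) }
end

# Row-level scoping: clients only ever get their own invoices; roles without
# any invoice access get nothing, regardless of what the caller asked for.
def invoices_for(user, invoices)
  role = user[:role]
  if can?(role, :manage_invoices)
    invoices
  elsif can?(role, :view_own_invoices)
    invoices.select { |inv| inv[:client_id] == user[:client_id] }
  else
    []
  end
end

# Negative invariants taken from the text, checkable in CI: each entry is a
# role and an action it must never have. Returns the violations, empty when
# the table matches the design.
FORBIDDEN = [
  [:employee, :view_rates],
  [:book_keeper, :manage_team],
  [:book_keeper, :delete_projects],
  [:client, :manage_invoices],
  [:client, :track_time],
].freeze

def policy_violations(permissions = PERMISSIONS)
  FORBIDDEN.select { |role, action| permissions.fetch(role, []).include?(action) }
end
```

Keeping the forbidden list next to the table is the cheap version of "we asked what the minimum is": when someone adds an action to a role, the negative check fails before the change ships.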


Open Source Is a Security Feature

Most security pages say “we take security seriously” and leave it at that. You’re supposed to trust them. With Miru, you don’t have to trust us. You can verify.

Every line of code is on GitHub. The authentication logic. The authorization checks. The database queries. The API endpoints. All of it. If there’s a vulnerability, anyone can find it, report it, and submit a fix.

This isn’t security through obscurity. It’s the opposite. We’re betting that transparency makes us more secure, not less. The open-source community has found and fixed bugs in Miru that our internal team missed. That’s the model working as intended.


Self-Host for Maximum Control

If your compliance requirements say “no third-party data processors,” self-host Miru. Your servers, your database, your network. Nothing leaves your environment.

Deploy with Docker in minutes. Full setup guides for macOS, Ubuntu, Windows, and Docker Compose in the docs. You get the same product. You control the infrastructure.

For regulated industries — healthcare, finance, government contracting — self-hosting eliminates an entire category of compliance risk. No vendor security questionnaires. No data processing addendums. Your data never touches our servers. The trade is that patching, backups, and TLS termination become your team's responsibility rather than ours.


Responsible Disclosure

Found something? Email security@saeloun.com. We respond within 24 hours. We investigate immediately. We credit researchers in our security advisories.

We don’t have a bug bounty program yet. We’re a small team and we’d rather put that budget into engineering. But we take every report seriously and fix vulnerabilities fast.

SOC 2 Type II is in progress. GDPR compliant. Data processing addendum available on request.

Read the full details on our security page.

Set up 2FA for your account →


Vipul A M

Co-founder at Saeloun. Building Miru. Rails contributor. Shipping from Pune, India.
