Enterprise-grade protection for every API call, every stored credential, and every generated output.
MiniMax encrypts all data in transit with TLS 1.3 and all data at rest with AES-256, applying the same cryptographic rigor used by financial institutions.
Every API request travels over HTTPS. No plaintext HTTP endpoints exist. The platform enforces HTTP Strict Transport Security with a minimum max-age of one year. Forward secrecy ensures that even if the server's long-term private key is later compromised, previously recorded sessions cannot be decrypted. Internal service communication within the MiniMax infrastructure uses mutual TLS. Service identities are verified through X.509 certificates issued by an internal certificate authority with automated rotation.
Data at rest follows a layered encryption model. Storage volumes are encrypted with AES-256. Database files use transparent data encryption. Backups are encrypted before leaving the primary region. Encryption keys are managed through a hardware security module with access logging and automatic rotation every 90 days. The key management system is isolated from the application tier. Compromising an application server does not grant access to decryption keys.
This page documents the full security posture of the MiniMax platform. You will find encryption details, authentication protocols, compliance certifications, penetration testing schedules, and the incident response framework. Security teams evaluating MiniMax for procurement can reference the data table below for compliance status across each standard.
MiniMax supports OAuth 2.0 with Bearer tokens, multi-factor authentication enforcement, and role-based access controls with scoped API keys.
API authentication uses the OAuth 2.0 authorization framework. Clients present Bearer tokens in the Authorization header. Tokens are JWTs signed with RS256 and include standard claims for issuer, subject, expiration, and scope. Refresh tokens allow long-running services to obtain new access tokens without storing credentials. Token revocation is immediate and propagates across the distributed authorization service within 60 seconds.
Multi-factor authentication can be enforced at the organization level. Administrators toggle MFA requirements in the platform hub. Team members configure their preferred second factor — time-based one-time passwords through authenticator applications or hardware security keys supporting FIDO2. API keys are scoped per endpoint, per environment. A key provisioned for the chat completion endpoint cannot access billing data. Keys rotate on demand. The platform hub shows last-used timestamps for every key so administrators can identify and revoke unused credentials.
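As an added illustration (not MiniMax's own code), the scoped-key model just described can be reduced to a small authorization store: each key is bound to one environment and a fixed endpoint set, is revoked or rotated on demand, and records a last-used timestamp so idle credentials can be found. The `mx_` key prefix and the KeyStore interface are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Optional
import secrets


@dataclass
class ApiKey:
    environment: str                   # e.g. "production" or "staging"
    endpoints: frozenset               # endpoints this key may call
    revoked: bool = False
    last_used: Optional[float] = None  # Unix time of last successful use


class KeyStore:
    """Scoped API keys: bound to one environment and a fixed endpoint set,
    revocable on demand, with last-used tracking to find idle credentials."""

    def __init__(self):
        self._keys = {}

    def issue(self, environment, endpoints):
        token = "mx_" + secrets.token_urlsafe(24)  # hypothetical key format
        self._keys[token] = ApiKey(environment, frozenset(endpoints))
        return token

    def revoke(self, token):
        self._keys[token].revoked = True

    def rotate(self, token):
        """Revoke the old key and issue a replacement with identical scope."""
        old = self._keys[token]
        self.revoke(token)
        return self.issue(old.environment, old.endpoints)

    def authorize(self, token, environment, endpoint, now):
        """True only for a live key whose environment and endpoint scope cover
        the call; unknown, revoked and out-of-scope keys fail identically."""
        key = self._keys.get(token)
        if key is None or key.revoked:
            return False
        if key.environment != environment or endpoint not in key.endpoints:
            return False
        key.last_used = now
        return True

    def unused_since(self, cutoff):
        """Live keys never used, or last used before `cutoff`."""
        return [t for t, k in self._keys.items()
                if not k.revoked and (k.last_used is None or k.last_used < cutoff)]
```

A key issued for `chat/completions` is refused for `billing` and for a different environment, and `unused_since` yields the revocation candidates an administrator would review from the last-used column.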
MiniMax maintains GDPR and CCPA compliance programs with data residency controls, processing agreements, and subject access request handling.
Customer data submitted through the API for inference is processed ephemerally. Model inputs are held in memory during the request lifecycle and purged upon completion. MiniMax does not store inference data or use it for model training unless a customer explicitly opts into a data-sharing program. Data residency controls let enterprises specify processing regions. European customers can restrict processing to EU-based data centers. Asia-Pacific customers can select regional endpoints that keep data within local jurisdictions.
Data Processing Agreements are available for enterprise accounts. Legal teams can request the DPA through their account representative. Subject access requests are handled within 30 calendar days per GDPR requirements. The privacy engineering team maintains a data inventory, conducts privacy impact assessments for new features, and reports metrics to the security compliance officer quarterly. External guidance from NIST AI RMF informs the privacy-by-design review process that every product change undergoes before deployment.
Independent third-party penetration tests run quarterly against the MiniMax production environment and all public-facing API endpoints.
Testing follows a structured methodology. Each quarter, an accredited security firm receives access to a staging replica of the production environment. Testing covers the OWASP Top 10, API-specific attack vectors including injection and broken object-level authorization, and infrastructure-level assessments of cloud configuration and network segmentation. Findings are triaged by severity. Critical vulnerabilities trigger an incident response process. The security engineering team patches critical findings within 24 hours of verification. High-severity issues are addressed within the current sprint cycle. Medium and low findings are tracked in the backlog with quarterly review.
Enterprise customers can request summary penetration test reports under NDA. These reports describe the testing scope, methodology, findings, and remediation status. The reports do not include raw vulnerability details that could expose attack surfaces. For customers with specific compliance requirements, MiniMax supports customer-led penetration testing against dedicated environments with prior coordination through the security team.
MiniMax holds SOC 2 Type II and ISO 27001 certifications, audited annually by independent firms with reports available under NDA.
SOC 2 Type II certification covers the security, availability, and confidentiality trust service criteria. The Type II designation means controls were tested over a sustained period, not just at a point in time. The audit evaluates logical and physical access controls, change management processes, system monitoring, and incident response procedures. ISO 27001 certification validates the information security management system against international standards. The ISMS scope covers all MiniMax services including the API platform, platform hub, and internal operations.
Certification reports are available to enterprise customers and prospects under non-disclosure agreement. To request a copy, contact your account representative or email the security team. The compliance program undergoes continuous monitoring between audit cycles. Control owners review their controls quarterly. The compliance dashboard tracks control effectiveness metrics and flags exceptions for management review.
MiniMax maintains a documented incident response plan with defined severity levels, escalation paths, and customer notification timelines.
Incidents are classified into four severity tiers. Severity 1 indicates a confirmed data breach or service-wide outage. Severity 2 covers potential data exposure or degradation affecting a subset of customers. Severity 3 involves non-critical control failures. Severity 4 captures near-misses and process improvements. The incident commander role rotates weekly across senior engineering staff. Any engineer can declare an incident by paging the on-call commander through the emergency response channel.
Customer notification follows the incident classification timeline. Severity 1 incidents trigger notification within 72 hours of confirmation with follow-up updates every 24 hours until resolution. A public postmortem is published within 10 business days. Postmortems describe the timeline, root cause, remediation steps, and preventative measures. The process aligns with guidelines from the U.S. Department of Education cybersecurity framework for institutions handling sensitive data. No blame is assigned. The goal is system improvement.
The following table summarizes each compliance certification held by the MiniMax platform, its current status, and what it covers.
| Standard | Status | Description |
|---|---|---|
| SOC 2 Type II | Active | Annual audit covering security, availability, and confidentiality trust service criteria over a sustained period |
| ISO 27001 | Active | Information security management system certification validating controls across all MiniMax services |
| GDPR | Compliant | Data processing agreements, data residency controls, subject access request handling, and privacy impact assessments |
| CCPA | Compliant | Consumer data rights management including opt-out mechanisms and data inventory maintenance |
| NIST AI RMF | Aligned | Risk management framework alignment for AI systems covering governance, mapping, measurement, and management |
| PCI DSS | Compliant (SAQ-A) | Payment processing handled through certified third-party providers; platform meets SAQ-A requirements |
"Our security review team was thorough. They examined the SOC 2 reports, the encryption architecture, and the incident response documentation. MiniMax passed without exceptions. The quarterly penetration test reports and the data residency controls were decisive. We integrated within two weeks and our compliance team signed off on the first review cycle."
— Amelia Y. Park, Creative Director, PixelForge Studio, Los Angeles
MiniMax encrypts all data in transit using TLS 1.3 with forward secrecy. Data at rest is encrypted with AES-256. API traffic between client applications and MiniMax endpoints is protected by HTTPS exclusively, and the platform enforces HSTS with a minimum max-age of one year. Internal service communication within the MiniMax infrastructure uses mutual TLS for service-to-service authentication, with certificates issued and rotated automatically by an internal certificate authority.
MiniMax supports OAuth 2.0 with Bearer token authentication for API access. Organizations can enforce multi-factor authentication for all team members through the platform hub. Role-based access controls let administrators define fine-grained permissions for viewing usage data, managing API keys, and configuring billing. API keys can be scoped to specific endpoints and rotated on demand. Token revocation propagates across the distributed authorization service within 60 seconds.
Yes, MiniMax maintains GDPR and CCPA compliance programs. Customer data used for inference is not stored or used for model training unless explicitly opted into. Data residency controls let enterprises select processing regions to meet regulatory requirements. Data subject access requests are handled within regulatory timeframes. A Data Processing Agreement is available for enterprise customers upon request through their account representative.
MiniMax undergoes independent third-party penetration testing on a quarterly basis. Testing covers the OWASP Top 10, API-specific attack vectors, and infrastructure-level assessments. Critical findings are patched within 24 hours of verification. High-severity issues are resolved within one sprint cycle. Summary reports are available to enterprise customers under NDA, and customer-led penetration testing against dedicated environments is supported with prior coordination.
MiniMax holds SOC 2 Type II certification, ISO 27001 certification, and maintains compliance with the NIST AI Risk Management Framework. The SOC 2 audit covers security, availability, and confidentiality trust service criteria over a sustained period. ISO 27001 validates the information security management system. PCI DSS compliance is maintained through certified third-party payment processors. Compliance documentation is available for enterprise security reviews upon request.