Security
Last updated: May 12, 2026
1. How we protect your data
- Encryption in transit. All Maren traffic is served over HTTPS with HSTS preload, modern TLS, and a Content Security Policy that restricts where the browser can load code, styles, fonts, and connections from.
- Encryption at rest. User data is stored in Supabase (Postgres) and Stripe with at-rest encryption managed by the platform.
- Row-level security. Every table that holds user data has Postgres row-level security enabled. Application reads go through service-role connections that filter on user_id at the API layer; no anonymous read path exists.
- Authentication. Email/password login is handled by Supabase Auth. Passwords are stored hashed; we never see or store the cleartext.
- Payments. Stripe Checkout handles all card data. Maren never sees raw card numbers or CVCs; we only store the Stripe customer and subscription identifiers required to manage access.
- Least privilege. Production credentials are scoped to the smallest set of operations they need. Admin access to the Supabase and Stripe consoles is restricted to the founder and audit-logged by the platforms.
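As an added illustration of the row-level security and least-privilege controls described above (this is example SQL written for this page, not Maren's schema or migrations), the following defines a hypothetical per-user "notes" table, enables and forces RLS, grants owner-only access to end-user sessions via the Supabase auth.uid() helper, and leaves anonymous sessions with no policy at all. The table name, columns and policy names are assumptions.

```sql
-- Hypothetical table (not Maren's): one row per note, owned by a single user.
create table if not exists notes (
  id      bigint generated always as identity primary key,
  user_id uuid not null references auth.users (id),
  body    text not null
);

-- Enable RLS, and force it so the table owner is also subject to policies.
alter table notes enable row level security;
alter table notes force row level security;

-- End-user sessions (role "authenticated") may read only their own rows.
-- auth.uid() returns the subject of the caller's Supabase JWT.
create policy notes_owner_select on notes
  for select to authenticated
  using (user_id = auth.uid());

-- Inserts must carry the caller's own user_id; anything else is rejected.
create policy notes_owner_insert on notes
  for insert to authenticated
  with check (user_id = auth.uid());

-- Updates and deletes are likewise restricted to the owner.
create policy notes_owner_modify on notes
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy notes_owner_delete on notes
  for delete to authenticated
  using (user_id = auth.uid());

-- No policy is created for the "anon" role, so anonymous sessions see zero rows.

-- Caveat for service-role connections: the Supabase service_role key bypasses
-- RLS entirely, so a query made with it must carry the user filter itself.
-- The API layer should always issue the parameterised form below rather than
-- a bare "select ... from notes":
--   select id, body from notes where user_id = $1;

-- Audit check: list the policies actually attached to the table and confirm
-- that RLS is both enabled and forced.
select polname, polcmd, polroles::regrole[] as roles
  from pg_policy
 where polrelid = 'notes'::regclass;

select relrowsecurity, relforcerowsecurity
  from pg_class
 where oid = 'notes'::regclass;
```

The two audit queries at the end are what a reviewer would run to verify the policy set rather than trusting the description; if relforcerowsecurity is false, the table owner can still read every row, and if any policy targets the anon role, an anonymous read path exists despite the intent.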
2. Reporting a vulnerability
If you believe you have found a security issue affecting Maren, we want to hear from you. Please email security@joinmaren.com with a description of the issue, steps to reproduce, and (if relevant) proof-of-concept output. We will acknowledge receipt within two business days and aim to triage within five.
We ask that you:
- Give us a reasonable window to investigate and remediate before any public disclosure.
- Avoid accessing, modifying, or destroying data that does not belong to you; if your test would touch another account, please stop and report it instead.
- Avoid denial-of-service testing, social engineering of Maren staff, or physical attacks on Maren infrastructure.
We do not currently run a paid bounty program, but, with your permission, we will acknowledge researchers who responsibly disclose meaningful vulnerabilities in this page's changelog.
3. Subprocessors and third parties
Maren relies on a small set of vendors for hosting, payments, and AI inference. The current list is documented in our Privacy Policy. Any change to this list will be reflected there before it takes effect.
4. Machine-readable contact
A signed security.txt file is published at the standard location for automated tooling.
See also our Terms of Service and Privacy Policy.