Security at Marai
Protecting your business and client data isn't just another feature. It's the foundation we build everything else on.
AES-256-GCM
Encryption at rest and in transit
TLS 1.3 · encrypted backups
82 RLS policies
Per-business isolation
Row Level Security · PostgreSQL
PCI-DSS L.1
Certified payments via Stripe
Stripe Radar · 3DS2 SCA
0 vulnerabilities
Code audit — March 2026
97 files · 0 issues
Your data, protected like a bank vault
We use the same encryption technology as banks and governments. In plain terms: your information is completely private and inaccessible to anyone outside your business.
Native GDPR
Data stored on European servers (EU). Full compliance with GDPR, the Spanish LOPDGDD and LSSI-CE. Explicit consent, right to erasure and data portability in under 72 hours.
AES-256 Encryption
All personal data is encrypted with AES-256-GCM — the same standard used by banks and governments. Connections protected with TLS 1.3. Not even our team can read the raw data.
PCI-DSS Payments
Payments processed exclusively by Stripe, certified PCI-DSS level 1 (the highest in the industry). 3D Secure authentication and SCA/PSD2 compliance. Marai never stores or processes card data.
Row Level Security
Isolation implemented directly in PostgreSQL. Over 80 tables with individual RLS policies. One business can never access another's data — guaranteed by the database, not the code.
Per-business data isolation
In Marai, every business has its own protected, independent space. Your clients, appointments and information are strictly yours — no other business can access them, not even by mistake.
"A business in Madrid can never access data from one in Barcelona, even if both share the same infrastructure."
Guaranteed by the database, not by code
Isolation is declared directly in PostgreSQL. It's not a promise in the code — it's a restriction the database engine itself enforces on every query, without exception and with no way to bypass it.
No error can cross the boundaries
No programming bug, no edge case, no vulnerability can make one business's data visible to another. The system automatically rejects any cross-boundary access attempt.
The standard of the most demanding platforms
Row Level Security is the same isolation model used by enterprise-level platforms like Supabase. Marai implements it across 80 tables with 82 individual security policies active at all times.
Regulatory compliance
Marai complies with the data protection and digital services regulations applicable in Spain and the European Union:
GDPR — Regulation (EU) 2016/679 of 27 April 2016
You have full control of your data. You can ask us what we store, correct it, or have it all deleted — within 30 days.
View full legal text
Explicit and documented legal basis for each data processing activity (arts. 6 and 7 GDPR). Effective exercise of rights of access, rectification, erasure, portability and objection (arts. 15–21 GDPR). Record of Processing Activities maintained pursuant to art. 30 GDPR. Data is hosted exclusively in the European Union. No international transfers to third countries are carried out without the safeguards provided in arts. 44–49 GDPR.
LOPDGDD — Spanish Organic Law 3/2018 of 5 December
The same European law applied in Spain, with additional protections. Under-14s need parental consent to use digital services.
View full legal text
Spanish adaptation of GDPR. Compliance with the additional provisions of the LOPDGDD: processing of data of minors pursuant to art. 7 (digital consent from age 14), digital rights under Title X (right to digital disconnection, privacy in the workplace, right to be forgotten on social networks), and data blocking and deletion timelines.
LSSI-CE — Spanish Law 34/2002 of 11 July
The law regulating online shops and services in Spain. It requires us to tell you exactly who we are, what we sell, and how it works before you sign up for anything.
View full legal text
Compliance with obligations for information society service providers: complete legal identification of the service provider, general terms of service, differentiation of commercial electronic communications, cookie policy with granular consent and the ability to withdraw consent at any time.
PSD2 — Directive (EU) 2015/2366 of the European Parliament and of the Council
The European law that makes online payments safer. When you pay by card, your bank asks for a code or fingerprint to confirm it's you. Without that confirmation, no charge can go through.
View full legal text
Strong Customer Authentication (SCA) implemented via 3D Secure 2 (3DS2) through Stripe for all consumer payments in the European Economic Area. Compliance with art. 97 PSD2 and the Regulatory Technical Standards (RTS) published by the European Banking Authority (EBA) on authentication and secure communication.
Secure payments with Stripe
All payments in Marai are processed through Stripe, certified as a PCI-DSS Level 1 Service Provider — the most demanding certification level of the Payment Card Industry Data Security Standard. Stripe is audited annually by an independent Qualified Security Assessor (QSA).
Marai never stores, processes or transmits payment card data. The customer's card details (PAN, expiry date, CVV) are encrypted directly in the user's browser using Stripe's public key via Stripe.js, and travel exclusively to Stripe's servers without passing through Marai's servers at any point. What Marai receives is solely a payment method identifier (PaymentMethod ID) that references the tokenised card without exposing it.
Transactions that require it are processed with 3D Secure 2 (SCA), mandatory in the European Economic Area under the PSD2 Directive. Marai has Stripe Radar enabled — Stripe's AI-based fraud detection engine — which evaluates every transaction in real time and blocks suspicious payments before they are authorised. Events sent by Stripe to Marai via webhooks are verified with an HMAC-SHA256 signature to guarantee their authenticity and integrity.
Infrastructure and network
Marai's data is stored on servers located exclusively in the European Union, complying with GDPR data residency requirements (arts. 44–49). No international data transfers outside the European Economic Area are carried out without adequate safeguards (European Commission Adequacy Decisions or Standard Contractual Clauses).
Cloudflare WAF, CDN and DDoS protection
- WAF with custom rules: diagnostic route blocking
- Geographic challenge (Spain, LATAM, EU, USA)
- Bot Fight Mode active
- DDoS — High sensitivity, Block response mode
- Malicious traffic stopped at Cloudflare's edge network
Full DNS security
- DNSSEC enabled for maraiagenda.com
- SPF: v=spf1 include:_spf.google.com -all
- DMARC: p=reject, adkim=s, aspf=s + active monitoring
- CAA: only Let's Encrypt and DigiCert can issue TLS
Encrypted backups
- AES-256 encryption + automatic backup every 24 hours
- 30-day retention
- RPO (max data loss): 24 hours
- RTO (recovery time): under 60 minutes
- Geographically separate storage from production
Rate limiting and continuous monitoring
- 10 requests / 10 seconds on sensitive endpoints
- Authentication attempt limits per IP and per account
- Automatic brute force attack protection
- Alerts on latency, error rate, and unusual access anomalies
Code and application security
In March 2026 we ran a full audit of our entire application. 97 files reviewed, 0 vulnerabilities found. These are the controls we keep permanently active:
No malicious code or backdoors
We automatically scan our entire application to ensure no malicious code can run on our servers. Every change we publish goes through this check before going live. Last audit result: 0 issues detected across 97 files reviewed.
Only Marai's code runs in your browser
We maintain an allowlist that authorises only the code we publish. Any attempt to inject external code — whether from an attacker or an unauthorised third party — is automatically blocked by the browser. This protection is regenerated with every new release and independently verified.
Forms protected against bots and fraud
Every message you send from our website goes through four verification layers: we check it's not a bot, that the submission time is realistic, that the data is correctly formatted, and that you have given your consent. Automated attempts are blocked before reaching our servers.
Zero vulnerabilities in the components we use
Every application relies on third-party components. We continuously monitor every one we use to detect any published security flaw. Last review result: 0 vulnerabilities detected. Additionally, all external links are configured to prevent leaking any session data when clicked.
Access control and session management
Secure and SameSite=Strict attributes. httpOnly cookies are inaccessible to any JavaScript running in the browser, eliminating the XSS attack vector for credential theft. Tokens have a short expiration and are renewed automatically in the background to maintain the session without exposing the token for extended periods.The permission system is granular and role-based, reinforced by the 82 RLS policies in the database that act as a second, application-code-independent control layer:
Owner
Full access: business configuration, team management, billing, global reports and all platform features. The only role with access to the business's financial data.
Professional
Access strictly limited to their own calendar, the appointments they manage and the clients assigned to them. No access to business financial data or to other team members' information.
Read-only
View-only access with no ability to create, modify or delete any record. Designed for supervisors or external auditors who need visibility without intervention capability.
Session management is handled entirely from the app.maraiagenda.com domain via first-party cookies, with no dependency on external identity providers for primary authentication.
Security roadmap
Security is a process of continuous improvement. The next planned milestones on our roadmap are:
SOC 2 Type II (planned — 2027)
External and independent audit of our security, availability, processing integrity and confidentiality controls, carried out by an accredited CPA firm. The SOC 2 Type II report covers a minimum of 6 months of operation with controls in place.
ISO/IEC 27001 (under evaluation)
International standard for Information Security Management Systems (ISMS). We are evaluating the scope of certification, the applicable Annex A controls for our operations and the implementation timeline with an accredited certification body.
Responsible vulnerability disclosure policy (in development)
Publication of a Responsible Disclosure Policy allowing external security researchers to report vulnerabilities in a coordinated manner without legal risk. It will include a dedicated channel via security.txt (RFC 9116) with a contact mailbox and committed response times.
Two-factor authentication (2FA) for owners (planned)
Second authentication factor via TOTP (compatible apps: Google Authenticator, Authy, 1Password) for owner accounts. Adds an additional layer of protection against password theft or leakage.
Related resources
Your data, protected from day one.
No security setup required. No extra costs. GDPR, AES-256 encryption, per-business isolation and PCI-DSS payments included in every plan, including the free one.