Security at Marai
Protecting your business and client data isn't just another feature. It's the foundation we build everything else on.
Data protection
All personal data stored in Marai is encrypted with AES-256-GCM, the same standard used by banks and governments. This encryption is applied both at rest (data stored in the database) and in transit (data traveling between your browser and our servers).
Connections to Marai are protected with TLS 1.3, the most recent and secure version of the encryption protocol for web communications. This ensures no one can intercept the information you send or receive while using the platform.
Sensitive data (names, phone numbers, client emails) is encrypted individually before being stored. Not even our technical team can read it in raw form without the corresponding decryption keys.
Business isolation
Marai implements Row Level Security (RLS) at the PostgreSQL level. This means data isolation doesn't depend on application code, but on the database itself. Every query made by a business is automatically filtered so it can only access its own records.
In practice: a hair salon in Madrid can never see the data of a clinic in Barcelona, even if they share the same infrastructure. The isolation is absolute and operates at the level of every row in every table — over 80 tables protected with individual RLS policies.
This is the same model used by enterprise-level platforms like Supabase and Neon. It's not a "software filter" — it's a restriction at the database engine level that cannot be bypassed from the application.
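The following is an added illustration of the PostgreSQL Row Level Security model described above; it is not Marai's own schema. The table, column, role and `app.current_business_id` setting names are assumptions chosen for the example.

```sql
-- Added illustration of per-business isolation with PostgreSQL RLS.
-- Table, column, role and setting names are assumptions, not Marai's schema.
CREATE TABLE appointments (
    id          bigserial PRIMARY KEY,
    business_id uuid NOT NULL,
    client_name text NOT NULL,
    starts_at   timestamptz NOT NULL
);

-- Enable RLS and FORCE it so even the table owner is subject to the policy:
-- the restriction lives in the engine, not in application code.
ALTER TABLE appointments ENABLE ROW LEVEL SECURITY;
ALTER TABLE appointments FORCE ROW LEVEL SECURITY;

-- Every row is visible/writable only for the business set on the connection.
-- NULLIF + missing_ok=true: if the tenant was never set, the comparison is
-- NULL and the request sees zero rows instead of every business's rows.
CREATE POLICY appointments_tenant_isolation ON appointments
    FOR ALL
    USING (business_id = NULLIF(current_setting('app.current_business_id', true), '')::uuid)
    WITH CHECK (business_id = NULLIF(current_setting('app.current_business_id', true), '')::uuid);

-- The role the API uses: explicitly NOBYPASSRLS and not the table owner.
CREATE ROLE marai_app LOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON appointments TO marai_app;
GRANT USAGE, SELECT ON SEQUENCE appointments_id_seq TO marai_app;

-- Per-request usage: SET LOCAL scopes the tenant to the transaction, so a
-- pooled connection cannot leak one business's context into the next request.
BEGIN;
SET LOCAL ROLE marai_app;
SET LOCAL app.current_business_id = '11111111-1111-1111-1111-111111111111';
SELECT id, client_name, starts_at FROM appointments;   -- only this business's rows
COMMIT;

-- Writing a row for a different business fails the WITH CHECK clause,
-- regardless of what the application code intended.
BEGIN;
SET LOCAL ROLE marai_app;
SET LOCAL app.current_business_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO appointments (business_id, client_name, starts_at)
VALUES ('22222222-2222-2222-2222-222222222222', 'Other tenant', now());
-- ERROR: new row violates row-level security policy for table "appointments"
ROLLBACK;
```

Checking `rolbypassrls` in `pg_roles` for the application role and `relforcerowsecurity` in `pg_class` for each tenant table is a quick way to verify that the policies cannot be skipped.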
Regulatory compliance
Marai complies with the three key data protection and digital services regulations in Spain:
GDPR (General Data Protection Regulation)
Full compliance with the European regulation. Explicit consent for data processing, right of access, rectification, portability and erasure.
LOPDGDD (Spanish Data Protection Act)
Spanish adaptation of GDPR. Marai complies with additional provisions specific to the Spanish market, including the processing of minors' data and the guarantee of digital rights.
LSSI-CE (Spanish e-commerce law)
Compliance with obligations for digital service providers, including legal information, commercial communications and cookies.
Any user can request a complete data export or permanent deletion from their account settings. Deletion requests are processed within a maximum of 72 hours.
For data protection inquiries, you can contact our Data Protection Officer (DPO) at maraiagenda@gmail.com. More details in our privacy policy.
Secure payments
All payments in Marai are processed through Stripe, certified PCI-DSS Level 1 — the highest security level in the payments industry. Stripe processes over $1 trillion per year for companies like Amazon, Google and Shopify.
Marai never stores or processes credit card data. When a client pays a deposit or makes a booking, their card data travels directly to Stripe without passing through our servers. We never see the card number, expiration date, or CVV.
All transactions that require it are protected with 3D Secure (SCA), the European strong customer authentication standard that adds a second verification step to payments. This drastically reduces fraud and complies with the EU's PSD2 directive.
Infrastructure
Marai's data is stored on servers located in the European Union, complying with GDPR data residency requirements. There are no international data transfers outside the EU without adequate safeguards.
Cloudflare CDN
Global content delivery network with built-in DDoS protection. Malicious traffic is blocked before reaching our servers.
Backups
Encrypted automatic backups every 24 hours with 30-day retention. Restoration possible in under one hour.
Rate limiting
Request throttling per IP and per account to prevent brute force attacks and API abuse.
24/7 monitoring
Automatic alerts for any anomaly in latency, errors or unusual access patterns.
Access control
Marai uses JWT-based (JSON Web Token) authentication with httpOnly cookies, preventing malicious scripts from accessing session credentials. Tokens are automatically renewed and have a short expiration to minimize the impact of a compromise.
The permission system is granular and role-based:
Owner
Full access to all features, billing, business configuration and team management.
Professional
Access to their own calendar, appointments, assigned clients and inventory. Cannot see financial data or other professionals' data.
Read-only
View-only access without the ability to modify data. Ideal for supervisors or external auditors.
On the Business plan, businesses can also enable single sign-on (SSO) to centralize identity management through their corporate provider.
Security roadmap
Security isn't a destination, it's an ongoing process. These are the next milestones on our roadmap:
SOC 2 Type II (planned)
External and independent audit of our security, availability and confidentiality controls. Planned for 2027.
ISO 27001 (under evaluation)
International standard for information security management. We are evaluating the scope and timeline for certification.
Bug bounty program (in development)
We will invite external security researchers to responsibly report vulnerabilities in exchange for rewards.
Have questions about security? maraiagenda@gmail.com