MaisonBack to site
Security

How we protect your data.

A plain-language summary of how Maison keeps hotel and guest data safe.

Last updated July 11, 2026.

Tenant isolation

Maison is multi-tenant: many hotels share the same application, but not the same data. Every table that holds hotel or guest records is protected by database row-level security, enforced at the database itself. A request can only ever read or write rows that belong to the signed-in user's own hotel, so one hotel cannot see another's guests, bookings, or billing.

Authentication

Sign-in and accounts are handled by our authentication provider. Passwords are never stored in plain text; they are kept as secure hashes. Access inside a hotel is role-based, so front-desk staff, managers, and owners each see only what their role allows.

Payments

Subscription payments are processed by Stripe. Card numbers go straight to Stripe and are never stored on our servers, which keeps the most sensitive data out of our systems entirely.

Encryption

Traffic between your browser and Maison is encrypted in transit using HTTPS. Data held by our database and hosting providers is protected by their encryption and access controls.

Infrastructure

Maison runs on managed cloud infrastructure. Configuration and secrets are held as environment variables and are not committed to source code. We keep the number of providers small and use well-established ones: Supabase for the database and authentication, Stripe for billing, and a dedicated provider for email.

What we are still improving

We are honest about what is in progress. On our list are stricter rate limiting on public endpoints, enforcing account suspension mid-session rather than at next sign-in, and full self-serve account deletion. Progress is tracked on the roadmap.

Reporting a vulnerability

Found a security issue? Please email support@royalbengal.ai with the details and steps to reproduce. Give us a reasonable chance to fix it before disclosing it publicly. We are grateful for responsible reports.