How we protect your data.
A plain-language summary of how Maison keeps hotel and guest data safe.
Tenant isolation
Maison is multi-tenant: many hotels share the same application, but not the same data. Every table that holds hotel or guest records is protected by database row-level security, enforced at the database itself. A request can only ever read or write rows that belong to the signed-in user's own hotel, so one hotel cannot see another's guests, bookings, or billing.
Authentication
Sign-in and accounts are handled by our authentication provider. Passwords are never stored in plain text; they are kept as secure hashes. Access inside a hotel is role-based, so front-desk staff, managers, and owners each see only what their role allows.
Payments
Subscription payments are processed by Stripe. Card numbers go straight to Stripe and are never stored on our servers, which keeps the most sensitive data out of our systems entirely.
Encryption
Traffic between your browser and Maison is encrypted in transit using HTTPS. Data held by our database and hosting providers is protected by their encryption and access controls.
Infrastructure
Maison runs on managed cloud infrastructure. Configuration and secrets are held as environment variables and are not committed to source code. We keep the number of providers small and use well-established ones: Supabase for the database and authentication, Stripe for billing, and a dedicated provider for email.
What we are still improving
We are honest about what is in progress. On our list are stricter rate limiting on public endpoints, enforcing account suspension mid-session rather than at next sign-in, and full self-serve account deletion. Progress is tracked on the roadmap.
Reporting a vulnerability
Found a security issue? Please email support@royalbengal.ai with the details and steps to reproduce. Give us a reasonable chance to fix it before disclosing it publicly. We are grateful for responsible reports.