Security & Compliance
Last updated: April 12, 2026
Research data is sensitive. This page describes how we protect it, and lists the third-party providers that process data on our behalf.
Related: Privacy Policy · Terms of Service
Data residency
All AI processing and primary data storage occur within the European Union. Interview content sent to AI models is processed in the EU and is not retained by the model provider beyond the duration of the request.
Application hosting runs from an EU region. Where a sub-processor transfers data outside the EU or EEA, we rely on appropriate transfer mechanisms such as EU Standard Contractual Clauses (see the sub-processor table below).
Encryption
All data is encrypted in transit using industry-standard TLS and encrypted at rest using AES-256 through our infrastructure providers. Internal service-to-service communication is also encrypted.
Authentication & access control
- Customer authentication via email/password or Google OAuth, with secure server-side session management.
- Participant access uses high-entropy share links. No account or password required.
- Workspace data is isolated through multiple enforcement layers at both the application and database level.
Application security
- Comprehensive HTTP security headers including HSTS and framing protection.
- Distributed rate limiting to prevent abuse.
- Server-side input validation on all endpoints.
- The AI interviewer has no direct access to the database. All conversation data is controlled server-side.
- Webhook payloads are verified using cryptographic signatures.
Monitoring & privacy
We use error tracking and product analytics services to maintain reliability and improve the product. Personal data collection is disabled in error reports, and interview content, transcripts, and message text are explicitly blocked from analytics events.
Data redaction
Customers can redact sensitive content in interview transcripts. Redacted content replaces the original text in all exports and AI-generated analysis.
Responsible disclosure
If you discover a security vulnerability, we'd appreciate you letting us know responsibly. Contact us at security@maren.so and we'll respond promptly.
GDPR compliance
Maren is designed with GDPR compliance as a core requirement. We act as a data processor for customer research data and as a data controller for account and platform data. We offer Data Processing Agreements (DPAs) to customers on request.
Our standard DPA covers the processing activities described in our Privacy Policy and incorporates EU Standard Contractual Clauses for international data transfers.
Sub-processors
The following third-party service providers process data on our behalf. We maintain agreements with each sub-processor that include appropriate data protection terms.
| Provider | Purpose | Location |
|---|---|---|
| AWS | AI model inference | EU (Ireland) |
| Neon | Database hosting | EU (Frankfurt) |
| Vercel | Application hosting | EU (Dublin) + edge |
| Upstash | Infrastructure services | EU (Frankfurt) |
| Stripe | Payment processing | US (EU SCCs) |
| Deepgram | Speech-to-text transcription | EU |
| Resend | Transactional email | EU (Ireland) |
| PostHog | Product analytics (no PII) | EU |
| Sentry | Error monitoring (no PII) | EU |
We notify customers at least 14 days before adding a new sub-processor. If you have concerns about a sub-processor change, contact us at privacy@maren.so.
Contact
- Security inquiries: security@maren.so
- Privacy & DPA requests: privacy@maren.so
- General: hello@maren.so