Security at MapleNorth

Built for the data you'd never want leaked.

Guest names, phone numbers, booking calendars, channel credentials — this is sensitive operational data. Here's exactly how we handle it today, what we're not yet certified on, and what we're building toward.

Last updated: 2026-05-27

At a glance

  • Data residency: EU region (Supabase / Postgres)
  • Encryption in transit: TLS 1.2+ everywhere
  • Encryption at rest: AES-256 (Supabase default)
  • Authentication: Supabase Auth (bcrypt + JWT)
  • Authorization: PostgreSQL Row-Level Security per user
  • Webhook integrity: HMAC-SHA256 signature verification
  • Backups: Daily, point-in-time recovery (7 days)
  • Operator entity: Shape d.o.o. · Slovenia · EU

Infrastructure

MapleNorth runs on a modern, audit-friendly stack with all production data hosted in the European Union:

  • Database: Managed PostgreSQL via Supabase (EU region). Point-in-time recovery for 7 days. Automated daily snapshots.
  • Application backend: FastAPI deployed behind HTTPS-only endpoints with auto-renewing certificates.
  • Frontend & edge: Vercel with automatic HTTPS via Let's Encrypt, HTTP/2, and edge caching for static assets.
  • No customer data in source control. Secrets live in deployment environment variables only.

Encryption

  • In transit: TLS 1.2 or higher for every request to maplenorth.org, our API, and the database. Insecure HTTP is auto-redirected.
  • At rest: AES-256 disk encryption on the database (Supabase default) and on all storage volumes hosting application logs.
  • Passwords: Hashed with bcrypt by Supabase Auth — your password never touches MapleNorth's codebase or logs in cleartext, ever.
  • API tokens: Issued as signed JWTs with short expirations; refreshed via Supabase's refresh-token flow.

Authentication & access control

  • Sign-in: Email + password via Supabase Auth, or OAuth (Google) when enabled.
  • Session tokens: JWTs validated server-side on every API request. We never accept tokens we haven't verified.
  • Service keys: Supabase service-role keys are stored only in server-side environment variables. They never leave the backend, never appear in client bundles, and never get logged.
  • Internal access: Only the founder has production database access today. As the team grows, access will be issued on a least-privilege basis with audit logs.

Database & row-level security

Every table holding customer data has PostgreSQL Row-Level Security (RLS) enabled. RLS policies are enforced by the database itself — not application code — so a bug in the API can't accidentally leak another user's rows.

Concretely, every properties, bookings, message_threads, and messages row carries a user_id that's checked against the authenticated session at query time.

Webhook security

Inbound webhooks from third parties (Resend Inbound, Meta WhatsApp Cloud API) are signature-verified before any database write:

  • Email (Resend / Postmark / SendGrid): HMAC-SHA256 verification against a provider-issued signing secret.
  • WhatsApp (Meta Cloud API): X-Hub-Signature-256 verification against our Meta App secret.
  • Deduplication: Every inbound message is keyed by provider message ID; replays are silently dropped at the database constraint level.
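The verify-then-deduplicate order described above, as an added example (not MapleNorth's own code). It assumes the "sha256=<hex>" header form used by X-Hub-Signature-256, a simplified constructed payload, hypothetical table and column names, and SQLite standing in for Postgres so it runs offline:

```python
import hashlib
import hmac
import json
import sqlite3

APP_SECRET = b"constructed-app-secret"  # constructed; real secrets live in env vars


def signature_ok(secret, raw_body, header):
    """Validate 'sha256=<hex HMAC-SHA256 of the raw body>' (X-Hub-Signature-256 form)."""
    if not header or not header.startswith("sha256="):
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison on bytes; also safe for non-ASCII header junk.
    return hmac.compare_digest(expected, header[7:].lower().encode("utf-8", "replace"))


def open_store():
    # SQLite stands in for Postgres here; table and column names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE inbound_messages (provider TEXT NOT NULL,"
        " provider_message_id TEXT NOT NULL, body TEXT NOT NULL,"
        " UNIQUE (provider, provider_message_id))"
    )
    return db


def handle_webhook(db, secret, raw_body, header):
    # Verify over the exact bytes received, before parsing or writing anything.
    if not signature_ok(secret, raw_body, header):
        return "rejected"
    event = json.loads(raw_body)  # simplified, constructed payload shape
    cur = db.execute(
        "INSERT OR IGNORE INTO inbound_messages VALUES (?, ?, ?)",
        ("whatsapp", event["id"], event["text"]),
    )
    db.commit()
    # rowcount is 0 when the unique constraint dropped a replayed delivery.
    return "stored" if cur.rowcount == 1 else "duplicate"


def demo():
    db = open_store()
    body = json.dumps({"id": "wamid.CONSTRUCTED1", "text": "Late check-in?"}).encode()
    sig = "sha256=" + hmac.new(APP_SECRET, body, hashlib.sha256).hexdigest()
    attempts = [(body, sig), (body, sig), (body + b" ", sig), (body, None)]
    return [handle_webhook(db, APP_SECRET, b, h) for b, h in attempts]
```

The signature is computed over the raw request bytes, so a framework that re-serializes the parsed JSON before verification would produce a mismatch on legitimate deliveries.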

Data retention & deletion

  • Active accounts: Data is retained while your account is active.
  • Closed accounts: All personal data is deleted within 30 days of account closure, except where law requires retention (e.g., invoice records under tax law).
  • Guest data: Booking history and message threads tied to deleted properties are anonymized after 90 days.
  • Backups: Encrypted snapshots are retained for 7 days then rotated.
  • GDPR rights: Export, correction, and deletion requests can be sent to privacy@maplenorth.org — we respond within 30 days.

Incident response

If we detect or are notified of a security incident:

  1. The on-call engineer (currently the founder) is paged within minutes.
  2. Affected systems are isolated; access tokens are rotated.
  3. Root cause is identified and a fix is deployed.
  4. Affected customers are notified by email within 72 hours of confirming the incident, with what data was involved and what we've done about it.
  5. A post-incident write-up is published at /security/incidents when applicable.

We have not had a reportable incident to date.

Compliance roadmap

We're being deliberately transparent about what's in place today vs. what we're building toward. No security theater.

  • HTTPS everywhere (TLS 1.2+): Today
  • AES-256 encryption at rest: Today
  • Row-Level Security on all customer tables: Today
  • HMAC-verified inbound webhooks: Today
  • Daily encrypted backups + 7-day PITR: Today
  • EU data residency: Today
  • Public Privacy Policy + Terms + DPA template: In progress. Privacy policy live; DPA template available on request.
  • Documented incident response runbook: In progress. Draft in place; formal publication Q3 2026.
  • External penetration test: Planned. Targeting Q3 2026.
  • SOC 2 Type I report: Planned. Vanta or Drata starter; targeting Q4 2026.
  • SOC 2 Type II report: Planned. Targeting H2 2027 (after Type I).
  • ISO 27001 certification: Planned. Long-term goal; tied to enterprise customer requirements.

Responsible disclosure

Found something? Please tell us before posting publicly. We're a small team and we'll respond fast.

security@maplenorth.org

Initial reply within 2 business days. We don't currently offer a paid bounty, but we'll publicly credit researchers in our changelog (with your permission) and we'll work with you on responsible disclosure timing.

Machine-readable contact at /.well-known/security.txt.

Have a security question we haven't answered, or want our DPA template for review?

security@maplenorth.org

MapleNorth is operated by Shape d.o.o., a Slovenia-registered EU entity established 2014. Privacy policy.