Maison Labs, Inc.

Security Measures

Updated Nov 5, 2025

1. Overview

Maison Labs, Inc. (“Maison,” “we,” “our”) implements and maintains industry-standard technical and organizational measures to safeguard all data processed on behalf of our hotel partners (“Clients”).

These measures are designed to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to data handled within the Maison platform and related services.

2. Security Governance

Maison maintains a documented Information Security Management System (ISMS) aligned with ISO/IEC 27001 and NIST SP 800-53.

Security responsibilities are defined across Engineering, Operations, and Compliance teams, and reviewed at least annually.

Maison employees complete mandatory security and privacy training and are bound by confidentiality obligations.

3. Data Classification and Access Control

  • All data handled by Maison is classified as Confidential by default.
  • Role-based access control (RBAC) restricts access to authorized personnel with a legitimate operational need.
  • Authentication requires strong passwords and multi-factor authentication (MFA).
  • Privileged-account activity is logged and reviewed regularly.
  • Access rights are revoked immediately upon role change or termination.

4. Encryption and Network Security

  • Encryption in transit: All connections between Clients, hotels, and Maison systems use TLS 1.2 or higher.
  • Encryption at rest: All databases, storage volumes, and backups are encrypted using AES-256 or equivalent.
  • Network isolation: Production environments are segmented within private VPCs.
  • Firewalls and security groups restrict inbound/outbound traffic to necessary ports and protocols only.

5. Application Security

  • Source code is maintained in private repositories with branch protection, review, and audit logging.
  • Dependencies are continuously monitored for vulnerabilities using automated scanning tools.
  • Applications undergo routine static and dynamic security testing prior to deployment.
  • Maison adheres to a secure-by-design development lifecycle and conducts periodic threat-modeling sessions.

6. Infrastructure and Sub-processor Security

Maison’s infrastructure runs primarily on Amazon Web Services (AWS), benefiting from AWS’s certified data-center controls (SOC 2 Type II, ISO 27001, ISO 27017).
Monitoring and observability are provided by Datadog, also SOC 2 Type II certified.

AI inference and retrieval are handled by OpenAI and Pinecone, which operate under contractual Data Processing Agreements and maintain enterprise-grade security certifications.

Anonymous analytics are processed via Google Analytics 4 (GA4) under consent-mode configuration.

All Sub-processors are listed in Maison’s Sub-processor Policy.

7. Data Protection and Minimization

Maison’s platform is architected for privacy by design:

  • No personally identifiable information (PII) of hotel guests or end-users is collected or stored.
  • Potential identifiers are automatically redacted from logs and metrics.
  • Aggregated analytics and knowledge-base embeddings contain no human-identifiable data.
  • Encryption keys are managed securely using cloud-native key-management services (AWS KMS).
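As an illustration of the log-redaction control listed above, the following is an added example and not Maison's own code: a Python filter that scrubs e-mail addresses, IPv4 addresses, Luhn-valid card numbers and phone numbers from free-text log lines before they leave the application. The identifier categories, the placeholder tokens, and the sample log lines are assumptions constructed for the example; the Luhn check is included so that ordinary counters and IDs that happen to be 13-19 digits long are not mistaken for card numbers.

```python
"""Hypothetical log-redaction filter: added example, not Maison's code.

Scrubs e-mail addresses, IPv4 addresses, card numbers (PANs) and phone
numbers from free-text log lines before they are shipped to a log store.
The identifier categories and placeholders are illustrative assumptions.
"""
import re
from typing import Dict, List, Tuple

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Common phone layouts: optional +country code, then 3-3-4 digit groups.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+\d{1,3}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; keeps counters and IDs from being mistaken for PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _scrub(line: str) -> Tuple[str, Dict[str, int]]:
    """Redact one line; return the clean line and counts per identifier type."""
    counts: Dict[str, int] = {}

    def _pan(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            counts["PAN"] = counts.get("PAN", 0) + 1
            return "[PAN]"
        return m.group(0)  # fails Luhn: not a card number, leave untouched

    line, n = EMAIL_RE.subn("[EMAIL]", line)
    if n:
        counts["EMAIL"] = n
    line, n = IPV4_RE.subn("[IP]", line)
    if n:
        counts["IP"] = n
    # PANs are scrubbed before phones so that a card number is never
    # half-matched as a phone number and partially leaked.
    line = PAN_RE.sub(_pan, line)
    line, n = PHONE_RE.subn("[PHONE]", line)
    if n:
        counts["PHONE"] = n
    return line, counts


def redact_line(line: str) -> str:
    return _scrub(line)[0]


def redact_lines(lines: List[str]) -> Tuple[List[str], Dict[str, int]]:
    """Redact a batch of lines; also return aggregate counts for monitoring."""
    totals: Dict[str, int] = {}
    out: List[str] = []
    for line in lines:
        clean, counts = _scrub(line)
        out.append(clean)
        for key, value in counts.items():
            totals[key] = totals.get(key, 0) + value
    return out, totals


# Constructed sample lines for the example (not real Maison logs).
SAMPLE_LOGS = [
    "2025-11-05T10:12:03Z INFO booking.create guest=jane.doe@example.com phone=+1 415-555-0137 room=402",
    "2025-11-05T10:12:04Z WARN payment.declined card=4111 1111 1111 1111 reason=insufficient_funds",
    "2025-11-05T10:12:05Z INFO http.request src=203.0.113.42 path=/api/v1/faq status=200 latency_ms=83",
    "2025-11-05T10:12:06Z INFO cache.stats hits=1234567890123 misses=42",
]

if __name__ == "__main__":
    cleaned, totals = redact_lines(SAMPLE_LOGS)
    for entry in cleaned:
        print(entry)
    print(totals)
```

The per-category counts are worth emitting as a metric in their own right: a sudden rise in redactions from a service that should never see guest data is an early signal that PII is being logged somewhere it should not be, which is exactly the condition the "no PII collected or stored" commitment depends on.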

8. Monitoring, Logging, and Incident Response

  • Continuous monitoring and intrusion-detection alerts are active across production systems.
  • Security events are centralized and correlated via Datadog SIEM pipelines.
  • Maison maintains an Incident Response Plan (IRP) with defined severity levels, notification timelines, and escalation paths.
  • Any confirmed breach impacting Client data triggers immediate investigation and notification to affected Controllers in accordance with applicable law.

9. Business Continuity and Disaster Recovery

  • Regular, encrypted backups are performed and tested for restoration.
  • Systems are designed for high availability using redundant components and multiple availability zones.
  • A formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are reviewed and exercised at least annually.

10. Vulnerability Management and Penetration Testing

Maison conducts routine vulnerability scans of its infrastructure and applications.
Independent penetration testing is commissioned at least annually, and remediation is tracked to completion.

Critical vulnerabilities are addressed in accordance with defined service-level timelines.

11. Review and Updates

Maison reviews these Security Measures annually and whenever significant platform, legal, or regulatory changes occur.

Updated versions will be posted at https://maison.cx/security and become effective on publication unless stated otherwise.

12. Contact

Maison Labs Security Office
📧 security@maison.cx