Security

Your data is protected.

Maia is built on enterprise-grade infrastructure with encryption at every layer. We're transparent about how your data is stored, processed, and protected.

Infrastructure Security

Maia is deployed on Vercel, which maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications. The underlying infrastructure runs on AWS with automatic DDoS mitigation, Web Application Firewall (WAF) protection, and global edge network distribution.

Data Encryption

All data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption. This applies to database records and extracted course text. Original uploaded files are discarded after parsing. Encryption keys are managed through cloud provider key management services with access logging.

Authentication & Access Control

Users authenticate via Google SSO or single-use email magic links: no passwords are ever stored. Sessions expire server-side and can be revoked from any device ("Sign out everywhere"). Role-based access control (admin, instructor, learner) limits data exposure to what each role requires, and every admin action is recorded in an append-only audit log.

AI & Your Content

Maia’s AI tutoring is powered via API access to language models. Your data (conversation transcripts, uploaded documents, learning progress) is never used to train AI models. Content is isolated per organization and per user. Conversations and uploaded materials from one organization are never accessible to another.

Payment Security

All payment processing is handled exclusively by Stripe, a PCI DSS Level 1 Service Provider. Maia never stores, processes, or transmits credit card data. Payment information is entered directly on Stripe’s hosted checkout page.

Document Storage

Uploaded training materials (PDFs, DOCX, PPTX) are parsed server-side during upload and the original files are discarded: we retain only the extracted text needed to generate and cite courses, stored encrypted and scoped to the uploading organization. One tenant’s content is never accessible to another.

Privacy & Data Governance

Maia follows GDPR-aligned data practices. Organizations can request data export or deletion for their users. We process only the data necessary to deliver the service. A list of subprocessors is available on request.

Built on certified infrastructure

Vercel

Hosting & compute

SOC 2 Type II, ISO 27001, PCI DSS

Stripe

Payments

PCI DSS Level 1, SOC 1 & 2 Type II

PostgreSQL

Database

Managed hosting with automated backups, AES-256 at rest

Straight answers

The questions security reviews actually ask: answered plainly, including where we're not there yet.

Where is our data stored?

In the United States, on Vercel (compute) and a managed PostgreSQL provider (data), both encrypted at rest. We do not currently offer regional data residency options.

Is our data used to train AI models?

No. Never by us, and not by our AI providers, who are contractually restricted from training on API data.

Do you sign DPAs?

Yes. A GDPR-aligned data processing agreement with our subprocessor list is available on request for team and enterprise customers.

Do you support MFA?

Sign-in is via Google SSO or single-use email links. No passwords exist to phish. If your Google Workspace enforces MFA, that applies to Maia sign-in automatically. Native in-app MFA is on our roadmap.

Do you have your own SOC 2?

Not yet. We run on SOC 2 Type II certified infrastructure (Vercel, AWS, Stripe), and our own certification is planned. Happy to walk through our controls in the meantime.

Who are your subprocessors?

Vercel, a managed PostgreSQL provider, xAI (language models), ElevenLabs (audio), AWS SES (email), Stripe (payments), and Google (SSO). Details in our privacy policy.

Responsible disclosure

Found a security issue? We take reports seriously and respond within 48 hours. Please email us with details.

security@maia.study

Have specific security questions? We're happy to discuss your requirements.