Data Security & Privacy Policy

Learn how Mara handles data privacy and security

Protecting your data is Mara’s top priority

We leverage the security infrastructure and best practices of industry-leading providers, so you have access to the same level of security that billion-dollar companies have.

Maximum Security

Built on the same high security server infrastructure used by LinkedIn, Twitter and Novartis

Encrypted Data

Industry standard data encryption to render compromised data unreadable to hackers

Data Privacy

We don’t store your credentials or any more than what is required to run your practice

GDPR Compliance

We are based in Switzerland and have a moral and legal obligation to inform you of any data captured.

The security of your data is foundational to everything we do. The full terms of service can be found here. If you have any questions or concerns, please contact us at [email protected].

🚨Warning: important, unavoidable wall of text below. Sorry 🚨

Account Security

We work with a password security partner to ensure your Mara password meets the standards of state-of-the-art security. This means passwords are never stored in clear text: they are protected using methods called “salting” and “hashing”. Salting is a method where random bits are added to each password before it is hashed, so that the stored values are unique even when two users choose the same password. Salts help us mitigate precomputed hash table attacks by forcing an attacker to recompute the hashes separately for each user’s salt.
Additionally, we are going to be extra difficult with you during account creation to reduce the probability of successful brute force password attacks (where an attacker repeatedly attempts to guess the password using some form of automation). You will be required to set more secure passwords, as we will (1) require passwords longer than twelve characters and (2) require a combination of UPPER CASE, lower case, digits (1,2,3) and special characters (!#$).
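The two paragraphs above describe a password policy check followed by salted hashing. The example below, added here and not Mara’s or its password partner’s own code, implements both: the policy rules as stated on the page, and a per-user random salt combined with a slow hash (PBKDF2-HMAC-SHA256 with an assumed iteration count) so that two users with the same password end up with different stored records, which is exactly what defeats precomputed hash tables.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Policy from the page: longer than twelve characters, with upper case,
# lower case, digits and special characters.
MIN_LENGTH = 13  # "longer than twelve characters"

# Hashing parameters are assumed values for this example, not Mara's.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def check_password_policy(password: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salt and hash a password. Returns "iterations$salt_hex$hash_hex" for storage.

    A fresh random salt is drawn for every call, so hashing the same password
    twice yields two different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample password; two users picking it get different records.
    pw = "Correct-Horse-Battery-9"
    print("policy violations:", check_password_policy(pw))
    record_a = hash_password(pw)
    record_b = hash_password(pw)
    print("records differ:", record_a != record_b)
    print("verify ok:", verify_password(pw, record_a) and verify_password(pw, record_b))
```

The stored record carries its own salt and iteration count, so the parameters can be raised later without invalidating existing records: old records keep verifying with the count they were created with, and can be rehashed on the next successful login.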
 
We are planning to roll out 2-factor authentication as part of the roadmap, so stay tuned as we continually add security features to Mara.

Data Encryption Policy

Your data is encrypted at rest on the AWS servers. This means that the data is unreadable and useless to someone who manages to break in and steal a copy of it. Additionally, if you (sadly) choose to delete your Mara account, all your data will be completely and irreversibly deleted from our servers. All account data is destroyed, not just marked as inactive.
All data sent between your browser and Mara is secured using an encrypted connection, and communication with our servers over an unsecured connection is not possible (HTTPS is required on all pages and enforced with HSTS). Additionally, “Content Security Policy” headers, which all modern browsers enforce, prevent certain types of attacks from being successful.
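The paragraph above names two browser-enforced protections, HSTS and Content Security Policy, both of which are delivered as response headers. The following example, added here and not code from Mara or Bubble, parses those two header values and audits them for the weaknesses a reviewer checks first: a missing or short-lived HSTS policy, a CSP with no default-src fallback, and script sources that allow inline code or any origin. The header values are constructed for the example, not captured from Mara.

```python
from typing import Dict, List, Mapping, Optional

ONE_YEAR = 31_536_000  # seconds; the commonly recommended minimum HSTS max-age

# Constructed sample headers for the example (not captured from Mara).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://cdn.example.com; object-src 'none'"
    ),
}


def parse_hsts(value: str) -> Dict[str, Optional[object]]:
    """Parse an HSTS value into max_age (int or None), include_subdomains and preload flags."""
    result: Dict[str, Optional[object]] = {
        "max_age": None, "include_subdomains": False, "preload": False,
    }
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            result["max_age"] = int(val.strip().strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Mapping[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means both headers look sound."""
    findings: List[str] = []
    lookup = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive

    hsts = lookup.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing: browsers will still accept plain-HTTP connections")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    csp = lookup.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy header missing")
    else:
        directives = parse_csp(csp)
        if "default-src" not in directives:
            findings.append("CSP has no default-src fallback")
        # Script sources are the ones that matter most for injected-script attacks.
        for name in ("script-src", "default-src"):
            sources = directives.get(name, [])
            if "'unsafe-inline'" in sources:
                findings.append(f"CSP {name} allows 'unsafe-inline'")
            if "*" in sources:
                findings.append(f"CSP {name} allows any origin (*)")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["no findings"]:
        print(finding)
```

Run against a real deployment, the same function can be fed the headers of a live response; the parsing logic is unchanged, only the source of the mapping differs.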

Account Deletion Policy

Should you (sadly) choose to delete your Mara account, all of your data is completely and irreversibly removed from the Mara database. We do not simply mark your account as inactive. We completely destroy all account data. (To be clear, you explicitly request this non-reversible deletion. If you happen to let your account lapse accidentally, we don’t assume you mean DESTROY ALL MY DATA. That’d be a horrible assumption.)

Data Retention Policy

We retain account data for a period of time after an account expires, whether through subscription expiration or account inactivity, unless you delete your account as described above.
Once an account has become inactive beyond the period of time described below, we will delete all its data – if you don’t need Mara, we don’t need your account data, and you probably don’t want us to have it. (Keep in mind that if you cancel your account, it remains active until the end of your subscription. The timeline below doesn’t start until that subscription expires.)
 
We delete inactive accounts and accounts with an expired subscription, together with their data, a minimum of three years after the expiration of the subscription.
 
Although it remains your responsibility to ensure any data you want to keep gets exported from Mara, we will send you multiple, timely reminders before this non-reversible data deletion occurs.

10-year Client Data Retention

We are committed to ensuring the longevity of your client data stored with Mara. As we work very closely with Swiss therapists who have a legal obligation to store patient records for a minimum of 10 years, we (1) store the data on AWS servers in real time (ensuring all data on Mara is stored the second you hit the confirm button), (2) back up data to Swiss-based servers on a weekly basis (every Sunday) and (3) provide multiple-step warnings when permanently deleting something from Mara (still giving you full control of your data on Mara while reducing the chances of you deleting something you did not intend to).
 
While we are committed to Mara for the long term and in a sustainable manner, we should talk about what happens to your data if Mara ceases to exist (e.g. goes out of business, or closes for whatever unforeseeable reason). The answer is very simple. We will provide you with plenty of notice, time and support to export your client data out of Mara before that occurs. We’ll probably also provide our best, informed recommendation on the next best Mara alternative. We hope this day never comes, but this is our promise should it happen.

Platform Infrastructure

Our entire application is built on Bubble.io, which in turn is built on the technology of Amazon Web Services (AWS). This is the same technology trusted by government agencies (like the CIA) and billion-dollar companies like LinkedIn, Twitter, Novartis and Amazon (yes, of course they use their own servers). Amazon continually manages risk and undergoes recurring assessments to comply with industry standards.
 
Bubble’s security page is here. Bubble is built on Amazon Web Services, which is itself compliant with certifications such as:
  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)
 
Additionally, Mara benefits from all of Bubble’s security investments such as:
  • Automated code testing, vulnerability testing (including OWASP Top 10) and continuous monitoring technologies.
  • RDS’s AES-256 encryption to encrypt data at rest.
  • See for yourself the encryption Bubble uses for data in transit.

Payment Processing

We do not store any of your credit card information as we have chosen to use Stripe – one of the leading payment processing providers today. Millions of businesses of all sizes – from startups to large enterprises – use Stripe to accept payments, send payouts, and manage their businesses online. More on how Stripe handles security here.

GDPR & Swiss Data Protection Act

Any capture of personal data, such as the name, address, e-mail address, or telephone number of a data subject, shall always be in line with the General Data Protection Regulation (GDPR) and in accordance with the Swiss Data Protection Act (DPA). This means that you will always be prompted and notified about the information being captured and the exact reason the data is stored. Using your data for any purpose other than those stated would be a breach of the European Union’s GDPR, and that is not something Mara will ever do. Mara will never sell your data and is funded by subscription revenue only.