Procurement

Data Residency Assurance

A one-page assurance for agency procurement and security review. Maintn is built Australian-first: Customer Data is stored in Australia by default.

Last updated: 16 June 2026

⚠️ Template — not legal advice.

This page is a working template provided for transparency while we finalise our documentation. It requires review by an Australian fintech/SaaS lawyer before it is relied on as a production legal document.

Where Maintn data is stored and processed

| Layer | Where | Region |
| --- | --- | --- |
| Primary data store (DB, auth, storage) | Supabase on AWS ap-southeast-2, Sydney | AU |
| Edge cache / delivery | Vercel AU edge (origin compute may run in the US) | AU/US |
| Payment data | Stripe Payments Australia Pty Ltd (AU entity of record) | AU |
| Product analytics | PostHog EU Cloud, Frankfurt (consent-gated, no IP) | EU |

Data flow

  • Customer: Operator · team · agency · caller — HTTPS / TLS 1.2+
  • Vercel AU edge → origin compute (US): Cache / CDN; stateless request handling, no primary storage
  • Supabase — PRIMARY (AU): AWS ap-southeast-2 Sydney · DB · Auth · Storage · all Customer Data at rest · RLS isolation
  • Stripe AU entity: Payments · AU + global · no full card numbers stored by Maintn
  • Function-specific (US/EU): Vapi · Twilio · Postmark · Sentry (US) · PostHog (EU) — transient, under SCCs/DPAs

How your data is protected

  • Tenant isolation via PostgreSQL row-level security — every query is scoped to your organisation; the organisation id is resolved server-side, never trusted from the client.
  • Encryption in transit (TLS 1.2+) and at rest; selected high-sensitivity fields encrypted at the application layer (AES-256-GCM).
  • Least-privilege access, audit logging of administrative actions, and automated security review on code changes.
  • Backups and point-in-time recovery via the managed database provider, within the AU region.

Cross-border processing

Where a function requires an overseas provider (voice AI, SMS, email, error monitoring, analytics), we rely on Standard Contractual Clauses or equivalent contractual protections consistent with APP 8. The full list, with regions and certifications, is on our Sub-processors page.

Certifications

The underlying providers hold industry certifications including SOC 2 Type II, ISO 27001 and PCI DSS (Stripe Level 1). See the Sub-processors page for the per-vendor position.

Procurement questions

Contact privacy@maintn.com.au for a security pack or to discuss AU-only processing requirements.