Key Takeaways
Security in Business Software
Security in business software is not an afterthought you bolt on later. It’s a series of architectural decisions made early and lived by every day. This is sometimes referred to as security by design. Similarly, the concept of privacy by design refers to the conscious process of building in privacy for the end users of a system from the very start. At Maesn we have made those decisions deliberately and we believe you deserve to know exactly what they are.
This post explains how our unified API is built and which certifications back our claims, but it is also honest about the parts that are not yet in place.
Maesn Follows a Strict No-Storage Architecture
Many integration platforms silently become secondary databases for your business data. They cache records, sync data for performance and store copies of files for “convenience”. Each new system or database that stores your or your customers’ data is a liability: a new threat vector, an increase in audit scope, another entry in your data processing agreement and a potential GDPR headache. Maesn never stores your customers’ data. We operate a no-storage architecture:
- Every API request is made live to the source, data is transformed in memory, and the response is delivered to your system and your system only.
- Unlike other actors, we do not accumulate any shadow copy of your accounting records, neither for increasing performance nor for training AI models. We do maintain operational logs, which is necessary for diagnosing issues, monitoring platform health and supporting you if something goes wrong.
- All our logs are transient by design: they reside in our Microsoft Azure data center in Frankfurt, are encrypted at rest and are automatically purged after 90 days.
No stored data means no data loss, no audit scope and no migration when you leave
If we do not store your data, we cannot lose it: there is no secondary database for an attacker to target, no additional scope for your auditors to cover, and if you one day decide to leave us, there is no migration project needed. Your customers’ data belongs to you and your customers. Not us.
Encryption in Maesn Unified API: All ERP Integration Data Always Protected
All data stored in the Maesn API, including logs and credentials, is encrypted at rest using 256-bit AES encryption. There is no unencrypted data on disk anywhere in our infrastructure.
All communication with Maesn uses HTTPS, so data moving between your systems and ours is always encrypted in transit. In addition, all internal traffic within our infrastructure uses HTTPS. We do not allow any plaintext communication.
Integration data remains encrypted at rest and in transit
Our tenants and their end users can rely on this even in the event of a data breach: whether attackers eavesdrop on the network or steal physical disks from a data center, the data they obtain is encrypted, both at rest and in transit.
EU-Only Hosting: Where Your Unified API Data Lives
Every component of Maesn’s infrastructure runs within the European Union. We host exclusively on Microsoft Azure in data centers in Frankfurt, Germany and Amsterdam, the Netherlands. That’s it. No other cloud providers. No third-party tools reading your data and shipping it elsewhere. No subcontractors or data processors beyond Microsoft. No data leaving the EU.
Know exactly where data goes and it will never change without your knowledge
For businesses operating under GDPR, or with customers who simply expect their data to stay in Europe, this is not a minor detail. It means that you can tell your customers which routes their data take from their bookkeeping system to your platform – and know that the answer won’t change without your knowledge.
Anonymous by Design: No PII stored in Our Unified API Application Layer
The application layer of our API does not store or process personally identifiable information (PII) in clear text. Tenants and the end users of tenants are represented by internal IDs throughout our system: no names, no email addresses, no recognizable user data.
All identifiers are always anonymized
This means that even if someone gained access to our internal systems, they would encounter anonymized identifiers, not a directory of your users’ personal information. Privacy is built into the core design of our API, not added as an afterthought.
Secure Software Development Life Cycle (SSDLC)
Security is integrated throughout our whole software development life cycle, from requirements engineering and design to development, testing and operations.
- Every change is peer-reviewed by a human on our team
- Every build is automatically subjected to static and dynamic analysis
- Every build has strict quality gates including test coverage requirements
- All code is deployed to staging environments and regression-tested through comprehensive end-to-end suites
- Containers and cloud infrastructure are automatically scanned for security gaps
Continuous testing to ensure the highest security level for you
Continuous analysis, testing and scanning make sure that vulnerabilities are identified at an early stage, before they can be deployed into production.
Environment Separation: Test and Production Strictly Isolated
We provide our tenants with multiple API keys, which allows them to operate multiple environments with strict separation of data and access. For example, a tenant would typically have:
- One API key for test and development, configured with client credentials for sandbox environments. This API key is freely distributed among developers and testers.
- A separate API key for production, with client credentials for official apps published in various vendors’ app marketplaces. Typically, this API key is only accessible to selected DevOps personnel.
At Maesn we apply the exact same principle internally, strictly separating and isolating development, test and production environments from each other. Our environments run on fully segregated hardware, so that our test data is never stored in the same table, file storage or database as our production data.
A leaked credential stays contained to one environment
If a credential should leak, its reach is limited to a single environment. This dramatically lowers the impact during development and testing. At the same time, being able to distribute credentials for test environments more freely means that the development environment can be freed from unnecessarily strict access controls to maintain development speed.
ISO 27001 & GDPR Certified Unified API
Maesn has achieved ISO 27001 certification, the internationally recognized standard for information security management. It is not a self-assessment, but an independent audit of processes, controls and risk management practices. A recognized third party has verified that how we handle information security matches what we say we do.
We are also fully GDPR compliant. For our European customers and anyone whose customers are in the EU, this matters. Rest assured that there is no compliance grey zone when using our API.
Because our Unified API doesn't store your data, our security risk footprint is fundamentally smaller than platforms that do
Information security certifications provide confidence in process maturity, but at the end of the day it is the architecture of the system you integrate that determines the risk. Since our unified API does not store your customers’ data, our information security risk footprint is significantly smaller than that of systems which create shadow copies of your database.
All reports and controls are accessible through our Trust Center. For a full overview of our security posture, visit our Security page.
What We Do Not Yet Offer
We believe in being transparent about the limits of our security posture, not just our strengths.
For the moment, we do not provide the option of bring-your-own secrets storage. This means that we do not currently support integrating your own secrets vault (such as Azure Key Vault) for managing credentials. All secrets management is handled internally by Maesn. We do not currently conduct regular penetration tests. This is something we plan to address as the platform matures. If this is a hard requirement for your organization, talk to us. Last, but not least, we are currently not SOC 2 certified. ISO 27001 is a global certification, but we are aware that SOC 2 has special relevance for some of our US customers.
Seven Questions to Ask Any Integration Vendor During Security Evaluation
A checklist for evaluating vendors and uncovering hidden security risks:
1. Do you store or cache customer data? If yes, how long is it stored? Is the data encrypted at rest?
2. Where is your solution hosted and where is data stored? Are there subcontractors or data processors that process or store data in locations other than your main hosting location? Think log aggregators, identity and access management solutions, analytics tools, AI applications, etc.
3. Can I segregate test and production environments, to limit access to production data?
4. Is the solution implemented with security by design? Ask for the secure software development life cycle (SSDLC).
5. How is personally identifiable information (PII) protected?
6. Which security and compliance certifications are active?
7. What is your log retention and redaction policy?