
Your Security Comes First

At Maven, we believe that access to reproductive and family health care requires absolute trust. The information you share with us — about your cycle, your fertility journey, your pregnancy, your mental health — is among the most personal data that exists. We take that seriously, and we've built our entire security program around protecting it.

How We Protect Your Data

Encryption, Everywhere

All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher with modern cryptographic standards, including elliptic curve cryptography. Whether your information is stored or moving between systems, it is always protected.

Strict Access Controls

Access to member data is limited to the people who need it to provide your care — and no one else. We enforce role-based access controls and least-privilege principles, and we require multi-factor authentication for all internal systems. Every access event is logged and monitored.

Continuous Monitoring and Testing

Our security team monitors our systems around the clock. We conduct regular vulnerability assessments and independent third-party penetration testing so we can find and fix weaknesses before they become problems.

Data Minimization and Retention

We collect only the information necessary to provide your care, and we securely delete it in accordance with defined retention schedules.

Reproductive Health Data Gets Special Protection

We treat all reproductive health and cycle tracking information as Protected Health Information (PHI) under HIPAA — not because we have to, but because it's the right thing to do. This means your data is subject to the highest standards of protection we offer.

Independent Validation

We don't just say we're secure — we prove it through independent third-party audits.

HIPAA Compliant

Maven is a HIPAA-compliant technology company and service provider. We execute Business Associate Agreements (BAAs) with covered entity partners as required.

HITRUST Certified

Maven holds HITRUST certification, one of the most rigorous healthcare security frameworks in the industry, validated by an independent third-party assessor.

SOC 2 Type II Attested

Our SOC 2 Type II attestation covers the security, availability, and confidentiality of our systems, verified annually by an independent auditor.

Responsible AI

Maven uses artificial intelligence to help connect members with the right care at the right time. We govern our AI systems in accordance with ISO 42001, the international standard for AI management systems. This means our AI use is documented, risk-assessed, and subject to ongoing oversight — with human review built into decisions that affect your care.

Vendor and Supply Chain Security

Every third-party vendor that handles member data goes through a security review before we engage them and is contractually required to meet our data protection standards. We maintain an active vendor risk management program so that your data is protected across our entire ecosystem.

Incident Response

We maintain a formal incident response program with documented breach notification procedures that meet or exceed the requirements of HIPAA and applicable state laws. In the event of a security incident that affects your data, we will notify you promptly and transparently.

Vulnerability Disclosure

We welcome and appreciate the work of security researchers. If you believe you've found a security vulnerability in Maven's systems, we encourage you to report it to us responsibly — we'll investigate all legitimate reports and work to remediate validated issues as quickly as possible.

What we ask of researchers:

  • Communicate responsibly — comply with applicable laws and respect the privacy of individuals.
  • Avoid degrading user experience, disrupting systems, or destroying data.
  • Provide sufficient technical detail for our team to identify and validate the issue.
  • Refrain from publicly disclosing vulnerabilities without our express written consent.

In scope: mavenclinic.com and our iOS and Android mobile applications. If you're unsure whether a system is in scope, please ask us before beginning research.

To report a potential vulnerability, email security@mavenclinic.com.

Questions or Concerns?

  • Security disclosures: security@mavenclinic.com
  • Privacy requests: See our Privacy Policy

For enterprise partners seeking detailed compliance documentation, SOC 2 reports, or BAA execution, please contact your Maven account team.


© 2025 Maven Clinic Co. All rights reserved.