Built so we can't accidentally leak your data.

Marq-OS is a multi-tenant SaaS. Every row that belongs to your organization is protected by three independent controls, any one of which would stop a cross-tenant leak:

1. Application-layer AsyncLocalStorage. Every authenticated request carries a tenant context established by the auth middleware; every service method enforces it before touching the DB.
2. Repository-layer tenant scope. Queries are wrapped so a missing tenant filter fails-closed at build time, not at runtime.
3. Database-layer Row Level Security. PostgreSQL RLS policies filter on the session's tenant id. Even a misrouted query returns zero rows instead of another tenant's data.

Cross-tenant isolation is verified by integration tests that run against a real database on every deploy.

• In transit: TLS 1.2+ on every public endpoint. HTTP Strict Transport Security enforced. No mixed content.
• At rest: AES-256 at the storage layer (Railway Postgres + Redis volumes; AWS S3 when we flip storage).
• Around sensitive fields: MFA secrets and connector credentials are AES-256-GCM encrypted with keys rotated independently of database backups. Stored ciphertext alone is useless without the encryption key.
• Passwords: bcrypt (12 rounds) — we never see or store the plaintext.

• Every route declares the permissions it requires. A missing declaration fails the CI build — no endpoint can ship unguarded.
• Roles and permissions are seeded versioned; role changes to a live user require an admin with the org:super_admin:grantpermission.
• MFA (TOTP) is available for every account and can be required on sensitive routes (org transfer, tenant delete, data export).
• Sessions rotate on refresh with reuse-detection: a replayed refresh token revokes the entire session family and logs the event.

Marq-OS writes an immutable audit event for every mutating action: sign-in, sign-up, MFA enroll, role change, connector install / uninstall, transaction run, billing state change, data export, data deletion request. Audit log retention matches your plan (30 days on Solo, 90 days on Team, 1 year on Scale, custom on Enterprise).

Server-side logs are structured (JSON), annotated with tenant + request id, and shipped to a centralized log sink. Production deploys include Sentry for error telemetry and a latency SLO dashboard — 99.95% uptime on Scale, custom on Enterprise.

• Content you pass through a connector (LinkedIn posts, campaign settings, DALL·E prompts) is used to fulfill the request and nothing else. It is never used to train Marq-OS models.
• Sub-processors (Anthropic, OpenAI, LinkedIn API) receive only the data needed to fulfill the specific call, under their respective data processing terms.
• You can export every row Marq-OS has about you at any time from Settings → Data & privacy → Export.
• You can request deletion at any time. Data is permanently removed within 30 days; audit rows are preserved in a legally-required tamper-evident form per GDPR Art. 17 exceptions.

• GDPR: covered. We're a data processor for your tenant data; a data controller for account metadata. Data processing terms on request (legal@marq-os.com).
• DPDP (India): covered. Data residency in ap-south-1 available on Enterprise.
• SOC 2 Type II: audit engaged, Type I targeted for Q4 2026, Type II for Q2 2027. Intermediate attestations available on request.
• HIPAA / ISO 27001: on the Enterprise roadmap; we scope to order on a case-by-case basis until formal certification.

Report security issues to security@marq-os.com. We respond within 48 hours. We don't run a paid bounty yet but we reward meaningful reports with a public thank-you and (if you want) product credits.

We don't pursue legal action against researchers who report in good faith, avoid destructive testing, and give us a reasonable window to respond before public disclosure.