Security

Built on well-worn tools.

No clever rewrites of the critical path. We use the boring-and-battle-tested stack, configure it carefully, and document what we do.

Last reviewed April 23, 2026

Infrastructure

  • Hosting — Vercel (AWS-backed, SOC 2 Type 2).
  • Database + auth — Supabase (AWS-backed, SOC 2 Type 2, row-level security on every table).
  • LLM provider — Anthropic Claude API. Zero-retention mode for customer-data calls where available.
  • Email delivery — Resend.
  • Analytics — PostHog (product events only, not content).

Authentication

Marqeting uses passwordless magic-link authentication via Supabase. No passwords to breach, no password reuse risk. Links expire in 10 minutes and are one-use. Session cookies are HTTP-only, Secure, and SameSite=Lax.

Data at rest and in transit

All data is encrypted at rest (AWS-managed keys via our infrastructure providers) and in transit (TLS 1.2+). We enforce HTTPS on every request to marqeting.io.

Workspace isolation

Every table that holds customer data has Postgres row-level security enabled. Queries are scoped by workspace membership at the database layer — even an accidental bug in application code cannot return another workspace's data.

Secrets and access

  • Production secrets live in Vercel and are never committed to git.
  • Service-role database access is limited to server-side routes; the browser only ever speaks to Supabase with the anon key + user session.
  • Founder access to production data is logged, rate-limited, and used only to resolve support tickets or investigate incidents.

Incident response

If we discover a security incident that affects your data, we notify affected customers within 72 hours of confirmation, consistent with GDPR breach-notification requirements. Status incidents unrelated to customer data are announced in-app.

Reporting a vulnerability

Email security@marqeting.io with details. We acknowledge within one business day. We offer responsible-disclosure recognition — and for severe issues, a payment scaled to impact.

What we don't have yet

We're a small team early in our life. We don't have SOC 2 yet (the infrastructure under us does, which helps, but we'll get our own when customers need it). We don't have SSO yet — it's on the roadmap for Enterprise. If your procurement team has a checklist, email us and let's walk through it together.