maark
Log inStart for free
Security

Our security posture, described honestly.

This page says what is true today — the protections that are actually in place — and is deliberate about what we do not yet claim. If you need something we do not have, we would rather tell you than imply it.

Data protection

How your data is protected in transit and at rest

Encrypted in transit
All traffic is served over HTTPS/TLS, with HSTS enforced so browsers refuse to connect any other way. Every call we make to a third-party service is over TLS too.
Connected-account tokens encrypted
The access tokens for the accounts you connect — Google, Shopify, Slack — are encrypted with AES-256-GCM at the application layer before they are stored, on top of the encryption-at-rest provided by our database hosts.
Databases encrypted at rest
Your data lives in Vercel Postgres (powered by Neon) and Google BigQuery, both of which encrypt data at rest. The full list of providers is on our sub-processors page.
Secrets kept out of the codebase
Credentials are held as environment secrets, never committed to source. Internal jobs authenticate to each other with dedicated shared secrets.
Access to your accounts

We ask for the least access that does the job

Google Search Console — read-only
We request the read-only Search Console scope (webmasters.readonly). We cannot modify your Search Console settings, submit URLs, or change your properties.
Shopify — scoped to publishing
Connecting Shopify grants the access needed to publish and update articles on your store’s blog and read your products. You approve the install, and you can disconnect at any time — anything already published stays live.
Your Google data stays yours
We do not sell or share your Google user data, do not use it for advertising, and do not allow a person to read it except with your explicit consent, for a security reason, or where required by law.
Accounts & access control

Who can do what, and how we know

Sign-in
Authentication is handled by a maintained auth framework, with Google single sign-on and email magic-link sign-in. Sessions are server-side, and we do not automatically link accounts across sign-in methods.
Roles and tenancy
Access is role-based across organizations and projects — owner, admin, editor, writer and a client role. A connection or a client login reaches only the projects it is scoped to; there is no all-projects backdoor.
AI connections are scoped
External assistants connect over a scoped, revocable key or a guided sign-in, limited to the projects you choose. Write actions preview before they commit, and publishing is never done over a connection. See AI Connections.
Audit logging
Sensitive actions are written to an audit log with the actor, the action and the resource, and application errors are captured by an error-monitoring service so we can respond to problems quickly.
Retention & deletion

We keep your data while you need it, and let it go when you don’t

Crawl artifacts, snapshots and other operational data are pruned on a schedule, and stale connection tokens are cleaned up automatically. You can request a full export or deletion of your data at any time by emailing privacy@maark.ai. The specifics live in our privacy policy.

What we don’t claim

Honesty about where we are

We are not currently SOC 2 or ISO 27001 certified, and we do not claim to be. If your procurement needs a formal security and data-processing review before you buy, that review is part of our Custom plan — talk to us and we will walk through our controls and sign a data processing agreement. We would rather earn that trust in a conversation than print a badge we have not earned.

Responsible disclosure

Found a vulnerability? Please email security@maark.ai with the details and steps to reproduce. We will acknowledge your report and keep you posted as we work on a fix.

Need a deeper security review?

Our Custom plan includes a security and data-processing review, and a signed DPA.

Talk to usRead the sub-processor list