Trust Center
Where your data lives, who processes it, and how it's protected.
Architecture & Data Flow
The data flow is linear and uses only European processing regions — with one documented exception for our AI feature (Anthropic, USA, under the EU-US Data Privacy Framework).
- User's browser (TLS 1.2+)
- → Vercel Edge, Frankfurt (fra1)
- → Supabase Postgres, Ireland (eu-west-1)
- → optional, opt-in: Anthropic API, USA (EU-US Data Privacy Framework)
Sub-Processors
We use the following processors. The list is kept in sync with the more detailed table in our Privacy Policy. A data processing agreement under Art. 28 GDPR is in place with each provider.
| Provider | Purpose | Location / Data Region | International Transfer Safeguard |
|---|---|---|---|
| Vercel Inc. | Hosting, CDN, edge functions | USA, EU edge fra1 | EU SCCs + DPF |
| Supabase Inc. | Postgres, Auth, Storage | Ireland (eu-west-1) | Processing within the EU |
| Anthropic PBC | AI anomaly explanations, help chatbot | USA | EU-US DPF + SCCs |
| Resend Ltd. | Transactional emails, newsletter | UK (processing within the EU) | UK adequacy decision |
| Plausible Insights OÜ | Cookieless web analytics | Estonia / Germany | Processing within the EU |
Standard data processing agreement template for our customers: Download DPA template.
Encryption & Access
- Encryption in transit: TLS 1.2+ for all connections, HSTS enabled.
- Encryption at rest: AES-256 at the disk level via our infrastructure providers (Supabase, Vercel); both sub-processors are ISO 27001 certified. Disk-level encryption protects against loss or reuse of the underlying storage media; it does not protect data from anyone holding valid database credentials, which is why secrets get the additional application-level layer described below.
- EU hosting: All primary data is processed in Ireland (Supabase eu-west-1) and Frankfurt (Vercel fra1).
- Application-level encryption for secrets: Sensitive values (API keys, OAuth refresh tokens) are additionally encrypted with AES-256-GCM in the AppSetting table — the master key is not stored in the database.
- MFA for admin access: Multi-factor authentication is enforced on all of our administrative accounts at each sub-processor (Vercel, Supabase, Anthropic, Resend, Plausible).
- Audit log: Security-relevant actions (login, access to tenant data, configuration changes) are logged for 365 days.
Backups & Availability
- Point-in-Time Recovery (PITR): Supabase maintains 7 days of rolling PITR; recovery to any point in time within this window.
- Daily backups: In addition, automated daily database snapshots are taken.
- Restore tests: Performed every six months; results documented in the internal audit log.
- Availability: The edge layer is covered by Vercel's SLA; we observed 99.9% uptime over the last 12 months. We do not currently offer a formal SLA commitment of our own; one is planned as part of the Enterprise plan (in preparation).
Compliance
- GDPR: Our processing complies with the GDPR. Privacy Policy and DPA template are publicly available; an internal Data Protection Officer has been appointed. Where we process personal data on behalf of our customers, we act as a Processor under Art. 28 GDPR.
- EU AI Act, Art. 50 (Transparency): Marginly uses AI for anomaly explanations and the AI Help chat. All AI recommendations are advisory; final actions require user confirmation. We comply with the EU AI Act (Regulation (EU) 2024/1689) as a provider/deployer of a limited-risk AI system. AI-generated content is clearly labeled as such in the product (banner, icon, tooltip).
- NIS2: Not directly applicable (company size and sector are outside the scope). Nevertheless, we follow the technical and organizational measures (TOMs) of the German BSI IT-Grundschutz baseline.
- ISO 27001: Our hosting providers (AWS eu-west-1 in Ireland, used via Supabase, and Vercel) are ISO 27001 certified. Our own ISO 27001 audit is in preparation, target: Q4 2026. Until then, we rely on the certifications of our sub-processors as supporting evidence.
Coordinated Disclosure
Found a vulnerability? Thank you. Please report it to security@themarketplaceguys.com. We acknowledge receipt within 48 hours and will keep you updated.
Machine-readable contact details are in our security.txt (RFC 9116).
Hall of Fame
We list researchers whose reports have helped us improve our security here, with their consent. Currently: no entries yet.
Downloads & Further Documents
Last updated: 2026-05-10