Trust center

Marshal is built to hold HR investigation data — by definition, some of the most sensitive personal information any organization processes. Every architectural decision is oriented around three properties: tenant isolation, auditable provenance, and defensible retention.

• Tenant isolation:all data is scoped to a single tenant at the database row level via PostgreSQL row-level security. Every API path, every storage object, every audit row carries a tenant id; access is denied if the requester's session doesn't match. We run an automated integration suite that proves the property holds across every table and storage bucket on every change.
• Cryptographic audit chain:every action on a case writes an append-only audit row, hashed into a per-tenant sha256 chain. The chain is verifiable: any tampering breaks the next row's hash. We attest the chain tip daily and push signed snapshots to an external, tamper-evident S3 Object Lock bucket (compliance mode, seven-year retention). A second copy survives even a full database compromise.
• AI provenance:every AI-generated draft (memo, finding, report section) is logged with the prompt id, model name + version, input hash, and full output. A reviewer can answer “which model produced this section?” forever. AI outputs are always drafts; investigators review and confirm before they become determinations.
• Authentication: SAML 2.0 SSO available; SCIM 2.0 for automated deprovisioning; tenant-level MFA enforcement; configurable session idle timeout. Passwords are hashed by Supabase Auth (bcrypt).
• Encryption: data in transit via TLS 1.2+; data at rest encrypted by the underlying infrastructure providers (Supabase / AWS).
• Retention and legal hold: per-tenant retention policy with automated archival; per-case legal hold that suspends archival when litigation is reasonably anticipated.
• Data subject rights: in-app workflow for GDPR Article 15 (access) and Article 17 (erasure) requests, with a curated exemption catalog citing the underlying legal bases for any preservation decisions.

We're transparent about our current certification posture. Marshal is an early-stage product, and we'd rather under- promise than misrepresent.

SOC 2 Type II

Pre-audit

Controls implemented; formal Type II audit planned once the first enterprise customer engages. Evidence collection automated.

GDPR / CCPA

Compliant by design

DSAR workflow, exemption tracking, and retention controls in product. DPA available on request.

HIPAA

Available on request

Technical controls support a BAA. Contact us if your investigations involve PHI.

ISO 27001

Planned

Roadmapped for the year following SOC 2 Type II.

Marshal uses a small number of carefully chosen sub-processors to deliver the service. All process customer data on our behalf under data processing agreements that prohibit use of customer data for any other purpose, including AI model training.

Primary data residency is the United States (us-east). EU and other regional residency is on the roadmap; reach out if your procurement requires it.

View the full sub-processor list →

A live status page with uptime history and incident notes is maintained at status.marshal.to (coming soon). Customers can subscribe to incident notifications through that page.

We treat security disclosures seriously. If you've found something you think we should know about, please email security@marshal.to. Our full disclosure policy, including scope and acknowledgement timelines, is at /trust/security.

• Privacy policy — what we collect, why, who we share with, your rights
• Terms of service — customer obligations, IP, AI use, warranty, liability
• Data Processing Addendum (DPA) and Business Associate Agreement (BAA) available on request — email legal@marshal.to

For security questionnaires, DPA/BAA requests, or any other procurement question, contact trust@marshal.to.