Infrastructure Security
- Remote access MFA enforced
- Remote access encrypted enforced
- Network segmentation implemented
Security at Marta
Marta brings your security policies, compliance documents, subprocessors, access requests, and trust updates into a clean, public Trust Center.
Controls
Updated 27 days agoSecurity controls we maintain across our organization.
Organizational Security
- Password policy enforced
- Security awareness training implemented
Internal Security Procedures
- Backup processes established
- Incident response policies established
- Incident management procedures followed
Product Security
- Data transmission encrypted
- Vulnerability and system monitoring procedures established
Policies
Our written commitments around privacy, security, and data handling.
Privacy Policy
How Marta collects, uses, and protects personal information.
Updated May 27, 2026Information Security Policy
High-level rules governing information security at Marta.
Updated May 27, 2026Incident Response Policy
How Marta identifies, manages, and resolves security incidents.
Updated May 27, 2026Data Retention Policy
How long Marta retains customer and platform data.
Updated May 27, 2026Subprocessors
Trusted third parties that process customer data on our behalf.
6 vendors
| Vendor | Purpose | Location | Data categories | Links |
|---|---|---|---|---|
| | Content delivery network, DDoS protection, DNS, and edge compute. | Global edge network; R2 storage in EU | IP addressesHTTP request metadataCustomer filesDNS records | |
| | Managed Elasticsearch, search, and observability service. | European Union | Structured application logsHTTP request metadataAudit events | |
| | Source code hosting and collaboration platform. | United States | Source codeCI artifactsIssue and pull request metadata | |
| | Web and app analytics platform. | United States / global Google infrastructure | Pseudonymous analytics identifiersPage viewsDevice and browser metadata | |
| | Cloud infrastructure, compute, storage, and managed services. | Belgium (europe-west1) | Application dataDatabase contentsSystem logsEncrypted backups | |
| | Transactional email API for product and account notifications. | United States | Email addressesEmail contentDelivery metadata |
Frequently asked questions
Quick answers to common security questions.
Where is customer data stored?
Production application and database infrastructure runs on Google Cloud in Belgium (europe-west1). Customer-uploaded files are stored in Cloudflare R2 with encryption at rest.
Do you encrypt data at rest and in transit?
Yes. Customer databases and object storage are encrypted at rest. All public endpoints are served over HTTPS with TLS 1.2+ via Cloudflare and Caddy.
Do you support SSO?
Google OAuth sign-in is supported today. SAML/OIDC enterprise SSO is on our roadmap for a future release.
How can I report a security issue?
Contact us at **support@trymarta.com**. We prioritize security reports and aim to acknowledge them within one business day.
Which subprocessors does Marta use?
Our primary subprocessors include Google Cloud (compute), Cloudflare (CDN, WAF, and R2 storage), Resend (email), Elastic Cloud (logging), GitHub (source control), and Google Analytics where enabled. See the Subprocessors page for details.
Have a question or report?
Reach our security team directly. We respond to vulnerability reports within one business day.