Attestation Letter

I, the Chief Executive Officer of Market Fortress, attest that the security and privacy practices described in our public Security Statement and Security Whitepaper accurately reflect the controls in operation as of the date of this letter.

Specifically, I confirm that:

1. Material non-public information uploaded to the Service is encrypted at rest using AES-256-GCM with per-issuer key isolation, and processed in a customer-isolated GCP VPC where applicable.
2. Row-level security is enforced at the database for every customer-facing table.
3. Every mutation is captured in an immutable audit log with actor identity, IP, timestamp, and before/after snapshots.
4. AI inference for material non-public information is contractually prohibited from being used to train shared models or accessed by Google or any third party.
5. The platform was designed against SOC 2 Trust Services Criteria from inception, with documented controls under continuous review.

The security organization reports directly to me. Material changes to the security posture, breach events, or significant incident-response activity are escalated to executive leadership and, where applicable, customer notification within 72 hours of confirmed identification.

This letter is issued in support of customer security questionnaires, vendor risk assessments, and procurement processes. It is provided in good faith but does not constitute a formal SOC 2 attestation, which is performed by an independent auditor under separate engagement.

Customers and prospective customers may direct security inquiries to security@marketfortress.app.

Sincerely,