Security Whitepaper

Public-company customers entrust us with material non-public information. Our security architecture is designed for this responsibility from the database to the AI inference layer, with four independently auditable defense layers.

The thesis is that breach prevention through layered defenses, combined with rapid detection and immutable audit, produces a defensible posture that meets institutional procurement requirements while remaining operable by small teams.

Every Postgres table in the platform enables row-level security with policies scoped on issuer_id. The application server connects with a service role that respects these policies; there is no escape hatch in product code.

RLS policies are enforced at the database, not at the application. A SQL injection or application-layer bug cannot result in cross-tenant data access. Audit tests verify policy coverage on every CI build.

At-rest encryption uses AES-256-GCM. Each issuer has its own Data Encryption Key (DEK), wrapped under a Key Encryption Key (KEK) held in FIPS 140-2 validated cloud key management infrastructure (Google Cloud KMS).

In-transit encryption requires TLS 1.3 for all client and inter-service traffic. HSTS is enforced platform-wide. Internal service-to-service communication runs over the platform’s managed transport layer (Vercel Functions + Supabase Postgres).

End-to-end encryption (X25519 ECDH + Ed25519 signatures) is available as an opt-in for the board portal, using browser-side keypairs with private keys stored only in IndexedDB and the server holding ciphertext only.

Authentication is managed via Supabase Auth with JWT-based session tokens, refresh-token rotation, and short-lived access tokens. WebAuthn / FIDO2 is supported for passwordless authentication using platform authenticators or hardware security keys.

Administrative functions require multi-factor authentication. Step-up authentication is enforced for sensitive operations such as Vault publish, certification, and team-role changes.

The AI router classifies every document by sensitivity before any inference call. Public-record documents (SEC filings, OTC disclosures, press releases) route through the Gemini API for maximum extraction accuracy. Documents classified as material non-public information route through Vertex AI in a customer-isolated GCP VPC.

The Vertex AI environment is contractually configured against training, log retention, and human review. Inputs are encrypted in transit, processed in memory, and not persisted beyond the inference call. The classification decision and routing log are written to the immutable audit trail.

Every mutation to Vault records, Cap Table entries, filings, board actions, and material events is captured in the audit_logs table with actor identity, IP, timestamp, action category, target identifier, and full before/after snapshots.

The audit table is append-only at the database level. There are no soft deletes of mutation history. SOC 2-aligned retention applies. Customers can export the audit log on demand.

We monitor for authentication anomalies (impossible-travel, brute-force, credential-stuffing), API rate-limit violations, structural-integrity drift, and audit-log tampering attempts. Alerts route through PagerDuty with defined severity levels and on-call rotation.

ML-KEM hybrid key exchange is on our roadmap for forward-secrecy in anticipation of post-quantum cryptography migration. Hybrid mode runs the classical exchange in parallel for backward compatibility while introducing quantum-resistant material to the session key derivation.

Documented incident response plan with defined roles, communication templates, customer-notification triggers (72-hour breach commitment), and post-incident review process. The plan defines a quarterly tabletop cadence.

The full subprocessor list, including their security postures and processing scope, is maintained in our Data Processing Addendum. Customers receive 30 days' notice before any new subprocessor is engaged for personal data processing.

For SOC 2 evidence packages, vendor risk questionnaires, or architecture deep-dives under NDA, contact security@marketfortress.app.