Security Whitepaper

Public-company customers entrust us with material non-public information. Our security architecture is designed for this responsibility from the database to the AI inference layer, with four independently auditable defense layers.

The thesis is that breach prevention through layered defenses, combined with rapid detection and immutable audit, produces a defensible posture that meets institutional procurement requirements while remaining operable by small teams.

Every Postgres table in the platform enables row-level security with policies scoped on issuer_id. The application server connects with a service role that respects these policies; there is no escape hatch in product code.

RLS policies are enforced at the database, not at the application. A SQL injection or application-layer bug cannot result in cross-tenant data access. Audit tests verify policy coverage on every CI build.

At-rest encryption uses AES-256-GCM. Each issuer has its own Data Encryption Key (DEK), wrapped under a Key Encryption Key (KEK) that is held in a hardware security module attested to FIPS 140-3 Level 3.

In-transit encryption requires TLS 1.3 for all client and inter-service traffic. HSTS, certificate pinning for high-sensitivity flows, and mutual TLS for internal RPCs.

End-to-end encryption is available as an opt-in for board portal communications using browser crypto.subtle keypairs with server-side public-key registry.

Authentication is managed via Supabase Auth with JWT-based session tokens, refresh-token rotation, and short-lived access tokens. WebAuthn / FIDO2 is supported for passwordless authentication using platform authenticators or hardware security keys.

Administrative functions require multi-factor authentication. Step-up authentication is enforced for sensitive operations such as Vault publish, certification, and team-role changes.

The AI router classifies every document by sensitivity before any inference call. Public-record documents (SEC filings, OTC disclosures, press releases) route through the Gemini API for maximum extraction accuracy. Documents classified as material non-public information route through Vertex AI in a customer-isolated GCP VPC.

The Vertex AI environment is contractually configured against training, log retention, and human review. Inputs are encrypted in transit, processed in memory, and not persisted beyond the inference call. The classification decision and routing log are written to the immutable audit trail.

Every mutation to Vault records, Cap Table entries, filings, board actions, and material events is captured in the audit_logs table with actor identity, IP, timestamp, action category, target identifier, and full before/after snapshots.

The audit table is append-only at the database level. There are no soft deletes of mutation history. SOC 2-aligned retention applies. Customers can export the audit log on demand.

We monitor for authentication anomalies (impossible-travel, brute-force, credential-stuffing), API rate-limit violations, structural-integrity drift, and audit-log tampering attempts. Alerts route through PagerDuty with defined severity levels and on-call rotation.

Optional ML-KEM hybrid key exchange is available for forward-secrecy in anticipation of post-quantum cryptography migration. Hybrid mode runs the classical exchange in parallel for backward compatibility while introducing quantum-resistant material to the session key derivation.

Documented incident response plan with defined roles, communication templates, customer-notification triggers (72-hour breach commitment), and post-incident review process. Tabletop exercises run quarterly.

The full subprocessor list, including their security postures and processing scope, is maintained in our Data Processing Addendum. Customers receive 30 days' notice before any new subprocessor is engaged for personal data processing.

For SOC 2 evidence packages, vendor risk questionnaires, or architecture deep-dives under NDA, contact security@marketfortress.app.