The information on this page is summarized from Marblism's official Trust Center. For the authoritative source, current attestations, and binding policies, visit marblism.com/trust-center.
Security & Trust · Sourced from Marblism's Trust Center

Security & Compliance at a glance.

A summary of Marblism's publicly stated security posture, certifications, and data handling practices. All claims below are sourced from Marblism's official Trust Center.

Three pillars, directly from Marblism.

Each statement below is paraphrased or quoted from the Marblism Trust Center.

CASA Tier 2 · Independently Audited

"Cloud Application Security Assessment passed against Google's Tier 2 requirements."

Marblism's CASA Tier 2 audit was performed by TAC Security and is based on the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS). The Letter of Validation is available as a public PDF download via the Marblism Trust Center.

  • CASA Tier 2 — passed
  • Audited by TAC Security
  • Based on OWASP ASVS
  • Letter of Validation publicly available

Your Data · Never Used for Training

"Your prompts, attachments, emails, calls and outputs are never used to train Marblism models — or any third-party model. Period."

Per the Marblism Trust Center: inference is routed to OpenAI, Anthropic, and Google under contracts that prohibit training on inference data. Customer data is isolated at the application, database, queue, and object-storage layers — AI Employees can only see the workspace they belong to.

  • No training on customer data — first or third party
  • OpenAI, Anthropic, Google routed under no-training contracts
  • Workspace data isolated at every layer
  • AI Employees see only their workspace

Encryption & Infrastructure

TLS 1.2+ in transit. AES-256 at rest. Keys managed in cloud-native KMS.

Per the Marblism Trust Center: encryption keys live in cloud-native KMS, are rotated on a documented schedule, and are never exposed to staff. Customer data is stored on Amazon Web Services in regions covered by SOC 2 Type II and ISO 27001 attestations. Connected accounts and OAuth tokens are encrypted with industry-standard cryptography.

  • TLS 1.2+ in transit · AES-256 at rest
  • Keys in cloud KMS — rotated, never exposed
  • AWS regions: SOC 2 Type II + ISO 27001
  • OAuth tokens encrypted

What Marblism states.

All statuses below are as published on the Marblism Trust Center.

  • CASA Tier 2: Certified. Audited by TAC Security · Based on OWASP ASVS
  • GDPR: Aligned. Data subject rights, lawful basis for processing, EU Standard Contractual Clauses
  • CCPA / CPRA: Aligned. "Marblism acts as a service provider and does not sell or share personal information"
  • Google API User Data Policy: Compliant. "Workspace data is used only to power features the user authorizes; never to train or improve generalized models"
  • PCI DSS: Compliant. Outsourced via Stripe (Level 1) · Card data tokenized at the browser, never traverses Marblism systems
  • AWS Infrastructure: Provider-attested. Regions covered by SOC 2 Type II and ISO 27001 attestations

How Marblism runs day to day.

Access Controls

  • "Marblism staff use SSO with mandatory MFA."
  • "Production access is gated through short-lived credentials with full audit logging."

Monitoring & Testing

  • 24/7 centralized logging, anomaly detection, on-call rotation
  • "Annual third-party penetration test, quarterly internal reviews"
  • "Automated SAST, DAST and dependency scanning on every commit"

Data Retention & Deletion

  • "Workspace is deactivated immediately and customer content is deleted within 30 days, except where retention is required by law."
  • "Full export is available on demand."

Vulnerability Reporting

  • Report to security@marblism.com
  • "Initial acknowledgement is sent within 24 hours."
  • Good-faith research protected from legal action

Who Marblism uses.

As listed on the Marblism Trust Center. All are US-based.

Amazon Web Services
OpenAI
Anthropic
Google Cloud
Stripe
Loops
Sentry
Mixpanel

A current Subprocessor List is available on request from Marblism.

Available from Marblism.

Public

  • Privacy Policy
  • Terms of Service
  • CASA Tier 2 Letter of Validation (PDF)

Available on Request

  • Data Processing Agreement (DPA)
  • Subprocessor List

Sourced answers, verbatim where possible.

Is my data used to train AI models?

Per the Marblism Trust Center: "Your prompts, attachments, emails, calls and outputs are never used to train Marblism models — or any third-party model. Period." Inference is routed to OpenAI, Anthropic, and Google under contracts that prohibit training on inference data.

Is my data encrypted?

Yes. Marblism states data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Encryption keys live in cloud-native KMS, are rotated on a documented schedule, and are never exposed to staff.

Where is my data stored?

On Amazon Web Services in regions covered by SOC 2 Type II and ISO 27001 attestations, per the Marblism Trust Center.

What happens when I cancel?

Per Marblism: "Workspace is deactivated immediately and customer content is deleted within 30 days, except where retention is required by law." A full data export is available on demand.

Can different team members have different access levels?

Yes. Marblism states customer data is isolated at the application, database, queue, and object-storage layers, and AI Employees can only see their assigned workspace.

How do I report a security vulnerability?

Email security@marblism.com. Marblism states initial acknowledgement is sent within 24 hours and good-faith research is protected from legal action.

Want the full picture?

For the authoritative, current, and binding source of Marblism's security and compliance information, visit the official Trust Center directly.


This page is operated by a Marblism strategic partner and provides a summary for convenience. All security claims, certifications, and policies are owned and maintained by Marblism. For binding documentation, refer to the official Trust Center.