Security and Privacy at Marblism

AI Employees see the inside of your operation: your inbox, your calendar, your contracts, your social accounts, your customer calls. This is why security and privacy are our top priority. Every layer of how we build, host and run the platform is designed to keep that access in your hands, and only your hands.

CASA Tier 2
Audited by TAC Security
AES-256
Encryption at rest
TLS 1.2+
Encryption in transit
24 / 7
Logging and on-call

Last updated April 2026

01 — Compliance

Frameworks and Certifications

Marblism's controls are not self-graded. The certifications and regulatory alignments below are tested by independent third parties on a regular basis. Letters of attestation are available under NDA from security@marblism.com.

CASA Tier 2
Audited by TAC Security
Cloud Application Security Assessment passed against Google's Tier 2 requirements.
Verified
GDPR
Regulation (EU) 2016/679
Data subject rights, lawful basis for processing, and EU Standard Contractual Clauses for international transfers.
Aligned
CCPA / CPRA
California, United States
Marblism acts as a service provider and does not sell or share personal information.
Aligned
Google API User Data Policy
Google Limited Use
Workspace data is used only to power features the user authorizes; never to train or improve generalized models.
Compliant
PCI DSS
Outsourced via Stripe (Level 1)
Card data is tokenized at the browser and never traverses Marblism systems.
Compliant

02 — CASA Tier 2 assessment

Statement of Validation

Marblism passed the Cloud Application Security Assessment (CASA) at Tier 2. Every category required by the assessment was evaluated and passed — your data, your credentials, your sessions, your access controls, all the way through.

The assessment was conducted by TAC Security, an independent third-party lab authorized by the App Defense Alliance to conduct CASA security assessments.

About CASA

CASA is based on the industry-recognized Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS). It provides third-party application developers with:

  • A basis for testing technical application security controls.
  • A consistent set of requirements for secure application development.
  • Homogenized coverage and assurance levels for security verification using industry-aligned frameworks and open security standards.

Assessment Scope

The assessment was conducted using CASA requirements. Not all requirements apply to every application. Some requirements are validated based on pre-existing certifications mapped to the CASA framework.

Category / Status
  • Architecture, Design and Threat Modeling Requirements: Pass
  • Authentication Verification Requirements: Pass
  • Session Management Verification Requirements: Pass
  • Access Control Verification Requirements: Pass
  • Validation, Sanitization and Encoding Verification Requirements: Pass
  • Stored Cryptography Verification Requirements: Pass
  • Error Handling and Logging Verification Requirements: Pass
  • Data Protection Verification Requirements: Pass
  • Communications Verification Requirements: Pass
  • Malicious Code Verification Requirements: Pass
  • Business Logic Verification Requirements: Pass
  • File and Resources Verification Requirements: Pass
  • API and Web Service Verification Requirements: Pass
  • Configuration Verification Requirements: Pass

The CASA Tier 2 letter of attestation issued by TAC Security is available under NDA. Contact security@marblism.com.

03 — Security controls

Security Controls

Six commitments we make to every customer, applied consistently across the production environment.

Your data is encrypted, end to end

Everything you send to Marblism is protected with TLS 1.2+ in transit and AES-256 at rest. Encryption keys live in cloud-native KMS, are rotated on a documented schedule, and are never exposed to staff.

Your data lives on hardened infrastructure

Customer data is processed and stored on Amazon Web Services in regions covered by SOC 2 Type II and ISO 27001 attestations. Every endpoint sits behind a WAF, rate limiting, and DDoS mitigation.

Your workspace is fully isolated

We isolate customer data at the application, database, queue, and object-storage layers. Your AI Employees can only see your workspace — never another customer's data.

Your credentials are safe

Connected accounts and OAuth tokens are encrypted with industry-standard cryptography and stored separately from customer content. Marblism staff use SSO with mandatory MFA, and production access is gated through short-lived credentials with full audit logging.

Your activity is monitored 24/7

Centralized logging, anomaly detection, and an on-call rotation watch the platform around the clock. Suspicious activity automatically triggers rate limits and human review.

Your platform is tested by humans, not just code

Marblism runs an annual third-party penetration test, quarterly internal reviews, and automated SAST, DAST and dependency scanning on every commit before code reaches production.

04 — AI & data

Commitments to Data Privacy and Security

AI Employees only see what they need to do the job you asked for. Three commitments make that boundary unambiguous.

Your data never trains a model

Your prompts, attachments, emails, calls and outputs are never used to train Marblism models — or any third-party model. Period.

Your prompts go only to vetted partners

Inference is routed to OpenAI, Anthropic and Google under contracts that prohibit training on inference data and require zero or short-term retention. No other AI provider sees your data.

You stay in control of every sensitive action

Sending email, posting publicly, signing or returning contracts, and outbound calls all wait for your explicit approval before an AI Employee acts. AI Employees draft — you decide.

05 — Subprocessors

Subprocessor Vendors

We only work with vendors who meet the same security bar we hold ourselves to. The full list, including DPA references, is available on request.

  • Amazon Web Services
    Compute, storage, databases
    US
  • OpenAI
    Large language model inference
    US
  • Anthropic
    Large language model inference
    US
  • Google Cloud
    Workspace OAuth and Gemini inference
    US
  • Stripe
    Payment processing
    US
  • Loops
    Transactional email delivery
    US
  • Sentry
    Application error monitoring
    US
  • Mixpanel
    Product analytics (US instance)
    US

07 — FAQ

Frequently Asked Questions

Where is customer data stored?

Customer data is stored in Amazon Web Services (us-east-1).

Do you train AI models on customer data?

No. Customer content is not used to train Marblism models or any third-party model. Our agreements with OpenAI, Anthropic and Google explicitly prohibit training on inference data.

How are different customers isolated from one another?

Each workspace is isolated at the application, database, and storage layer. AI Employees can only read data scoped to the workspace they belong to and the third-party accounts the workspace owner has connected.

How do you handle Google Workspace data?

Marblism follows Google's Limited Use requirements. Gmail, Drive, Calendar and Docs data is accessed only to perform actions the user has authorized — never sold, never used for advertising, never used for model training. Access can be revoked at any time from the user's Google account.

What happens to customer data after cancellation?

The workspace is deactivated immediately and customer content is deleted within 30 days, except where retention is required by law. A full export is available on demand.

Are audit reports available?

Yes. The CASA Tier 2 letter of attestation and the Marblism Security Whitepaper are available under NDA. Contact security@marblism.com.

Do you support SSO and SCIM?

SAML SSO (Okta, Google Workspace, Microsoft Entra) and SCIM provisioning are not currently available.

How do I report a security vulnerability?

Email security@marblism.com with a description and reproduction steps. Initial acknowledgement is sent within 24 hours and the reporter is kept informed until the issue is resolved.

Contact

Reporting a vulnerability

Tell us first. Email security@marblism.com with a description and reproduction steps. Acknowledgement goes out within 24 hours, and we don't pursue legal action against good-faith research conducted under the disclosure guidelines below.

Disclosure guidelines

  • Do not access, modify or delete data that is not your own.
  • Do not run automated scanners against production at a rate that affects availability.
  • Allow Marblism a reasonable window to remediate before public disclosure.
  • Use a test workspace whenever possible. Never social engineer staff or customers.

We care deeply about your privacy and security.