Security & Trust

Last updated: 7/3/2026.

Marcora (MarketCore LLC) gives go-to-market teams governed, on-brand context infrastructure for AI content. This page documents how we protect your data, exactly what is and isn't independently certified today, and what's on our roadmap: the answers a security review needs, stated plainly. Anything not covered here: security@marcora.ai.

Infrastructure and inherited compliance

Marcora runs on a small, deliberately chosen stack of independently audited providers, with our core backend on dedicated, single-tenant infrastructure.

ProviderRoleTheir certificationsWhat Marcora inherits
XanoApplication backend + database (Google Cloud, US)SOC 2 Type 2, ISO 27001, GDPR Physical, network, and infrastructure controls; encryption at rest; audited platform operations
NetlifyWeb application hosting / CDNSOC 2 Type 2, ISO 27001, ISO 27018Edge security, build pipeline, DDoS protection
AnthropicAI content generation (API)SOC 2 Type 2, ISO 27001:2022, ISO 42001No training on your data; limited API retention
OpenAIAI content generation (API)SOC 2 Type 2, ISO 27001:2022No training on your data; limited API retention
StripePaymentsPCI DSS Level 1, SOC 2We never store card data
RailwayHosting for integration services (US)SOC 2 Type 2, SOC 3Audited hosting for our MCP and messaging relays
ReplitHosting for file delivery + document conversion (US, on Google Cloud)SOC 2 Type 2Audited hosting; isolated cloud project
Mailgun (Sinch)Transactional emailSOC 2 Type 1 & 2, ISO 27001Audited email delivery
ComposioThird-party integrations layerSOC 2 Type 2, ISO 27001:2022Audited integration handling
PostHogProduct analyticsSOC 2 Type 2Audited analytics processing
OneSignalOpt-in notification emailsSOC 2 Type 2, ISO 27001, ISO 27701Audited notification delivery

What's independently certified, and what isn't: the certifications above are held by our infrastructure providers, and Marcora inherits the physical, network, and infrastructure controls they cover. Marcora (MarketCore LLC) has not yet completed its own independent SOC 2 or ISO 27001 audit. Our compliance roadmap is below, and enterprise customers can request our security documentation package at security@marcora.ai.

Encryption

  • In transit: TLS 1.2+ on all connections.
  • At rest: provided by our infrastructure providers, plus application-level AES-256-GCM encryption (per-file random IVs, authenticated encryption, dedicated key management) for files in our file-delivery service.

Your data and AI

  • You own your content. We process it only to provide the Service.
  • Your content is not used to train AI models. We use Anthropic's and OpenAI's commercial APIs, under which inputs and outputs are not used for model training.
  • Data residency: Marcora is hosted in the United States (Google Cloud).

Access controls

  • Workspace role-based access control: admin, creator, and collaborator roles.
  • Least-privilege access to production systems; multi-factor authentication on all administrative and infrastructure accounts.
  • Programmatic access (API and MCP server) is authorized via OAuth 2.0 or workspace-scoped API keys that customers manage and can revoke at any time.
  • Signed, expiring URLs (15-minute validity) for file downloads.

Data retention and deletion

  • Cancelling a subscription downgrades you to our free tier; your data stays yours and stays put.
  • Account deletion (in-app or via support@marcora.ai) is completed within 30 days, except where law requires retention.
  • Your data is exportable at any time; you are never locked in.

Business continuity

  • Automated backups via our infrastructure providers; data exportable at any time in standard formats.
  • For enterprise agreements we offer continuity assurances on request, including data-export guarantees and escrow arrangements.

Responsible disclosure

Found a vulnerability? Email security@marcora.ai. We acknowledge reports within 2 business days.

Compliance roadmap

  • Today: independently audited (SOC 2 Type 2 / ISO 27001) infrastructure across every provider in our stack; application-level file encryption; DPA available on request; this page.
  • Next: documented internal security policies (access, incident response, retention); subprocessor-change notifications.
  • Planned: independent application-layer penetration testing; SSO and MFA for customer accounts; SOC 2 certification for MarketCore LLC.

Enterprise prospects: request our security documentation package at security@marcora.ai. It includes our security overview and DPA, plus direct paths to our infrastructure providers' own trust portals (Xano, Railway, PostHog, and others), where their attestation reports are available first-hand.

Scroll to Top