Skip to content

Security program in progress

Security for managed AI operations.

Marshal designs, deploys, and operates agents with authority kept narrow, credentials kept out of agents, and customers kept in control of approvals and rules.

Control Plane owns trustData Plane borrows authorityAgents never own credentials

Founder-led teams use Marshal

Security controls

Practical safeguards for the systems, people, and agent authority behind Marshal's Managed AI Ops service. Select any category to see the underlying controls.

OperationalDocumented commitmentIn progress

Data protection

Trust is enforced through identity, credential, runtime, and recovery boundaries. Current gaps stay visible until they are closed and tested.

Credentials at rest

Customer-authorized credentials live in Infisical. Human credentials and recovery material live in 1Password, not in code or agent definitions.

Operational

Transport protection

Encrypted transport is required for application and administrative traffic across Marshal's managed cloud providers.

Documented commitment

Scoped agent runtime

Credentials are resolved for authorized work. Agents do not receive general vault access or become the durable credential owner.

Documented commitment

Backup and recovery

Automated database backups, secrets recovery testing, and annual recovery exercises are explicit open work items.

In progress

Current compliance status

Building the program before the badge.

Marshal is not currently SOC 2 or ISO 27001 certified. We are building a staged security program aligned to practical controls for a small managed-service operator. Independent assessment will follow when the Control Plane and Data Plane are sufficiently mature.

Internal policies drafted

Access control, credential management, incident response, and business continuity.

CAIQ readiness baseline complete

Internal working assessment. Not submitted to CSA STAR.

Independent security assessment planned

No penetration-test or third-party audit claim is made today.

SOC 2 deferred

Pursued when operating maturity and buyer demand justify it.

Security library

Answers before the questionnaire.

Public summaries explain how Marshal handles trust. Detailed policies and diligence materials can be shared with qualified customers after review.

Public

Credential-handling principles

Control Plane, Data Plane, and agent boundaries

Infrastructure and provider summary

Core providers and operating roles

View providers

Available after review

Access Control Policy

Prepared for approval

Secrets and Credential Management Policy

Prepared for approval

Incident Response Policy

Prepared for approval

Business Continuity and Disaster Recovery Plan

Prepared for approval. Recovery objectives are not yet validated.

CAIQ v4.1 readiness baseline

Internal draft. Not publication-ready.

Vulnerability assessment

Not yet available

Core service providers

Marshal uses established managed platforms for hosting, data, delivery, source control, credential management, and frontier-model access.

VercelSupabaseCloudflareGitHubInfisical1PasswordOpenAIAnthropicComposio, planned

Composio is not currently deployed or authorized for production use. A formal subprocessor and data-location summary will be published after provider responsibilities and deployment regions are verified.

Responsible disclosure

If you believe you have found a vulnerability affecting Marshal, please report it directly. We will acknowledge the report, investigate it, and keep you informed as we work toward resolution.

Report a vulnerability