Credentials at rest
Customer-authorized credentials live in Infisical. Human credentials and recovery material live in 1Password, not in code or agent definitions.
OperationalSecurity program in progress
Marshal designs, deploys, and operates agents with authority kept narrow, credentials kept out of agents, and customers kept in control of approvals and rules.
Practical safeguards for the systems, people, and agent authority behind Marshal's Managed AI Ops service. Select any category to see the underlying controls.
Trust is enforced through identity, credential, runtime, and recovery boundaries. Current gaps stay visible until they are closed and tested.
Customer-authorized credentials live in Infisical. Human credentials and recovery material live in 1Password, not in code or agent definitions.
OperationalEncrypted transport is required for application and administrative traffic across Marshal's managed cloud providers.
Documented commitmentCredentials are resolved for authorized work. Agents do not receive general vault access or become the durable credential owner.
Documented commitmentAutomated database backups, secrets recovery testing, and annual recovery exercises are explicit open work items.
In progressCurrent compliance status
Marshal is not currently SOC 2 or ISO 27001 certified. We are building a staged security program aligned to practical controls for a small managed-service operator. Independent assessment will follow when the Control Plane and Data Plane are sufficiently mature.
Access control, credential management, incident response, and business continuity.
Internal working assessment. Not submitted to CSA STAR.
No penetration-test or third-party audit claim is made today.
Pursued when operating maturity and buyer demand justify it.
Security library
Public summaries explain how Marshal handles trust. Detailed policies and diligence materials can be shared with qualified customers after review.
This page
Control Plane, Data Plane, and agent boundaries
Core providers and operating roles
security@runmarshal.com
Prepared for approval
Prepared for approval
Prepared for approval
Prepared for approval. Recovery objectives are not yet validated.
Internal draft. Not publication-ready.
Not yet available
Marshal uses established managed platforms for hosting, data, delivery, source control, credential management, and frontier-model access.
Composio is not currently deployed or authorized for production use. A formal subprocessor and data-location summary will be published after provider responsibilities and deployment regions are verified.
If you believe you have found a vulnerability affecting Marshal, please report it directly. We will acknowledge the report, investigate it, and keep you informed as we work toward resolution.
Report a vulnerability