Security Statement

Our security program in plain language. The technical companion to our compliance and privacy commitments.

Effective: February 1, 2026
01

Overview

Security is foundational to Market Fortress because public-company customers entrust us with material non-public information. Our four-layer defense model is designed for this responsibility from the database to the AI inference layer.

02

Multi-Tenant Isolation

Every Postgres table enforces row-level security scoped by issuer_id. Application code cannot bypass it. There is no path for one customer's queries to return another customer's data, by construction.

03

Encryption

All material non-public information is encrypted at rest with AES-256-GCM. All client and inter-service traffic is encrypted in transit with TLS 1.3. Data Encryption Keys are wrapped per user with Key Encryption Keys held in FIPS 140-3 compliant hardware security modules.

04

Identity and Access

Authentication is managed via Supabase Auth with WebAuthn / FIDO2 passwordless support and mandatory MFA for administrative functions. Session tokens are short-lived JWTs with refresh-token rotation.

05

AI Data Isolation

Public-record documents route through the Gemini API for maximum extraction accuracy. Documents classified as material non-public information route to Vertex AI in a customer-isolated GCP VPC. Vertex inputs are contractually prohibited from training shared models or being accessed by Google or any third party.

06

Audit and Immutability

Every mutation to Vault records, Cap Table entries, filings, board actions, and material events is logged with actor identity, IP, timestamp, and full before/after snapshots. The audit table is append-only at the database level. There are no soft deletes of mutation history.

07

Monitoring and Incident Response

We continuously monitor authentication anomalies, rate limits, and structural integrity. Our incident response plan has defined roles, communication templates, and a 72-hour breach-notification commitment.

08

Post-Quantum Hybrid Mode

We support optional ML-KEM hybrid key exchange alongside classical algorithms for forward secrecy in the post-quantum era. It is available to Enterprise customers as a configuration option.

09

Vulnerability Reporting

If you discover a security vulnerability, please report it to security@marketfortress.app. We acknowledge within one business day and provide regular updates through resolution. We do not pursue legal action against good-faith researchers.

10

Documentation

For deeper technical detail, see our Security Whitepaper, Attestation Letter, and Security One-Pager.

Effective February 1, 2026. © 2026 Market Fortress.
Questions? legal@marketfortress.app