The Fortress Standard

Four layers around the data.

SOC 2 ready. AES-256 at rest, per-issuer key isolation, row-level security on every table, and an immutable mutation log. The platform was built around the handling requirements for material non-public information rather than retrofitted to them.

Layer diagram: MNPI PROTECTED · L4 Audit · L3 AI Isolation · L2 Encryption · L1 RLS · The Fortress Standard · 4 Layers
Defense Layers

Server-side enforcement on every layer. Every layer independently auditable.

01

Multi-tenant isolation

Row-level security on every Postgres table. Queries scoped by issuer_id at the policy layer. Cross-tenant access is blocked at the database, not in application code.
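A worked Postgres example of this layer, added here as an illustration; it is not the Market Fortress schema or policy text. The table, the app_user role, the UUIDs and the app.issuer_id session setting are assumptions, since the page only states that policies are scoped by issuer_id. It also shows the two checks a practitioner wants: that a narrower WHERE clause cannot widen the policy, and that a request with no tenant set sees nothing rather than everything.

```sql
-- Added example (not the platform's schema). Assumptions: the application
-- connects as role app_user, and the server sets app.issuer_id per request
-- from the authenticated session, never from client-supplied input.
CREATE ROLE app_user NOLOGIN;

CREATE TABLE filings (
    id        bigserial PRIMARY KEY,
    issuer_id uuid NOT NULL,
    body      text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON filings TO app_user;
GRANT USAGE, SELECT ON SEQUENCE filings_id_seq TO app_user;

ALTER TABLE filings ENABLE ROW LEVEL SECURITY;
-- Without FORCE, the table owner silently bypasses its own policies.
ALTER TABLE filings FORCE ROW LEVEL SECURITY;

-- nullif() turns an unset or empty setting into NULL, so a request that
-- forgot to set the tenant matches no rows instead of every row.
CREATE POLICY filings_tenant_isolation ON filings
    FOR ALL TO app_user
    USING      (issuer_id = nullif(current_setting('app.issuer_id', true), '')::uuid)
    WITH CHECK (issuer_id = nullif(current_setting('app.issuer_id', true), '')::uuid);

-- Constructed sample data: two tenants.
INSERT INTO filings (issuer_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'Issuer A draft'),
    ('22222222-2222-2222-2222-222222222222', 'Issuer B draft');

-- Check 1: as the app role, scoped to issuer A.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.issuer_id = '11111111-1111-1111-1111-111111111111';
SELECT count(*) FROM filings;                      -- only issuer A's row is visible
SELECT count(*) FROM filings
 WHERE issuer_id = '22222222-2222-2222-2222-222222222222';   -- issuer B's row is filtered out before WHERE runs
INSERT INTO filings (issuer_id, body)
VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');   -- rejected by WITH CHECK
ROLLBACK;

-- Check 2: the app role with no tenant set at all sees nothing.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM filings;
ROLLBACK;
```

Two caveats belong with this. Superusers and any role with the BYPASSRLS attribute skip policies entirely, so the credentials the application uses must be an ordinary role that does not own the table. And the policy trusts app.issuer_id: it isolates tenants only if the server sets it from the authenticated session, because any database role can run SET on a custom setting.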

02

App-layer encryption

AES-256-GCM for MNPI at rest. Per-issuer key isolation backed by a FIPS 140-2 validated cloud KMS. Data encryption keys wrapped per user.

03

AI data isolation

Gemini for public records. Vertex AI for MNPI, under Google Cloud enterprise terms with no training-data use, no log retention, and no human review.

04

Audit and immutability

There are no soft deletes. Every mutation is logged with user, IP, timestamp, and before/after snapshots. Vault records are permanently sealed.

AI Data Isolation

MNPI stays inside the tenant boundary.

Public-record documents route through Gemini for extraction accuracy. Documents classified as material non-public information route through Vertex AI inside a GCP VPC, under contractual terms that prohibit training-data use and exclude human review. Every routing decision is recorded in an append-only audit table.

For Securities Counsel

The platform is a tool. Counsel signs.

Market Fortress drafts, surfaces, and routes. It does not file. The signing attorney remains the responsible party on every submission, with a complete record of what was reviewed, when, and by whom.

01

AI drafts only. Counsel signs.

Every Concierge-drafted section moves to a counsel review state before it locks. No filing leaves the platform without an explicit counsel sign-off recorded in the audit trail.

02

Frozen Vault snapshot per section.

The Vault state at draft time is hashed and stored alongside the section. Counsel can replay the exact context the AI used, line by line, months after the fact.

03

Privilege-scoped comments.

Comments and notes scoped to the counsel role live in a partition with no service-provider access. The platform operator cannot read attorney work product.

04

Full data extraction at exit.

The issuer can extract the complete dataset (32 tables, JSON and CSV) at any time, including on contract termination. There is no lock-in at the data layer.

05

Append-only audit log.

Every mutation is recorded with user, IP, timestamp, before/after snapshots, and a hash chain. The log is reviewable from inside the platform and exportable.
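The log described here and under Defense Layer 04 (user, IP, timestamp, before/after snapshots, hash chain, no soft deletes), as an added Postgres example; none of it is the platform's own code. The table layout, the app.user_id and app.client_ip session settings, the vault_records table and the sample rows are assumptions made for the illustration. Beyond what the text states, it includes the verification query that recomputes the chain and the trigger that makes the table append-only at the database.

```sql
-- Added example, not the platform's code. Assumes PostgreSQL 11+ with pgcrypto
-- (for digest) and that the server sets app.user_id and app.client_ip per request.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE audit_log (
    seq         bigserial   PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT clock_timestamp(),
    actor_id    text,
    actor_ip    inet,
    table_name  text        NOT NULL,
    op          text        NOT NULL CHECK (op IN ('INSERT', 'UPDATE', 'DELETE')),
    before_row  jsonb,
    after_row   jsonb,
    prev_hash   bytea,               -- row_hash of the preceding entry; NULL for the first
    row_hash    bytea       NOT NULL
);

-- One serialization shared by the writer and the verifier. A jsonb object's
-- text form is canonical, so the digest is stable however the row is re-read.
CREATE OR REPLACE FUNCTION audit_digest(
    prev bytea, occurred timestamptz, actor text, ip inet,
    tbl text, operation text, before_row jsonb, after_row jsonb) RETURNS bytea
LANGUAGE sql STABLE AS $$
    SELECT digest(jsonb_build_object(
        'prev',   encode(prev, 'hex'),
        'at',     to_char(occurred AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US"Z"'),
        'actor',  actor,
        'ip',     host(ip),
        'table',  tbl,
        'op',     operation,
        'before', before_row,
        'after',  after_row)::text, 'sha256')
$$;

-- Link each new entry to the current tail before it is written.
CREATE OR REPLACE FUNCTION audit_log_link() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    -- Serialize appenders so two entries can never claim the same predecessor.
    PERFORM pg_advisory_xact_lock(hashtext('audit_log')::bigint);
    SELECT row_hash INTO NEW.prev_hash FROM audit_log ORDER BY seq DESC LIMIT 1;
    NEW.row_hash := audit_digest(NEW.prev_hash, NEW.occurred_at, NEW.actor_id, NEW.actor_ip,
                                 NEW.table_name, NEW.op, NEW.before_row, NEW.after_row);
    RETURN NEW;
END $$;

-- No soft deletes and no rewrites: refuse UPDATE, DELETE and TRUNCATE outright.
CREATE OR REPLACE FUNCTION audit_log_immutable() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only; % is not permitted', TG_OP;
END $$;

CREATE TRIGGER audit_log_link BEFORE INSERT ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_link();
CREATE TRIGGER audit_log_immutable BEFORE UPDATE OR DELETE OR TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Capture user, IP and before/after snapshots of every row change on an audited table.
CREATE OR REPLACE FUNCTION record_mutation() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    v_before jsonb;
    v_after  jsonb;
BEGIN
    IF TG_OP <> 'INSERT' THEN v_before := to_jsonb(OLD); END IF;
    IF TG_OP <> 'DELETE' THEN v_after  := to_jsonb(NEW); END IF;
    INSERT INTO audit_log (actor_id, actor_ip, table_name, op, before_row, after_row)
    VALUES (nullif(current_setting('app.user_id', true), ''),
            nullif(current_setting('app.client_ip', true), '')::inet,
            TG_TABLE_NAME, TG_OP, v_before, v_after);
    RETURN NULL;   -- AFTER trigger; the return value is ignored
END $$;

-- Constructed sample table and mutations.
CREATE TABLE vault_records (id bigserial PRIMARY KEY, issuer_id uuid NOT NULL, body text NOT NULL);
CREATE TRIGGER vault_records_audit AFTER INSERT OR UPDATE OR DELETE ON vault_records
    FOR EACH ROW EXECUTE FUNCTION record_mutation();

SELECT set_config('app.user_id', 'counsel-42', false), set_config('app.client_ip', '203.0.113.7', false);
INSERT INTO vault_records (issuer_id, body) VALUES ('11111111-1111-1111-1111-111111111111', 'Q3 revenue: draft');
UPDATE vault_records SET body = 'Q3 revenue: reviewed' WHERE id = 1;

-- Verify the chain: every entry must point at its predecessor and re-hash to itself.
SELECT seq, op,
       prev_hash IS NOT DISTINCT FROM lag_hash AS linked,
       row_hash = audit_digest(lag_hash, occurred_at, actor_id, actor_ip,
                               table_name, op, before_row, after_row) AS intact
FROM (SELECT *, lag(row_hash) OVER (ORDER BY seq) AS lag_hash FROM audit_log) a
ORDER BY seq;

-- Rewriting history is refused by the database, whatever the application does.
DELETE FROM audit_log WHERE seq = 1;
```

The verification query flags a row whose contents were altered (intact false) or whose predecessor no longer matches (linked false). Two limits are worth knowing. A hash chain cannot detect removal of its newest entries, since the remaining prefix still verifies; that is why the latest row_hash, or the exported log, needs to be kept somewhere the operator cannot rewrite. And the immutability trigger binds the application role only: the table owner can drop it, so the application must not own audit_log. The advisory lock also serializes every transaction that writes an audited table, which is the price of an unambiguous chain order.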

06

Uptime targets.

99.9% target during US market hours. Status and historical incidents will publish at status.marketfortress.app once the founding cohort is seated. Under load, non-critical workloads are throttled before filing-deadline traffic.

For specific contractual language on liability, indemnification, or service-level commitments, request the master subscription agreement at legal@marketfortress.app.

Responsible Disclosure

Vulnerability Disclosure Policy

If you discover a vulnerability in the Market Fortress platform, we want to hear from you. We follow coordinated disclosure and will acknowledge every report within 2 business days.

Acknowledge in 2 business days

Every report receives an acknowledgment. We will confirm receipt and assign an internal ticket number.

Triage within 7 calendar days

We will assess severity, scope, and exploitability and communicate a remediation timeline.

Safe harbor for good-faith researchers

Market Fortress will not pursue legal action against researchers who comply with this policy and limit testing to their own accounts.

What to include in your report

A clear description of the vulnerability and its potential impact. The affected URL, endpoint, or component. Step-by-step reproduction instructions, including any payloads or request/response samples (do not exploit beyond what is necessary to demonstrate the vulnerability). Your name or handle if you wish to be credited.

Out of scope

Denial-of-service attacks. Social engineering of employees or customers. Physical security testing. Attacks requiring a compromised device or MitM certificate. Findings from automated scanners without demonstrated exploitability. Self-XSS and clickjacking on non-sensitive pages. Third-party services not directly operated by Market Fortress (Supabase, Vercel, Stripe, Resend, Google Cloud, DocuSign, Plaid).

Coordinated disclosure

Please notify us before publishing or sharing findings. We ask for a minimum of 90 days from acknowledgment before public disclosure, unless we agree to a shorter timeline. We will credit researchers by name or handle in our advisories unless you prefer anonymity.

Scope

In scope: marketfortress.app and all subdomains, the Market Fortress REST API (v1), the TypeScript SDK (@marketfortress/sdk), authentication flows, data isolation controls. Contact us if you are uncertain whether a specific testing activity is in scope before proceeding.

Prefer email? Send reports directly to security@marketfortress.app. The full policy is available in SECURITY.md.

Have a security question?

Our security team responds within one business day. We have answers for every standard vendor risk assessment.

Security Overview | Market Fortress