Marintel
Security

Built to protect what matters most.

Marintel is the platform of record for ship sale and purchase, newbuild contracts, and the confidential documents that move with each deal. Here is exactly how that data is protected.

Independent Penetration Testing
Marintel undergoes external penetration testing on a recurring monthly basis by a third-party security firm. The most recent report is available to enterprise prospects on request under NDA.

What's live today

Protection at every layer

The following controls are live in production across every workspace on the platform.

Workspace Isolation

Every request is automatically restricted to the workspace it belongs to. One customer's documents and records are never reachable from another's — enforced at the data layer, not just in application logic.

Regression-Resistant Build Pipeline

Our CI pipeline rejects any code change that could bypass workspace scoping. Customer separation cannot quietly erode as the product evolves — a breaking change fails the build before it ships.

Fail-Closed Access Control

If a request arrives without a verified workspace context it is denied outright. The default is "no", not "everything". Least-privilege room access is re-checked server-side on every request.

Tamper-Evident Audit Trail

Key events are written to an append-only log. Each entry is cryptographically chained to the one before it and signed with Ed25519. Any later edit to, or deletion from, the historical record can be detected.
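
An added example, not Marintel's own code, of how a hash-chained, Ed25519-signed log lets a verifier pinpoint an edited or removed entry. The entry layout, the use of SHA-256 for the chain, and all function and event names are assumptions.

```javascript
// Added illustration, not Marintel's code. Entry layout, SHA-256 and names are assumptions.
const crypto = require('crypto');

const GENESIS = '0'.repeat(64); // constructed "previous hash" for the first entry

// The hash binds the sequence number, the previous entry's hash and the event body.
function entryHash(seq, prev, event) {
  return crypto.createHash('sha256').update(JSON.stringify([seq, prev, event])).digest('hex');
}

// Append an event: link it to the current tail, then sign the resulting hash.
function append(log, event, privateKey) {
  const seq = log.length;
  const prev = seq === 0 ? GENESIS : log[seq - 1].hash;
  const hash = entryHash(seq, prev, event);
  const sig = crypto.sign(null, Buffer.from(hash, 'hex'), privateKey).toString('base64');
  log.push({ seq, prev, event, hash, sig });
}

// Walk the log; return the index of the first entry that fails, or -1 if intact.
function firstBadEntry(log, publicKey) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const ok = e.seq === i && e.prev === prev &&
      e.hash === entryHash(e.seq, e.prev, e.event) &&
      crypto.verify(null, Buffer.from(e.hash, 'hex'), publicKey, Buffer.from(e.sig, 'base64'));
    if (!ok) return i;
    prev = e.hash;
  }
  return -1;
}

// Constructed sample events, then three kinds of tampering against copies of the log.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const log = [];
  for (const type of ['room.opened', 'document.viewed', 'document.downloaded', 'room.closed']) {
    append(log, { type }, privateKey);
  }
  const copy = () => JSON.parse(JSON.stringify(log));
  const edited = copy();
  edited[1].event.type = 'document.listed';            // body changed, hash left alone
  const deleted = copy().filter((e) => e.seq !== 2);   // entry removed from the middle
  const rehashed = copy();
  rehashed[3].event.type = 'room.archived';            // body changed and hash recomputed,
  rehashed[3].hash = entryHash(3, rehashed[3].prev, rehashed[3].event); // but no signing key
  const check = (l) => firstBadEntry(l, publicKey);
  return { intact: check(log), edited: check(edited), deleted: check(deleted), rehashed: check(rehashed) };
}
console.log(demo());
```

In this example, removing entries from the tail of the log is not caught by the chain alone; that requires the latest hash or entry count to be recorded somewhere outside the log.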

Passwordless Authentication

Sign-in uses email one-time passwords (OTP) — no passwords to store, leak, or brute-force. OTP comparisons use timing-safe equality checks to prevent timing attacks. Every session token is hashed before storage.

Encryption in Transit & at Rest

All connections are encrypted with TLS. Data at rest is encrypted with AES-256 across our infrastructure — both in the database and in object storage.

Database-Enforced Row-Level Security

The API connects as a dedicated, non-owner role (marintel_api) that cannot bypass workspace policies. Every workspace is scoped at the database layer — Postgres policies enforce isolation, not just application logic. A query outside the bound workspace returns zero rows, period.

Data Residency

Data is hosted in the United States by default. Enterprise customers can select the data residency region of their choice as part of their agreement.

Incident Response

Security incidents are handled by our team on a 24/7 basis. Enterprise agreements include defined response-time commitments. To report a suspected security issue, contact support@marintel.co.

Compliance Posture

Engineered against SOC 2 and ISO 27001 control frameworks. We are not yet SOC 2 or ISO 27001 certified — formal Type 1 certification is an active roadmap item. We don't display badges we haven't earned.

Infrastructure

Subprocessors

Marintel relies on a small set of established infrastructure providers, each independently certified. We maintain this list publicly and update it as it changes.

Supabase
Managed database infrastructure

Data encrypted at rest (AES-256) and in transit, with encrypted daily backups.

✓ SOC 2 Type 2 ✓ ISO 27001

Amazon Web Services
Cloud infrastructure & storage

Global cloud provider with the broadest and deepest compliance certifications.

✓ SOC 2 ✓ ISO 27001 ✓ FedRAMP

Coming next

Security roadmap

The following controls are designed and, in several cases, partially built, but are not yet live in production. We list them here so customers can see where the platform is heading.

KMS-backed per-workspace encryption keys
Centrally managed encryption keys with the option of a distinct key per customer workspace.
Zero-trust network architecture
No implicit trust between internal services; every internal call authenticated and authorized.
Field-level PII encryption at rest
Encryption of specific high-sensitivity fields, in addition to full-disk encryption.
SOC 2 Type 1 certification
Formal third-party attestation of our controls — an active roadmap item.
Self-hosted enterprise deployment
A dedicated deployment option for enterprise customers requiring full control within their own environment.

Talk to our security team

For a security questionnaire, the current subprocessor list, the latest penetration test report under NDA, or a conversation about enterprise residency and self-hosting, reach out directly.
