Marintel is the platform of record for ship sale and purchase, newbuild contracts, and the confidential documents that move with each deal. Here is exactly how that data is protected.
What's live today
The following controls are live in production across every workspace on the platform.
Every request is automatically restricted to the workspace it belongs to. One customer's documents and records are never reachable from another's — enforced at the data layer, not just in application logic.
Our CI pipeline rejects any code change that could bypass workspace scoping. Customer separation cannot quietly erode as the product evolves — a breaking change fails the build before it ships.
If a request arrives without a verified workspace context it is denied outright. The default is "no", not "everything". Least-privilege room access is re-checked server-side on every request.
Key events are written to an append-only log. Each entry is cryptographically chained to the one before it and signed with Ed25519. Any later edit to, or deletion from, the historical record can be detected.
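The hash chaining behind such an append-only log, as an added example (not Marintel's code). It covers the chain only and leaves out the Ed25519 signature so that it runs on the Python standard library alone. The entry layout, the all-zero genesis value and the externally stored head hash are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev value of the first entry (assumed convention)


def entry_hash(seq, prev_hash, event):
    """SHA-256 over a canonical encoding of position, predecessor and event."""
    body = json.dumps({"seq": seq, "prev": prev_hash, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(log, event):
    """Append an event, binding it to the hash of the current last entry."""
    prev = log[-1]["hash"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "prev": prev, "event": event,
                "hash": entry_hash(seq, prev, event)})


def verify(log, expected_head=None):
    """Return (ok, reason). expected_head is a head hash kept outside the log
    (hypothetical anchor); it is what exposes removal of the newest entries."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i:
            return False, f"entry {i}: sequence gap (found seq {e['seq']})"
        if e["prev"] != prev:
            return False, f"entry {i}: does not link to predecessor"
        if e["hash"] != entry_hash(e["seq"], e["prev"], e["event"]):
            return False, f"entry {i}: content does not match its hash"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head hash differs from the anchored value"
    return True, "ok"


def build_sample():
    """Constructed sample events; not taken from any real log."""
    log = []
    for ev in ({"actor": "u1", "action": "room.open", "room": "r-100"},
               {"actor": "u2", "action": "doc.download", "doc": "d-7"},
               {"actor": "u1", "action": "member.remove", "user": "u2"}):
        append(log, ev)
    return log
```

Hashes alone do not stop someone who can rewrite the whole log from recomputing every entry; a signature over each entry hash, or a head hash held elsewhere, is what closes that gap.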
Sign-in uses email one-time passwords (OTP) — no passwords to store, leak, or brute-force. OTP comparisons use timing-safe equality checks to prevent timing attacks. Every session token is hashed before storage.
All connections are encrypted with TLS. Data at rest is encrypted with AES-256 across our infrastructure — both in the database and in object storage.
The API connects as a dedicated, non-owner role (marintel_api) that cannot bypass workspace policies. Every workspace is scoped at the database layer — Postgres policies enforce isolation, not just application logic. A query outside the bound workspace returns zero rows, period.
Data is hosted in the United States by default. Enterprise customers can select the data residency region of their choice as part of their agreement.
Security incidents are handled by our team on a 24/7 basis. Enterprise agreements include defined response-time commitments. To report a suspected security issue, contact support@marintel.co.
Engineered against SOC 2 and ISO 27001 control frameworks. We are not yet SOC 2 or ISO 27001 certified — formal Type 1 certification is an active roadmap item. We don't display badges we haven't earned.
Infrastructure
Marintel relies on a small set of established infrastructure providers, each independently certified. We maintain this list publicly and update it as it changes.
Data encrypted at rest (AES-256) and in transit, with encrypted daily backups.
Global cloud provider with the broadest and deepest compliance certifications.
Coming next
The following controls are designed and, in several cases, partially built, but are not yet live in production. We list them here so customers can see where the platform is heading.
For a security questionnaire, the current subprocessor list, the latest penetration test report under NDA, or a conversation about enterprise residency and self-hosting, reach out directly.