Martech LLC is engineered to be secure by default. This page describes our posture in plain language. We deliberately omit infrastructure specifics that would only help reconnaissance — if you're evaluating us under an NDA, the founder can walk you through detail.
Encryption
All traffic between your browser and Martech LLC is encrypted with TLS. All application data at rest is encrypted using the encryption primitives of our managed data providers. Secrets (API keys, password hashes, session keys) are stored only as bcrypt hashes or in encrypted environment variables — never in source code.
Authentication
User accounts use magic-link sign-in or password + optional time-based one-time password (TOTP). Sessions are short-lived, rotated on activity, and bound to HttpOnly + Secure cookies with strict SameSite policy. Privileged authentication requires two factors and is gated to an IP allowlist in production.
Access control
Every data request is checked against the signed-in user, so one tenant cannot read another's data even in the case of an application bug. Privileged actions are recorded to an append-only audit log.
Abuse prevention
We rate-limit by identity rather than by IP — authenticated users, API keys, device fingerprints, and finally hashed IP, in that order — so legitimate users on shared networks (corporate proxies, CGNAT, mobile networks) are not penalized while abuse is still stopped.
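The identity ordering described above can be sketched as follows. This is an added example, not Martech LLC's code: the request field names (`user_id`, `api_key_id`, `device_fp`, `ip`), the fixed-window counter, the limit of 3 per 60 seconds, and the HMAC key are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict

IP_HASH_KEY = b"constructed-demo-key"  # assumed server-side secret; keeps IP digests from being guessable offline
LIMIT, WINDOW_SECONDS = 3, 60          # assumed policy: 3 requests per 60-second window


def rate_limit_key(req: dict) -> str:
    """Return the most specific identity available, in the order the page lists."""
    if req.get("user_id"):
        return f"user:{req['user_id']}"
    if req.get("api_key_id"):
        return f"apikey:{req['api_key_id']}"
    if req.get("device_fp"):
        return f"device:{req['device_fp']}"
    digest = hmac.new(IP_HASH_KEY, req["ip"].encode(), hashlib.sha256).hexdigest()
    return f"ip:{digest[:32]}"  # last resort: keyed hash, so the raw address is never stored


class FixedWindowLimiter:
    """In-memory fixed-window counter; a real deployment would expire old windows."""
    def __init__(self, limit=LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.counts = defaultdict(int)

    def allow(self, req, now=None):
        now = time.time() if now is None else now
        bucket = (rate_limit_key(req), int(now // self.window))
        self.counts[bucket] += 1
        return self.counts[bucket] <= self.limit


def simulate():
    """Constructed traffic: every client shares one CGNAT address (RFC 6598 range)."""
    limiter = FixedWindowLimiter()
    shared_ip = "100.64.0.10"
    alice = {"user_id": "alice", "ip": shared_ip}
    bob = {"user_id": "bob", "ip": shared_ip}
    anon = {"ip": shared_ip}
    t = 1_000_000.0
    results = {
        "alice": [limiter.allow(alice, t) for _ in range(5)],  # exceeds her own limit
        "bob": [limiter.allow(bob, t) for _ in range(2)],      # unaffected by alice
        "anon": [limiter.allow(anon, t) for _ in range(4)],    # shares the hashed-IP bucket
    }
    results["alice_next_window"] = limiter.allow(alice, t + WINDOW_SECONDS)
    return results
```

In the simulation, one user exhausting her quota does not throttle another user behind the same address, while unauthenticated requests from that address fall back to a single shared bucket.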
A lightweight inspection layer at the edge rejects obvious attack signatures — header smuggling, oversized payloads, well-known injection patterns — before any application code runs.
Third parties
We do not load third-party analytics, advertising, session-replay, or tracking scripts on customer-facing pages. The marketing site's third-party JavaScript footprint is zero. Where we depend on data-processor services (managed databases, transactional email), they operate under contracted agreements and our integration is minimal.
Supply chain
Production dependencies are version-pinned. Every release runs an automated audit for high-severity advisories before deploy. Secrets are scanned out of code automatically; the build refuses to ship if any are detected in the source tree.
Reporting a vulnerability
If you find a security issue, we want to hear about it. DM the founder on LinkedIn with a short description of the issue and a way to reach you. We honor responsible disclosure — give us a reasonable window to fix the issue before public disclosure and we'll publicly credit you when the fix ships, unless you ask us not to.
Please don't test against production accounts you don't own. Please don't exfiltrate customer data. If you need a test workspace, ask first.
What we will not do
We will not introduce third-party trackers without telling you. We will not weaken encryption defaults silently. We will not store credentials in plaintext anywhere. We will not pretend an incident didn't happen — if customer data is materially affected, we will tell affected customers and post a public post-mortem.