Security

Marcly processes sensitive data of your business and your customers. Security is not a feature — it's a baseline requirement. We apply defense in depth: each layer assumes the previous can fail and adds its own controls.

This page is a snapshot of actual practices in code and infrastructure, not aspirations. We update it when something material changes (last update: 2026-05-02).

In transit

• TLS 1.3 mandatory on all public connections (with HSTS, max-age 1 year).
• Strict Postgres certificate validation (rejectUnauthorized: true) — no downgrades.
• Session cookies with Secure + HttpOnly + SameSite=Lax flags.

At rest

• PostgreSQL database encrypted at disk level (provided by Railway).
• File storage (Cloudflare R2) encrypted by default per bucket.
• Per-tenant WhatsApp tokens encrypted with AES-256-GCM (envelope encryption with master key), v1. format with rotation support.

Hashes and secrets

• Passwords hashed with bcrypt cost 12 (Rust native binding, ~25 ms per hash).
• Logged IPs hashed with SHA-256 + salt (no IPs stored in cleartext).
• Verification tokens: 256 bits of entropy, hashed before persisting, single-use.

• NextAuth v5 with encrypted JWT sessions (not JWS — uses A256CBC-HS512).
• 14-day active session with rolling renewal every 24h (auto-revocation on inactivity).
• Captcha (Cloudflare Turnstile) on signup and anonymous public booking.
• Per-IP and per-email rate-limit on login (5 failures / 15 min per email, 20 / 15 min per IP).
• Bcrypt verification before delegating to NextAuth — prevents timing leaks.
• Automatic temporary lockout after suspicious bursts.

Marcly is multi-tenant: many businesses share infrastructure but can never see each other's data. We apply a strict pattern at every mutation query level:

• Every server action touching user-derived data uses composite where: { id, businessId }.
• Helper requireBusinessOwnership() derives businessId from session, NEVER from client input.
• Helper assertAffected() verifies the mutation touched exactly the expected row — if it touched 0, we log SecurityEvent: idor_attempt.
• External audit (May 2026) confirmed zero cross-tenant IDOR across 16 server actions.

• Hosting: Railway (United States), hardened Node 22 Docker container (USER non-root, multi-stage, no dev deps in runtime).
• Database: PostgreSQL managed by Railway (daily auto-backups + 7-day retention).
• File storage: Cloudflare R2 with custom domain images.marcly.app, strict allowlist of own bucket.
• CDN + WAF + DNS: Cloudflare (DDoS L3-7, bot management, geo-restrictions available).
• Email: Resend (DKIM + SPF + DMARC aligned on marcly.app).
• WhatsApp: Twilio Business API (HMAC-SHA1 signature verified on every webhook + idempotency by MessageSid).

Security headers

Set on every response:

• Content-Security-Policy with strict allowlist (own domains + R2 + Turnstile only)
• Strict-Transport-Security (HSTS, 1 year, includeSubDomains)
• X-Frame-Options: DENY, X-Content-Type-Options: nosniff
• Cross-Origin-Opener-Policy: same-origin + Cross-Origin-Resource-Policy: same-origin
• Referrer-Policy: strict-origin-when-cross-origin
• Permissions-Policy denying camera, microphone, geo, USB, bluetooth and sensors

The providers we rely on to operate the service:

Each is contractually bound to process data only per our instructions and apply equivalent security measures. Updated list in the Privacy Policy.

SAST + Dependency Scanning

• Semgrep CE in CI: blocks merge on known vulnerable patterns.
• OSV-Scanner in CI: blocks HIGH/CRITICAL CVEs on dependencies.
• Dependabot: weekly auto PRs for deps + actions + Docker.
• Gitleaks: secrets scanning in pre-commit and CI.

Manual audit

• Complete audit against OWASP Top 10 2021 + OWASP API Top 10 2023 + ASVS 4.0 Level 2 in May 2026.
• Re-audit planned before each major milestone.
• Mandatory code review on every change touching auth, crypto, multi-tenant or webhooks.

Observability

• SecurityEvent table logs: IDOR attempts, invalid Twilio signatures, lookups of non-ACTIVE channels, login lockouts.
• 90-day retention, automatic prune.
• Application logs with secret redaction (emails, JWTs, API keys, Bearer tokens, phones).

If a security breach affecting your data is confirmed:

• Notification: we'll email you within 72 hours of confirmation (aligned with GDPR Art. 33).
• Included info: what data was affected, when, what we did to contain, what you should do.
• Authority notification: when applicable (EU: relevant DPA; Brazil: ANPD; California: AG).
• Public postmortem: we'll publish a technical postmortem (without exploit-enabling details) on our blog within 14 days.

Commitment to good-faith researchers:

• We won't initiate legal action if you follow our rules (no DoS, no third-party data access, no destruction).
• Public credit in hall of fame (with your permission).
• No paid bug bounty program yet — it's on the roadmap once we gain traction.

What we have today and what's coming:

• ✅ OWASP Top 10 2021 + ASVS L2: audited, no open critical findings.
• ✅ GDPR / CCPA / LGPD: covered in policies; rights mechanisms available.
• 🟡 SOC 2 Type I: readiness assessment Q3 2026.
• 🟡 SOC 2 Type II: target 2027.
• 🟡 ISO 27001: when we reach 500+ active customers.
• ⚪ HIPAA: not applicable (we don't process PHI). If you want to use Marcly for medical services, contact us first.
• ⚪ PCI-DSS: not applicable (we don't store card data — payment processor handles it).

Vulnerabilities / responsible disclosure: security@marcly.app
General security questions: security@marcly.app
Privacy matters: privacy@marcly.app

Marcly · 75 avenida norte, local 3, San Salvador, El Salvador