Hosting and Physical Security
Marble servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). As such, Marble inherits the control environment which Amazon maintains and demonstrates.
Read more about AWS and Heroku security and certifications here:
Marble services are accessible over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Marble uses strong encryption algorithms with a key length of at least 128 bits.
Administrative access to Marble servers is granted only to select Marble employees, based on role and business need.
The Marble application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. The Marble application uses industry-standard, high-strength algorithms including AES and bcrypt.
All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.
Marble stores the minimum of Personally Identifiable Information (PII), and only as instructed by our Subscriber for the purpose of delivering the Marble Service. In line with GDPR principles, Subscribers should avoid sharing unnecessary personal data with Marble beyond basic information.
Marble follows the policies below that are relevant to GDPR:
- Data Privacy:
- The basis for processing: Marble collects and processes data to fulfill performance of our contract with our Subscriber. Each Subscriber, as the data controller, is responsible for determining the lawful basis for processing data and documenting EU data subject consent, if consent is the lawful basis for processing.
- Data Storage: All data is stored securely in the Ireland region of Amazon Web Services (eu-west-1).
- Data Deletion, Correction, Editing, or Extraction: Marble will export, correct, or delete data upon request by the Subscriber. Delete requests must be submitted to firstname.lastname@example.org and will be processed within 30 days of submission.
- Consent: Marble is a data importer; data subject consent is the responsibility of the Subscriber as the data controller. Marble provides product functionality that assists the Subscriber in obtaining and documenting consent.
- Marketing: Marble does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.
- Sub-processors: Marble's sub-processors are Heroku (web hosting and database) and AWS S3 (document storage for files uploaded in the application). Heroku stores and processes everything on AWS eu-west-1 (for Heroku Postgres data residency, see https://devcenter.heroku.com/articles/heroku-postgresql#data-residency).
Reporting Security Issues
If you discover a vulnerability, please contact us at email@example.com.
Last Updated: December 09, 2020