Security

Last Updated: 16th August, 2021

Hosting and Physical Security

Marble servers are hosted on Heroku, an application platform that in turn uses services provided by Amazon Web Services (AWS). As such, Marble inherits the control environment which Amazon maintains and demonstrates.

Read more about AWS and Heroku security and certifications here:

Network Security

Marble services are accessible over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. Marble uses strong encryption algorithms with a key length of at least 128 bits.

Marble servers are accessible through HTTPS. Administrative access is granted only to select employees of Marble, based on role and business need.

Marble application architecture includes mitigation measures for common security flaws such as the OWASP Top 10. Marble application uses industry standard, high-strength algorithms including AES and bcrypt.

All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is logged and logs are retained for a minimum of 30 days.

Data Privacy

Marble has a data privacy. You can read the privacy policy here.

GDPR

Marble stores a minimum of Personally Identifiable Information (PII), and only as instructed by our Subscriber for the purposes of delivering the Marble Service. Per the GDPR principles, Subscribers should avoid sharing unnecessary personal data with Marble beyond basic information.

GDPR states that data controllers must provide users with specific information on how their personal data is being collected, used, stored and shared. As such, you may need to update your privacy policy to reflect your use of Marble as a data processor for the purposes of delivering your training program.

Marble follows the policies below that are relevant to GDPR:

  • The basis for processing: Marble collects and processes data to fulfill performance of our contract with our Subscriber. Each Subscriber, as the data controller, is responsible for determining the lawful basis for processing data and documenting EU data subject consent, if consent is the lawful basis for processing.
  • Data Storage: All data is stored securely in Ireland region on Amazon Web Services (eu-west-1)
  • Data Deletion, Correction, Editing, or Extraction: Marble will export, correct, or delete data upon request by the Subscriber. Delete requests must be submitted to hello@marbleteams.com and will be processed within 30 days of submission.
  • Consent: Marble is a data importer and data subject consent is the responsibility of the Subscriber as a data controller. Marble provides product functionality that assists the Subscriber in obtaining and documenting consent.
  • Marketing: Marble does not market to, nor resell, any Contact Data collected on behalf of the Subscriber.
  • Marble sub processors are Heroku for web hosting and database and AWS S3 for document storage (files uploaded in the application). Heroku stores and processes everything on AWS eu-west-1  (regarding database on heroku:https://devcenter.heroku.com/articles/heroku-postgresql#data-residency

Reporting Security Issues

Please contact us if you discover a vulnerability at hello@marble.so.