This section provides answers to common questions about the security and privacy of Marker.io, including data storage, encryption, security measures, data retention policies, incident handling, accreditation, vendor assessment, and bug reporting.
Learn more about our security commitment here → https://marker.io/security
Frequently Asked Questions
Where do you store my data?
As a Marker.io user, your data is stored in our secure cloud environment, hosted by Amazon Web Services. The data is geographically located in the eu-west-1 region, Ireland.
AWS data centers are monitored by 24×7 security, biometric scanning, video surveillance, and more. AWS is SOC2 and ISO-27001 certified.
Is my data encrypted?
Yes.
Data in transit between end-users and Marker.io’s cloud environment is encrypted using HTTPS over TLS 1.2. This is verifiable by an independent check that can be performed via SSL Labs.
In addition, we use AES-256 encryption to secure your database connection credentials and data stored at rest.
How do you ensure the security of integration?
Integrations are a big part of what makes Marker.io special. We use the OAuth standard to authenticate you and get permission to access your tools. We never get your passwords, we encrypt all data, and you can revoke access anytime, easily.
Do you back up data?
All customer databases are backed up every 6 hours. We replicate core databases across multiple zones in the event of a site disaster.
What’s your development stack?
We run on Node.js, Vue.js, AWS, and MongoDB.
Who is responsible for your security program?
Security is directed by Marker.io’s Chief Technology Officer. We also have a full-time DevOps manager on staff.
Who can access production data?
Our approach will always be to provision on a ‘need-to-know’ basis. Only a limited number of skilled engineers, whose job function is to support and maintain the Marker.io environment, are permitted access to Marker.io’s production environment. SSH keys and credentials are rotated regularly and 2-factor authentication is enforced whenever possible.
Do you conduct penetration tests?
We are currently in the process of hiring an external firm to conduct a penetration test at both the application and network levels. That being said, we regularly audit our systems and scan for vulnerabilities internally.
Until we have our penetration test results, we allow customers to conduct their own penetration tests on our infrastructure. We simply ask you to give us notice ahead of time so that we don’t mistake your test for a genuine threat. You can reach out at security@marker.io if you plan to run one.
How frequently does Marker.io run security training?
Security training is provided to all new team members during their onboarding. The training aims to provide a baseline understanding within the context of Marker.io, its values and how we appropriately implement controls to help protect Marker.io and the data we store.
What controls have been implemented for detecting incidents?
Our DevOps team uses a combination of services to proactively monitor the infrastructure, networks, and systems. We have adopted an approach that covers appropriate application security checklists to remediate any vulnerabilities. The team uses a combination of tools such as Cloudflare WAF, Amazon CloudWatch, Rapid7 InsightOps, and AWS Network Firewall to strengthen our security capabilities.
What is your process for reacting to security incidents?
We take security very seriously at Marker.io due to the sensitivity of our customers' data. We review security issues as soon as possible and you can report them by emailing security@marker.io.
We have alert notifications sent to the appropriate engineers via email, SMS, or integrations with uptime management tools, allowing us to detect incidents before customers are even aware. In case of a potentially severe security incident, we're committed to informing any affected users.
You can also find our status page here.
Do you have a status page?
Yes, you can find our status page here.
What accreditation does Marker.io have?
We run our infrastructure on AWS which is SOC 2 and ISO-27001 certified. We are currently working toward getting our own accreditation for SOC2.
How do you assess vendors?
We have a thorough process for evaluating which vendors we partner with, including reviewing security and data privacy practices. You can find a list of our data sub-processors here.
Do you run a bug bounty program?
We do not currently run a bug bounty program, but we encourage anyone to report vulnerability issues to our security team. We review all messages sent to security@marker.io.
How can I report a bug or vulnerability issue?
You can reach out to our security team at security@marker.io, or use the in-app chat and we will route your message to our security team.
Can you fill out my security assessment?
We can fill out security questionnaires for customers who commit to our Enterprise plan. If you plan to buy a Starter or Team plan, you should find enough information on our website and help center to fill out your questionnaire yourself.