Security & Compliance

MarkerKit is built for teams that care about data protection, reliability, and transparency.
This page outlines how we secure the platform across infrastructure, app code, and operations.

Last updated: 2025-10-29

1. Infrastructure Security

Architecture

Dockerized microservices with least-privilege networking.
TLS 1.2+ everywhere; HSTS enabled at the edge.

Providers / Locations

Cloudflare — DNS, DDoS protection, WAF, SSL termination, CDN.
Hetzner — container hosts for application workloads (EU).
Google Firebase — Auth, Firestore, Realtime DB (EU multi-region where available).
AWS — S3 (asset storage), SES (email), SSM/KMS for secrets (region: eu-central-1).
QuestDB — analytics events in a private network segment.
Stripe — payments (PCI DSS Level 1).

Secrets & Config

Managed via environment variables in a sealed secrets store (KMS/SSM).
No secrets in repo; access is role-scoped and audited.

2. Application Security

Authentication & Sessions

Firebase Auth (passwords never touch MarkerKit servers).
HTTP-only, Secure, and SameSite cookies.
Role-based access controls (project-scoped).

Data Isolation

Tenant data logically separated (per-project collections/buckets).
Signed URLs for media where applicable.

APIs

Admin & Client APIs require auth; JWT validation on every call.
Strict CORS for allowed origins.
Rate limiting and abuse detection on write endpoints.

Dependencies & Builds

Locked dependencies; automated vulnerability scans.
Distroless Node images; supply-chain scanning prior to deploy.
CI/CD with gated releases and reproducible builds.

3. Data Privacy

Data Minimalism

We collect basic account data (name, email) and billing metadata via Stripe.
Embeds do not require end-user PII.

Processing & Storage

Primary data residency in the EU. Cross-border transfers (e.g., Stripe/SES) follow SCCs.
Data Processing Agreement (DPA) available upon request.

Retention & Deletion

Project/account deletion on request or via dashboard.
Backups retained up to 30 days, then purged.

Cookies

Essential cookies for auth/session only; no advertising trackers.

4. Payments

All card data handled by Stripe (PCI DSS Level 1).
MarkerKit systems never store or process raw card numbers.

5. Monitoring & Incident Response

Health, error rates, and usage monitored continuously.
Centralized logs with access controls.
Incident playbooks with user notification where required.

6. Compliance

GDPR: Supported (access, rectification, erasure, export).
CCPA: We do not sell/share personal data; requests honored.
Encryption: TLS in transit; provider-level encryption at rest.
Accessibility: Keyboard focus and high-contrast options; accessibility statement available.

7. Sub-processors

We use the following service providers to deliver MarkerKit:

Provider	Purpose	Region / Notes
Cloudflare	DNS, CDN, DDoS, WAF, TLS	Global edge
Hetzner	App compute	EU (Germany)
Google Firebase	Auth, Firestore, RTDB	EU multi-region (where available)
AWS (S3, SES, SSM/KMS)	Storage, email, secrets	eu-central-1
Stripe	Payments	Global (PCI DSS L1)
QuestDB	Analytics events	Private EU environment

(We will notify customers of material sub-processor changes.)

8. Responsible Disclosure

If you believe you’ve found a vulnerability, email security@markerkit.com with details.
We aim to acknowledge within 48 hours and will coordinate remediation and disclosure.

9. Contact & Legal

Security & privacy: hello@markerkit.com
DPA & procurement: hello@markerkit.com

MarkerKit VCC
UIC 208561215
Registered in Sofia, Bulgaria