Credential storage
- Per-organization encryption keys (AES-256).
- Master key lives on the VPS, never in source control.
- Audit log entry for every credential access.
- Token revocation deletes credentials within one hour.
- OAuth scopes are minimized to posting and reading only.
Network security
- TLS 1.3 for all traffic.
- HSTS with preload on all production domains.
- Strict Content Security Policy on authenticated routes.
- Rate limiting on every public endpoint.
- Cloudflare in front for DDoS absorption.
Infrastructure
- Primary region: Hetzner Falkenstein (EU).
- Encrypted off-site backups, tested monthly.
- Postgres with row-level security enforcing tenant isolation.
- Redis for job queue, not for secrets.
- No third-party analytics pixels on authenticated pages.
Vulnerability disclosure
Email security@marquiq.com. The PGP key fingerprint is published in /.well-known/security.txt. We acknowledge reports within 48 hours and aim for initial triage within 72 hours. Good-faith researchers are not subject to legal action.
Subprocessors
The full list is in the Privacy Policy. Changes are announced 30 days in advance via email to admin accounts.
Frequently asked questions
Does MarquIQ store my social media credentials in plain text?
No. OAuth tokens are encrypted at rest with per-organization keys using AES-256. The master key is stored on the VPS, never in source control, and is rotated on a schedule.
Can MarquIQ employees read my content or credentials?
No. Production access requires ephemeral credentials approved per session and is audit-logged. No engineer has standing access to customer credential stores.
Is MarquIQ SOC 2 certified?
SOC 2 Type I is targeted for Q4 2026. Type II will follow. We publish our roadmap and maintain a security questionnaire, available on request, for enterprise evaluation.
Where is my data stored?
Primary data is stored in the European Union (Hetzner, Falkenstein) with encrypted backups in Helsinki. US data residency is available on Agency plans.
How do I revoke access if a MarquIQ credential is compromised?
Each platform connection has a one-click revoke button in Settings. Tokens are invalidated within 60 seconds of revocation and purged from storage within one hour.