
Security

MarginShield handles commercially sensitive margin, rebate, and competitor data for retailers and buying groups. Our security posture is the foundation of that trust — here's how it works.

Last updated: May 20, 2026

Encryption

  • In transit: TLS 1.2+ for every connection (web, API, mobile). HTTPS-only, HSTS enforced.
  • At rest: AES-256 via the managed Postgres provider (Neon) on encrypted volumes. Backups are encrypted to the same standard.
  • Secrets: Application secrets stored in Railway's managed secrets store, scoped per environment, never written to logs.

Tenant isolation

  • Every row in every business-data table carries an org_id column, and every API query filters on the caller's org_id. There is no shared catalog, shared competitor index, or shared rebate pool across organisations.
  • Buying-group clean rooms compute aggregates server-side without ever materialising a cross-member join. Members see only what their administrator explicitly grants.
  • Background workers (matching, scraping, alerting) read from the same tenant-scoped accessors as the application tier — no privileged data path bypasses the org boundary.

Hosting & data residency

  • Region: Australian-hosted by default (Sydney). Customer data does not leave the Australian region without explicit consent in writing.
  • Infrastructure: Railway managed services on top of AWS underlying infrastructure. The SOC 2 Type II and ISO 27001 attestations at that layer belong to the infrastructure providers and are inherited, not held by MarginShield itself; MarginShield's own attestation status is given under Compliance posture below.
  • Database: Neon serverless Postgres with point-in-time recovery and multi-AZ durability.

Access control

  • Role-based access inside each org: owner, admin, and member. Approval authority (margin floor breaches, manager sign-off) is gated to owner and admin.
  • SSO / OAuth available on Business tier and above. SCIM provisioning on Enterprise.
  • API keys are scoped per integration with rotation and revocation controls. Passwords are never stored; we keep only Argon2id hashes and verify logins against those.

Auditability & immutable trace

  • Every margin-affecting decision (approval, override, rebate edit, cost-structure change) writes an append-only audit_events row capturing the actor, timestamp, frozen economics, and reason.
  • Audit events are exportable as CSV/JSON for finance and compliance review. They're never amended, never deleted.
  • Margin calculations on the Decision Desk are deterministic — the same inputs produce the same number six months from now. AI explains. Code calculates.
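
Tenant scoping and the append-only audit trail described in the two sections above, as an added example rather than MarginShield's own code: an in-memory sqlite3 database stands in for Postgres so the example runs offline; the table names rebates and audit_events and the org_id column follow this page, while OrgScopedStore, try_tamper, demo and the sample rows are this example's own assumptions. Both the application tier and a worker would go through the same accessor, which is bound to one org_id at construction, and UPDATE/DELETE triggers make the database itself refuse amendment of audit rows, which is the check a reviewer would want behind "never amended, never deleted".

```python
import json
import sqlite3
from datetime import datetime, timezone

# sqlite3 stands in for Postgres so this runs offline. Table names follow the
# page; the class, function names and sample rows are assumptions of this example.
SCHEMA = """
CREATE TABLE rebates (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL,
                      supplier TEXT NOT NULL, rate_pct REAL NOT NULL);
CREATE TABLE audit_events (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL,
                           actor TEXT NOT NULL, occurred_at TEXT NOT NULL,
                           action TEXT NOT NULL,
                           economics TEXT NOT NULL,  -- frozen JSON snapshot of the inputs
                           reason TEXT NOT NULL);
-- Append-only: the database refuses amendment and deletion, so no code path,
-- privileged or not, can rewrite history.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_events
  BEGIN SELECT RAISE(ABORT, 'audit_events is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_events
  BEGIN SELECT RAISE(ABORT, 'audit_events is append-only'); END;
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


class OrgScopedStore:
    """Accessor bound to one org_id at construction. Web tier and workers share
    it; no method accepts an org_id from the caller, so an upstream bug cannot
    widen a query to another tenant."""

    def __init__(self, conn, org_id):
        self._conn = conn
        self._org = org_id

    def add_rebate(self, supplier, rate_pct):
        self._conn.execute(
            "INSERT INTO rebates (org_id, supplier, rate_pct) VALUES (?, ?, ?)",
            (self._org, supplier, rate_pct))
        self._conn.commit()

    def rebates(self):
        rows = self._conn.execute(
            "SELECT supplier, rate_pct FROM rebates WHERE org_id = ? ORDER BY supplier",
            (self._org,)).fetchall()
        return [{"supplier": s, "rate_pct": r} for s, r in rows]

    def record_decision(self, actor, action, economics, reason):
        """Append one audit row carrying a frozen copy of the numbers it used."""
        frozen = json.dumps(economics, sort_keys=True)
        cur = self._conn.execute(
            "INSERT INTO audit_events (org_id, actor, occurred_at, action, economics, reason)"
            " VALUES (?, ?, ?, ?, ?, ?)",
            (self._org, actor, datetime.now(timezone.utc).isoformat(), action, frozen, reason))
        self._conn.commit()
        return cur.lastrowid

    def audit_trail(self):
        rows = self._conn.execute(
            "SELECT actor, action, economics, reason FROM audit_events"
            " WHERE org_id = ? ORDER BY id", (self._org,)).fetchall()
        return [{"actor": a, "action": ac, "economics": json.loads(e), "reason": r}
                for a, ac, e, r in rows]


def try_tamper(conn, event_id):
    """Bypass the accessor and hit audit_events directly; report which attempts
    the database refused. Both must be refused whatever the caller's privilege."""
    refused = {}
    attempts = {"update": "UPDATE audit_events SET reason = 'edited later' WHERE id = ?",
                "delete": "DELETE FROM audit_events WHERE id = ?"}
    for label, sql in attempts.items():
        try:
            conn.execute(sql, (event_id,))
            conn.commit()
            refused[label] = False
        except sqlite3.IntegrityError:  # RAISE(ABORT) surfaces as a constraint error
            conn.rollback()
            refused[label] = True
    return refused


def demo():
    conn = open_db()
    acme = OrgScopedStore(conn, "org_acme")
    globex = OrgScopedStore(conn, "org_globex")
    acme.add_rebate("SupplierCo", 3.5)
    globex.add_rebate("SupplierCo", 7.0)  # same supplier, different tenant (constructed)
    event_id = acme.record_decision(
        actor="jane@acme.example", action="approve_below_floor",
        economics={"cost": 80.0, "price": 92.0, "floor_pct": 15.0},
        reason="Clearance run agreed with supplier")
    return {"acme_sees": acme.rebates(), "globex_sees": globex.rebates(),
            "acme_trail": acme.audit_trail(), "globex_trail": globex.audit_trail(),
            "tamper_refused": try_tamper(conn, event_id)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running demo() shows each org reading only its own rebate rate for the same supplier, an empty audit trail for the org that made no decision, and both direct UPDATE and DELETE against audit_events refused by the trigger. In Postgres the same invariant can be enforced with a BEFORE UPDATE OR DELETE trigger raising an exception, or by granting the application role INSERT and SELECT only on audit_events.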

Compliance posture

  • SOC 2 Type I: target Q4 2026. Controls already operating; formal attestation engagement in progress.
  • Australian Privacy Act (APP): MarginShield is operated by A2E Group Pty Ltd, an Australian entity, and follows the Australian Privacy Principles for personal information handling.
  • GDPR: Available via Data Processing Agreement — see our DPA.
  • PCI scope: MarginShield never stores card data. Stripe handles all payment-card flows; we receive tokenised references only.

Incident response

We monitor application health, error rates, and anomalous access patterns via Sentry and Better Uptime. Customers are notified of security-relevant incidents that affect their data within 72 hours of detection. That window lets customers acting as GDPR controllers meet their own 72-hour supervisory-authority deadline under Article 33, and it falls well inside the assessment period allowed under the Notifiable Data Breaches scheme of the Australian Privacy Act. Security questions or disclosure: security@marginshield.io.

What we don't do

  • We do not move money, hold customer funds, or execute supplier payments. We compute margin and surface decisions.
  • We do not share or sell competitor pricing data observed in your tenant. Public-web observations belong to your org and stay there.
  • We do not train models on your data. Anonymised, aggregated usage analytics are kept for product improvement only.

Need a security questionnaire, SOC 2 report path, or DPA countersignature?

Email security@marginshield.io and we'll turn it around the same business day.