Security

Security is foundational to MarketiQ AI, operated by Trayarunya Ventures. Our customers trust us with their marketing content, connected social and advertising accounts, leads, and business data — and we treat that trust as our most important asset.

This page describes the technical and organizational measures we use to protect your data across the MarketiQ AI web platform, desktop applications, and Chrome extension. For how we collect and use data, see our Privacy Policy and Data Handling Practices.

MarketiQ AI runs on hardened, industry-leading cloud infrastructure:

• Cloud providers: Our services are hosted with reputable cloud providers that maintain certifications such as ISO 27001, SOC 2, and PCI DSS at the infrastructure layer.
• Network isolation: Production systems run in isolated networks with strict firewall rules. Databases are never exposed directly to the public internet.
• Environment separation: Development, staging, and production environments are fully separated. Production data is not used in development or testing.
• Hardening & patching: Operating systems, containers, and dependencies are kept up to date, with security patches applied on a priority schedule.

We encrypt your data both in transit and at rest:

• In transit: All traffic between your browser/apps and our services is encrypted using TLS 1.2 or higher. Plain HTTP is not supported on production endpoints.
• At rest: Databases, backups, and file storage are encrypted at rest using AES-256 or equivalent provider-managed encryption.
• Secrets & tokens: Connected-account access tokens (LinkedIn, X/Twitter, Meta, Google, HubSpot, Shopify) and API credentials are encrypted at rest with application-level encryption in addition to disk encryption. They are never logged or exposed in plaintext.
• Passwords: Account passwords are hashed with a modern adaptive hashing algorithm. We never store, see, or transmit plaintext passwords. The desktop LinkedIn Copilot never stores your LinkedIn password — login happens inside an isolated browser session on your machine.

We enforce least-privilege access throughout the platform and the company:

• Customer-facing controls: Workspaces support role-based access control (owner, admin, manager, editor, viewer) so you decide exactly what each team member and client can see and do. White-label client portals expose only the approvals and reports you choose to share.
• Authentication: Sessions use signed, expiring tokens. OAuth 2.0 is used for all third-party platform connections — we never ask for your social media passwords.
• Internal access: Access to production systems is restricted to a small number of authorized engineers, protected by strong authentication, and granted only as needed for operations and support. Administrative access is logged and reviewed.
• Tenant isolation: MarketiQ AI is multi-tenant by design. Every query is scoped to your organization and workspace, preventing cross-tenant data access.

Security is built into how we develop software:

• Secure development lifecycle: Code is peer-reviewed before release, and changes to authentication, authorization, or data handling receive heightened scrutiny.
• Input validation: All API inputs are validated and sanitized server-side to protect against injection, XSS, CSRF, and related classes of attack.
• Dependency management: Third-party dependencies are monitored for known vulnerabilities and updated promptly.
• Rate limiting & abuse prevention: APIs implement rate limiting, and automated monitoring detects anomalous or abusive behaviour.
• Platform-safe automation: Outreach and publishing features enforce human-pace daily caps and respect the policies of connected platforms — no credential scraping, no headless bot farms.

We maintain continuous visibility into the health and security of our systems:

• Monitoring: Production services are monitored 24/7 for availability, performance, and security anomalies, with automated alerting to the engineering team.
• Audit logging: Security-relevant events (logins, permission changes, platform connections/disconnections, administrative actions) are logged with timestamps for investigation and accountability.
• Incident response: We maintain an incident response process covering identification, containment, eradication, recovery, and post-incident review.
• Breach notification: If a security incident affects your personal data, we will notify affected customers and relevant supervisory authorities without undue delay and, where required by law (including GDPR Article 33), within 72 hours of becoming aware.

• Backups: Databases are backed up automatically on a regular schedule, with encrypted backups retained to enable point-in-time recovery.
• Recovery testing: Restore procedures are tested periodically to verify backup integrity and recovery time objectives.
• Resilience: Services are deployed with redundancy so that the failure of a single component does not result in data loss.

• Confidentiality: All employees and contractors are bound by confidentiality obligations covering customer data.
• Security awareness: Team members receive security and privacy guidance appropriate to their role, including secure handling of customer data and phishing awareness.
• Vendor review: Sub-processors and service providers are vetted for security and data-protection practices before use and are bound by data processing agreements. See Data Handling Practices for the categories of sub-processors we use.
• Device security: Company devices with access to production systems use disk encryption, screen locks, and managed updates.

We welcome reports from security researchers and users. If you believe you have found a vulnerability in MarketiQ AI:

• Email admin@trayarunyaventures.com with the subject line "Security".
• Include enough detail to reproduce the issue (steps, URLs, request/response samples, screenshots).
• Please do not access other users' data, disrupt the service, or publicly disclose the issue before we have had a reasonable opportunity to remediate it.

We acknowledge security reports with priority — typically within 24–48 hours — and keep you informed as we investigate and fix confirmed issues. We do not pursue legal action against researchers who act in good faith within these guidelines.