ShieldMarc
Security and Trust

Security you can trust, not just claim.

ShieldMarc is a UK company hosted on EU infrastructure. This page covers how we protect your data, enforce isolation between customers, and handle security responsibly.

Last reviewed: March 2026

Infrastructure

ShieldMarc is a UK company. Our infrastructure runs on EU-based cloud providers with data centres located exclusively within the European Union. All data is stored and processed within the EU.

Your data never leaves EU jurisdiction. We do not use infrastructure providers that process or store data in the US. All data handling is subject to GDPR and UK data protection law.

Data Encryption

All data in transit is encrypted using TLS 1.3. Data at rest is encrypted using AES-256 across all storage layers.

Payment data is handled exclusively by our PCI-compliant payment processor. Card numbers, CVVs and banking details never touch ShieldMarc servers. We store only tokenised billing references.

Tenant Isolation

Every customer organisation is isolated at the database layer using enforced row-level access controls. Every query is automatically scoped to the authenticated tenant by the database engine itself, not application code.

Cross-tenant data access is not possible by construction. No misconfiguration at the application layer can expose one tenant's data to another.

Access Controls

ShieldMarc uses three roles within each organisation:

  • Owner: Full access. Organisation transfer, billing, member deletion.
  • Admin: Can manage domains, invite members and configure modules.
  • Member: Read-only access to monitoring data and reports.

Owner-only actions, including subscription changes, organisation transfer and member removal, require owner authentication and are not delegatable.

Every significant action is written to an audit log with actor identity, timestamp and IP address. Logs are immutable and accessible to owners from the dashboard.

Data Handling

What we store: domain names, DMARC aggregate report data, SSL certificate snapshots, DNS record snapshots, uptime check results, account email addresses, and audit log entries.

What we never store: email message content (body text), payment card data, or personally identifiable information beyond account email addresses. Forensic DMARC reports (RUF) may contain message headers, but never email body content.

Retention: Your data is retained for the duration of your subscription plus 30 days after cancellation, giving you time to export anything you need. After 30 days, all organisation data is permanently deleted.

GDPR: ShieldMarc is the data controller for all customer data. You have the right to access, correct and delete your data at any time. To request deletion, email [email protected].

Availability

ShieldMarc infrastructure is monitored continuously across application and database layers. We target high availability and receive automated alerts for any degradation.

In the event of an incident affecting customer data or monitoring accuracy, affected customers will be notified within 72 hours via the email address on their account.

No formal SLA is published at this time. MSP customers should contact us to discuss contractual availability requirements.

Security Controls

ShieldMarc applies automated security controls across the full development and deployment lifecycle. Every release is scanned before it reaches production.

  • Web application scanning: Automated OWASP Top 10 scans on every release, testing for XSS, injection, and misconfiguration.
  • Secret scanning: Pre-commit and CI checks prevent credentials, API keys, or tokens from entering the codebase.
  • Image scanning: Every deployment artifact is scanned for OS-level and library vulnerabilities, plus embedded secrets, before release.
  • Dependency auditing: All dependencies are checked for known CVEs on every build.
  • Security headers: Content Security Policy, HSTS with preload, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy are enforced on all responses.
  • WAF and DDoS protection: All traffic passes through Cloudflare, providing web application firewall rules, bot management, and DDoS mitigation at the edge.
  • Rate limiting: API endpoints are rate-limited to prevent abuse and credential stuffing.
  • SSRF protection: User-supplied domain inputs are validated against internal network ranges to prevent server-side request forgery.
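The last bullet describes validating user-supplied domain inputs against internal network ranges. The following is an added illustration of what such a check involves; it is not ShieldMarc's code, and the hostnames and DNS answers in it are constructed for the demo. It validates the syntax of the name, resolves every A/AAAA answer rather than only the first, unwraps IPv4-mapped IPv6 addresses, and rejects the target if any answer falls in a loopback, link-local (including cloud metadata), private, CGNAT, multicast or unspecified range.

```python
import ipaddress
import re
import socket
from typing import Callable, Iterable

# Hostname syntax: dotted labels of 1-63 chars, no leading/trailing hyphen, 253 chars total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)

# Ranges an outbound monitoring request must never be sent to (constructed list):
# "this" network, RFC 1918, CGNAT, loopback, link-local (where cloud metadata
# endpoints live), IETF protocol assignments, multicast, reserved, IPv6 ULA/link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def address_is_blocked(addr: str) -> bool:
    """True if the literal IP address lies in a range outbound requests must not reach."""
    ip = ipaddress.ip_address(addr)
    # Judge IPv4-mapped IPv6 (::ffff:10.0.0.1) by the IPv4 address it carries.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer, because DNS may return a mix of addresses."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


Resolver = Callable[[str], Iterable[str]]


def validate_target_domain(raw: str, resolver: Resolver = resolve_all) -> tuple[bool, str]:
    """Decide whether a user-supplied domain may be the target of an outbound check.

    Returns (allowed, reason). Rejects empty or malformed names, IP literals in
    blocked ranges, names that do not resolve, and names with any blocked answer.
    """
    name = raw.strip().lower().rstrip(".")
    if not name:
        return False, "empty input"
    literal = name.strip("[]")
    try:
        ipaddress.ip_address(literal)
    except ValueError:
        pass  # not an IP literal; fall through to hostname handling
    else:
        if address_is_blocked(literal):
            return False, "IP literal in a blocked range"
        return True, "public IP literal"
    if not HOSTNAME_RE.match(name):
        return False, "malformed hostname"
    try:
        answers = list(resolver(name))
    except OSError:  # socket.gaierror is an OSError subclass
        return False, "name does not resolve"
    if not answers:
        return False, "name does not resolve"
    # One internal answer is enough to reject: a name that resolves to both a
    # public and an internal address must not be allowed through on the public one.
    blocked = [a for a in answers if address_is_blocked(a)]
    if blocked:
        return False, f"resolves to blocked address {blocked[0]}"
    return True, "ok"


# Constructed DNS answers for the stand-alone demo (hypothetical names; 203.0.113.0/24
# is the TEST-NET-3 documentation range, standing in for a public address here).
FAKE_DNS = {
    "customer-site.example": ["203.0.113.10"],
    "dual-homed.example": ["203.0.113.20", "10.0.0.5"],
    "metadata-alias.example": ["169.254.169.254"],
    "v6-loopback.example": ["::1"],
}


def fake_resolver(host: str) -> list[str]:
    """Offline stand-in for resolve_all, backed by the constructed FAKE_DNS table."""
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: no such name {host}")
    return FAKE_DNS[host]


if __name__ == "__main__":
    for candidate in ("customer-site.example", "dual-homed.example", "metadata-alias.example",
                      "v6-loopback.example", "127.0.0.1", "[::ffff:10.1.2.3]",
                      "not a domain", "missing.example"):
        print(f"{candidate!r:28} -> {validate_target_domain(candidate, fake_resolver)}")
```

A check like this at input time is necessary but not sufficient on its own: the DNS answer can change between validation and the actual request, so a complete design re-validates the resolved address at connect time (or pins the connection to the address that passed) and also inspects any redirect target before following it.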

Responsible Disclosure

If you discover a security vulnerability in ShieldMarc, please report it responsibly. Email [email protected] with a description of the issue and steps to reproduce.

We target a 5 business day initial response. We ask that you:

  • Do not access or modify data belonging to other customers.
  • Do not publicly disclose the vulnerability before we have had a chance to address it.
  • Act in good faith throughout the disclosure process.

We do not currently operate a formal bug bounty programme, but we are grateful to researchers who help us improve security.

Certifications Roadmap

ShieldMarc is a growing product and we are working toward formal third-party security certifications, starting with the foundations and building up.

  • In progress: Cyber Essentials
  • Next: Cyber Essentials Plus
  • Planned: SOC 2 Type II
  • Planned: ISO 27001

MSP customers will be notified directly when certifications are achieved. If you need documentation for a vendor assessment or compliance review, contact [email protected].

Questions about security or data handling? Email [email protected] or [email protected].