Security
How we hold customer data — and what we don't hold.
Scope of customer data
MarketWatch Intel does not need to ingest your internal data to deliver the weekly Compass brief. We hold: your account contacts, your billing details, your tracked competitor list, your custom rule thresholds, and the editorial preferences your CSM has captured in the system prompt. We do not hold: your customer database, your SKU catalogue, your sales numbers, your CRM data, or your marketing spend.
Compliance
SOC 2 Type II — most recent audit completed February 2026 by Prescient Assurance LLP, scope covering Security and Availability. Report available under mutual NDA. ISO 27001:2022 — certification anticipated Q3 2026; we are in the implementation phase. GDPR — we operate under the controller-to-processor model with a published Data Processing Addendum. Standard Contractual Clauses (2021/914) apply for all UK and EU customers. UK GDPR — we are registered with the ICO (registration number Z-A-9914712).
Data residency
EU and UK customer data is stored in AWS eu-central-1 (Frankfurt). APAC customer data is stored in AWS ap-southeast-1 (Singapore). North American customer data is stored in AWS us-east-1 (N. Virginia). Customers can request a specific residency at the start of an engagement.
Encryption
At rest: AES-256-GCM via AWS KMS, with customer-managed keys available on the Scale tier. In transit: TLS 1.2 minimum, TLS 1.3 preferred, with HSTS pre-loading on all marketwatchintel.io subdomains.
Sub-processors
We publish the full sub-processor list as a separate page maintained by our Security team. The current list (April 2026): AWS (cloud), Vercel (front-end hosting), Google AI Studio (Gemini for narrative generation), Postmark (transactional email), Slack (incoming webhook delivery), Stripe (billing), HubSpot (CRM), Linear (engineering issue tracking). Customers are notified at least 30 days before any addition or material change.
Vulnerability disclosure
Send reports to security@marketwatchintel.io. We acknowledge within 24 hours, triage within 72 hours, and pay between US$250 and US$5,000 for confirmed reports, depending on severity. We do not require an NDA for disclosure.
Incident response
72-hour customer-notification commitment for any confirmed material incident. Post-incident write-up published to all affected customers within 30 days, regardless of regulatory threshold. We have not had a material customer-data incident since founding.