Security at Marvin Labs
A small company being honest about a serious topic. We host on AWS, we do not train models on customer data, and the core product works without you uploading a single proprietary document. The gaps are documented below.
The short version
Marvin Labs is a small company that does not pretend to be bigger than it is. We host on AWS in a single region. We do not train models on customer data. We do not ingest our customers' proprietary research or portfolio holdings unless the customer explicitly uploads them. Formal certifications are not in place today. We answer vendor due diligence questionnaires directly and in full, with honest answers rather than aspirational ones.
This page is the honest version. If your InfoSec team needs something more formal, email alex@marvin-labs.com and we will work through your DDQ.
What we do not touch
This is the most important part of the page. Marvin Labs analyses public financial content. The pipeline ingests filings, earnings calls, press releases, investor presentations, and conference transcripts from company investor relations pages and official sources like SEC EDGAR. See Automated Data Import for the full source list.
Customers do not need to upload anything for the core product to work. An analyst can run the workflow end to end (chat, agents, guidance tracking, sentiment) on the public-data layer without ever handing us a proprietary document. Your research notes, models, portfolio holdings, client lists, and internal memos stay with you.
The exception: if a customer explicitly uploads a document to analyse inside the product, that document is processed the same way as a public filing and stored in their account. That is a deliberate, opt-in action. No ambient scanning of emails, drives, or terminals.
Where data lives
- Cloud provider: AWS
- Region: us-east-1 (Northern Virginia)
- Encryption in transit: TLS 1.2+ on all customer-facing endpoints
- Encryption at rest: AES-256 for all managed storage services
- Data classes stored: account information (email, plan, billing metadata), query and agent execution history, uploaded documents where applicable
If a customer needs EU hosting or a private-cloud deployment, that is available through the Pro plan on request. See pricing for detail.
Model training
Marvin Labs does not train models on customer queries or uploaded content. That is true for our internal models and for every third-party model provider we call. The no-training setting is applied per provider at the API level and lives in our infrastructure code, which is the audit trail for it.
Chat content is used to generate the immediate response and stored in account history for the customer's reference. Nothing more.
Retention and deletion
Customer data retention is configurable on paid plans. Customers can set the retention window for query history and uploaded documents. Deletion requests are typically completed within five business days. Email alex@marvin-labs.com with the scope of the request.
Authentication
- Username and password: available on all plans, with industry-standard password hashing and session management.
- Multi-factor authentication (MFA): available on the Pro plan.
- Single sign-on (SSO, SAML or OIDC): available on the Pro plan. Contact alex@marvin-labs.com to configure.
See the pricing page for the plan breakdown.
Subprocessors
The third-party services that process customer data:
| Subprocessor | Purpose | Data |
|---|---|---|
| Amazon Web Services | Cloud hosting and storage | All customer data |
| Anthropic | Large language model inference | Query content during processing |
| OpenAI | Large language model inference | Query content during processing |
| Stripe | Payments | Billing information |
| Loops | Transactional and marketing email | Email address, account metadata |
| PostHog | Product analytics | Pseudonymised usage events |
| Sentry | Error monitoring | Error traces and stack information |
| Google Tag Manager | Marketing analytics on public website | Anonymous web traffic metadata |
LLM providers are called with training disabled. Payment details are handled by Stripe directly. We do not store card numbers.
Certifications
Marvin Labs does not hold SOC 2, ISO 27001, or equivalent formal certifications today. We will pursue them when a customer requires certification as a condition of deployment, and the bridge in the meantime is direct DDQ engagement: we document our controls on request, answer questionnaires in full, and cooperate with third-party penetration tests on request.
What we do not offer today
Being honest about gaps matters more than pretending they are not there.
- No formal certifications. We will document our controls on request and pursue certification when required.
- No public status page. We respond to incidents directly with affected customers. A status page will be added as the customer base grows.
- No published SLA. Uptime is best-effort. Pro customers can negotiate contractual SLAs on request.
- No EU data residency by default. Available on the Pro plan via private-cloud deployment.
- No MFA or SSO outside the Pro plan. Other plans are username and password only.
If any of these block your procurement process, email alex@marvin-labs.com and we will work through it.
Why this profile actually fits institutional research
The default assumption is that bigger vendors are safer. Worth pushing back on a few of those defaults:
- No cross-customer leakage through training. The core product runs on public data, and no model is trained on your queries, so nothing learned from your session can surface in another customer's.
- Single point of accountability. The founder (alex@marvin-labs.com) owns the security posture end to end. There is no triage chain between you and the person who can make a decision about your data.
- No acquisition-driven re-routing of data. Bootstrapped, no outside investors, no scheduled liquidity event. The data handling commitments on this page are stable for the same reason the roadmap is.
None of this substitutes for SOC 2 when SOC 2 is required. It does substitute for a lot of the implicit assumptions that drive vendor selection in the absence of certification.
Vendor due diligence
Send your DDQ, security questionnaire, or procurement form to alex@marvin-labs.com. We return completed questionnaires directly, with honest answers rather than aspirational ones. Expected turnaround: under one week for standard questionnaires, longer if a custom control matrix is required.
Reporting a security issue
If you believe you have found a security vulnerability in Marvin Labs, email alex@marvin-labs.com with details. We will acknowledge within one business day and coordinate a fix. Responsible disclosure is appreciated.
Start your free evaluation
Analyze 15 leading companies immediately. No registration, no credit card, no sales call.
Jump straight in, or book a demo if you'd like a walkthrough.