MarketPush Data Security Standards
Introduction
MarketPush is a cloud‑native, multi‑tenant SaaS marketplace platform designed with enterprise‑grade security. Our SOC 2 Type II certification validates that our controls are both suitably designed and operating effectively. This document outlines the specific security measures MarketPush applies to protect client data, based on independently audited practices.
Core Security Principles
Confidentiality: Protecting sensitive data from unauthorized access.
Integrity: Ensuring data accuracy and preventing unauthorized modifications.
Availability: Guaranteeing reliable access to systems and information when needed.
Accountability: Maintaining audit trails and clear ownership of data handling.
Governance & Oversight
Management Assertion – MarketPush leadership confirms controls were designed and operated effectively throughout the audit period.
Security Steering Committee – Meets quarterly to oversee risk management and compliance.
Employee Screening & Training – Background checks, annual security awareness training, and mandatory policy acceptance.
Defined Roles & Responsibilities – CTO, Technology Directors, QA, and Developers maintain accountability for security.
Security and Compliance
Azure Front Door (WAF) – MarketPush employs Azure’s Web Application Firewall to protect its platform from malicious traffic. This control helps prevent common web‑based attacks such as SQL injection and cross‑site scripting, ensuring that client marketplaces remain resilient.
OAuth 2.0 / OpenID Connect (OIDC) – Secure authentication and authorization are enforced through Auth0, leveraging OAuth 2.0 and OIDC standards. This ensures that only verified users gain access to MarketPush systems and client data.
Azure Key Vault – Secrets, API keys, and certificates are centrally managed through Azure Key Vault. This approach reduces the risk of credential exposure and provides secure lifecycle management of cryptographic materials.
Identity & Access Management (IAM) – MarketPush integrates with Azure Active Directory to enforce role‑based access, single sign‑on (SSO), and multi‑factor authentication (MFA).
Data Encryption – All sensitive data is encrypted both at rest and in transit. This guarantees that client information remains protected whether stored in databases or transmitted across networks.
GDPR and PCI Compliance – MarketPush processes personal and payment data in accordance with global privacy and security standards. Compliance with GDPR and PCI DSS ensures that client operations meet international regulatory requirements.
SOC 2 Type II Certification (Issued 10/9/2025) – Independent auditors have confirmed that MarketPush’s security controls are suitably designed and operating effectively. This certification demonstrates MarketPush’s strong compliance posture and commitment to industry best practices.
Technical Security Controls
MarketPush applies layered safeguards to protect client data, validated through its SOC 2 Type II certification.
Identity & Access Management (IAM) – Integrated with Azure Active Directory, enforcing role‑based access, MFA, and SSO. Access rights follow least‑privilege principles, with quarterly reviews and strict provisioning/deprovisioning to prevent unauthorized accounts.
Encryption Standards – Sensitive data is encrypted both at rest and in transit. TLS 1.2 secures all transmissions, while databases and storage systems use industry‑standard encryption protocols to keep information unreadable to unauthorized parties.
Device & Endpoint Security – All devices accessing client data are enrolled in MDM, enforcing strong passwords, anti‑virus protection, and hard drive encryption. This ensures endpoints remain secure and compliant.
Network Security – Firewalls and intrusion detection systems block malicious traffic, while logical isolation within the multi‑tenant architecture ensures client data remains segregated. Configurations are reviewed regularly to maintain effectiveness.
Monitoring & Alerting – Continuous monitoring with Azure Application Insights provides real‑time visibility.
Vulnerability Management – Regular scans using Azure Advanced Security and ZAP identify weaknesses. Issues are prioritized by severity and remediated promptly to reduce exposure.
Secure Development Practices – Code changes undergo peer review and independent approval before production. Separate environments for development, testing, and staging prevent untested code from reaching live systems.
Operational Requirements
MarketPush has established operational requirements that ensure its security commitments are consistently met. These requirements align with relevant compliance obligations, applicable laws and regulations, and industry best practices. Key safeguards include:
User Access Reviews – Regular reviews of user accounts and permissions ensure that access remains appropriate and aligned with least‑privilege principles.
Employee Access Provisioning and Deprovisioning – Standardized processes grant access only to authorized personnel and promptly remove access when roles change or employment ends.
Encryption Standards – All sensitive data is encrypted both at rest and in transit, protecting information from unauthorized access or disclosure.
Risk Assessment Standards – Formal risk assessments are conducted to identify, evaluate, and mitigate potential threats to system security and compliance.
Change Management Controls – Documented procedures govern system changes, requiring testing, approval, and review to maintain stability and security.
Incident Response Plan – A structured framework defines how MarketPush detects, contains, and resolves security incidents, with post‑incident reviews to strengthen resilience.
Incident Response
Audit Results & Continuous Improvement
Audit Results
MarketPush underwent an independent SOC 2 Type II audit covering the period May 1, 2025 to July 31, 2025. The audit confirmed that MarketPush’s controls were suitably designed and operated effectively throughout the period, providing reasonable assurance that its security commitments and system requirements were achieved.
The auditors validated that MarketPush consistently enforced:
Encryption of all databases at rest and data in transit.
Multi‑factor authentication (MFA), single sign‑on (SSO), and least‑privilege access management.
Regular vulnerability scanning and monitoring of cloud services.
Documented incident response procedures, including containment, mitigation, and communication.
Periodic user access reviews and device compliance through Mobile Device Management (MDM).
Continuous Improvement
MarketPush treats the SOC 2 audit not as a one‑time validation but as part of an ongoing cycle of improvement. Key initiatives include:
Quarterly Compliance Checks: Automated reviews of access, encryption, and monitoring controls to ensure ongoing effectiveness.
Enhanced Documentation Standards: Stricter enforcement of change management and incident response documentation to improve audit readiness.
Accelerated Vulnerability Remediation: Improved workflows and escalation procedures to shorten remediation timelines for critical findings.
Expanded Employee Training: Annual security awareness training supplemented with targeted refreshers on emerging threats.
Vendor Oversight Strengthening: More rigorous reviews of subservice providers to ensure alignment with MarketPush’s security standards.
Business Continuity Testing: Annual disaster recovery exercises to validate readiness and resilience under real‑world scenarios.
Client Assurance and Transparency
Closing & Commitment Statement
MarketPush’s SOC 2 Type II audit, conducted for the period May 1, 2025 to July 31, 2025, confirmed that our security controls were suitably designed and operated effectively to achieve our commitments to confidentiality, integrity, availability, and accountability. Independent auditors validated that our platform consistently enforced encryption, access management, monitoring, vulnerability remediation, and incident response procedures, providing reasonable assurance that client data remains secure.
This document reflects the reality of those findings: MarketPush’s security posture was independently assessed and confirmed effective for the audit period. Clients can rely on the fact that controls were tested, validated, and documented, with deviations addressed and corrective actions taken.
Contact Information
MarketPush maintains a dedicated Security & Compliance team to support clients with questions, requests, or concerns related to data protection and compliance.