Security
How we protect your data
We treat your business documents, customer lists, and content the same way we'd want ours treated. Here's exactly what we do.
Seven things we get right
No marketing fluff. These are the controls in place today, in language a non-engineer can verify.
Encrypted at rest and in transit
All your data is encrypted when stored and whenever it travels between our systems. Sensitive fields like API keys are also encrypted at the application layer.
Strict access controls
Every database query is scoped to your tenant. Internal staff need a written reason and time-boxed approval to see your data, and every action is logged.
Audit trails for every change
Every administrative action, login, and data change is recorded in an immutable audit log. We keep these for at least seven years for compliance.
Plain-English data export and deletion
You can export everything we know about your account at any time, as a single ZIP, from your settings. You can also delete your account, and we will purge your data on a documented schedule.
Hosted in Canada on Oracle Cloud Infrastructure
Your business data lives on OCI servers in Canadian data centres. We do not move it offshore for processing.
Two-factor authentication available to everyone
All customer accounts can enable two-factor authentication. Admin access requires it. You can also use a passkey on supported devices.
Bring-your-own AI keys
If you bring your own AI provider key, your prompts and content go directly between your account and that provider. We route the request but do not store the response payload past what you save.
SOC 2 readiness
We have built EasyMark to satisfy the SOC 2 Trust Services Criteria: security, availability, confidentiality, processing integrity, and privacy. The controls described on this page are real and in production today.
We are working with an external auditor on a Type I report. Until that report is signed, we will not claim certification. We can share our Information Security Policy and our subprocessor list on request.
Important: SOC 2 readiness is not the same as SOC 2 certification. We will update this page the day the report is signed.
Data sovereignty
BYO-AI keeps your prompts in your account
Every paid plan supports bringing your own API key for Claude, OpenAI, or Gemini. When you do, your prompts and AI outputs flow through your provider account, not ours. We ship the request, the AI provider answers you directly, and we never persist the raw response. This matters if your industry requires data residency or if you simply want a clean separation.
Found a security issue?
We treat responsible disclosure seriously. Email us a description (and a way to reproduce, if possible) and we will respond within one business day. Our security contact is security@easymark.ca.