Security & Privacy

How marql handles your business data

Read-only access to your systems. Data stored in the EU on AWS. Encrypted in transit and at rest. Your data is never written back to your POS or sold to third parties.

For compliance documentation, DPA agreements, or specific security requirements, contact [email protected].

Core security principles

Read-only access

marql connects to your POS, accounting, and ERP systems with read-only credentials. We never write back to your source systems, modify your records, or change any configuration in your existing stack.

Encrypted in transit and at rest

All data in transit between your systems and marql is encrypted using TLS. Data stored in our platform is encrypted at rest using industry-standard encryption.

EU data storage

Your data is stored on AWS infrastructure in the EU (Stockholm, eu-north-1 region). We do not transfer your business data outside the European Union.

Isolated per organisation

Each organisation's data is logically isolated. Your data is not accessible to other organisations on the platform. Enterprise plans include a dedicated database option for physical isolation.

You control access

Role-based access means you decide who in your organisation sees which data. Owners see all stores; store managers see only their location. Access is configured once and enforced automatically.

No data sold, no ad tracking

We do not sell your data to third parties and we do not use advertising or tracking cookies. Session cookies are used strictly for authentication.

What "read-only" means in practice

When marql connects to your POS, accounting, or ERP system, the connection uses read-only credentials — an API key or export access that grants viewing permission only. marql has no ability to:

  • Create, update, or delete transactions in your POS
  • Modify invoices, records, or entries in your accounting system
  • Change prices, products, or any configuration in connected systems
  • Access data beyond what is needed to produce operational views

Your source systems — POS, accounting, ERP — continue to operate exactly as before. marql reads from them; nothing else changes. If you disconnect a source at any time, the read access is revoked immediately.

How your data flows through the platform

For transparency, here is what happens to your data at each stage of the marql pipeline:

Stage
What happens
Where it's stored
Connection
Read-only API key or scheduled CSV export from your POS / accounting system
Credentials stored encrypted, never logged in plain text
Sync
Transaction records, invoices, and metric data read from source systems
Normalised data stored in your organisation's isolated data store on AWS EU
Briefing
marql processes the synced data to produce daily briefings, anomaly alerts, and AI answers
Processed views stored in AWS EU; source raw data cached per your plan's retention window
Access
Users access briefings and dashboards through the platform
Sessions use TLS; role-based access limits what each user can view

For a full technical diagram of the data flow from your POS to the briefing, see the data flow page.

Infrastructure and hosting

marql runs on AWS infrastructure in the EU (Stockholm, eu-north-1 region). Your business data is not transferred outside the European Union. We use Railway and AWS for hosting and do not operate our own physical data centres.

Cloud provider

AWS (Amazon Web Services)

Data region

EU — Stockholm (eu-north-1)

Encryption in transit

TLS (all connections)

Encryption at rest

Industry-standard, enabled by default

Data transfers outside EU

None for business data

Infrastructure provider (hosting)

Railway / AWS, data stored in EU

Enterprise: dedicated database

Standard plans use logical data isolation — your organisation's data is separated from others at the application and database level. For networks with specific data governance requirements, the Enterprise plan includes a dedicated database or isolated infrastructure option, where your data is physically separate from other organisations' data.

Enterprise plans also include SLA agreements and custom data retention terms. For Enterprise security requirements, contact [email protected] or see the Enterprise plan details.

GDPR and your data rights

marql operates under GDPR for organisations and users in the European Economic Area. You have the right to access, correct, or delete your personal data at any time.

  • Request a copy of the personal data we hold about you
  • Request correction of inaccurate personal data
  • Request deletion of your account and associated data
  • Object to processing or request restriction
  • Request a Data Processing Agreement (DPA) for your organisation

To exercise any of these rights or to request a DPA, contact [email protected]. Full details are in the Privacy Policy.

Third-party services

We use a limited set of sub-processors. The following third-party services may handle data as part of the marql platform:

Service
Purpose
AWS / Railway
Infrastructure hosting — data stored in EU (Stockholm)
Google / Microsoft OAuth
Authentication only — name and email received
Sentry
Error monitoring — anonymised stack traces only
Google Analytics 4
Website analytics — only with explicit consent
Calendly, Inc.
Demo scheduling — name and email for meeting booking only

We do not sell personal data or business data to any third party. We do not use advertising networks.

Security questions

DPA, compliance documentation, or specific requirements?

For Data Processing Agreements, penetration test reports, security questionnaires, or enterprise compliance discussions, contact our privacy team directly.

Frequently asked questions

Data security and privacy