Architecture, not policy.
Most security postures are built on policy — rules, reviews, quarterly audits, a trust office with a team. Mulholland treats security as architecture. Every deployment runs in its own isolated environment: dedicated compute, dedicated storage, dedicated network path. No shared anything between clients. What we promise below we can't physically violate, because the systems are not connected to each other.
SOC 2 Type II
We meet SOC 2 requirements to ensure secure and compliant management of data across all our systems.
Enterprise isolation.
Per-client infrastructure
Dedicated VM, database, and tunnel per client. No shared compute or storage between organizations.
Zero open ports
All traffic flows through Cloudflare Tunnels. No HTTP/HTTPS ports open on VMs. SSH only via IAP.
Encrypted at rest
OAuth tokens encrypted with AES-256-GCM. SSL on all database connections. Daily backups with PITR.
Sandboxed execution
Python ML models run in rootless containers. No network access, read-only filesystem, 30-second timeout.
Operational controls.
JWT-authenticated reads under row-level security. mTLS at the edge. Secret material in Google Secret Manager. Per-tenant isolation by GCP project. We disclose material security incidents to affected customers without undue delay.
Sub-processors.
We share information only with sub-processors who help us run the Service: Google Cloud (compute, storage, secrets), Cloudflare (network and access), and Anthropic (the underlying model behind Marzy). We don't share customer data with advertisers or data brokers.
Contact.
To ask a security question or report a vulnerability: security@mulholland.inc.