We’re an early-stage company and we say so plainly: we hold ourselves to enterprise-grade engineering discipline today, and we’re on a path to enterprise-grade attestation (SOC 2) as we grow. What follows is an honest description of where we are — not a certification.

Your records are tamper-evident — and provable without us

  • Every compliance record is written to an append-only, cryptographically chained ledger. Any alteration after the fact is detectable.
  • The integrity proof is unkeyed — it survives the loss or compromise of any of our secrets. Nobody, including us, can silently rewrite a sealed record and have it still verify.
  • You can verify your records offline, without Earmark. Every export ships with a standalone verifier you run in your own browser — so your compliance evidence keeps working even if you stop being a customer. Your proof does not depend on our continued existence.
  • We’re precise about what this means: records are tamper-evident, not tamper-proof, and integrity is not the same as truth-at-entry. We never overclaim it.

Data protection

  • Encryption in transit: all traffic to and between our systems is over TLS.
  • Encryption at rest: the primary datastore is encrypted at rest, and sensitive third-party credentials are additionally encrypted at the application layer, enforced as a database invariant.
  • Tenant isolation: every customer’s data is strictly scoped to that customer. Isolation is enforced structurally and asserted by automated checks on every code change — not left to convention. Cross-tenant links are rejected at write time.
  • Data minimization: we hold regulated business records (premises identifiers, license and accreditation numbers, premises addresses, animal records). We generally do not hold sensitive consumer data such as SSNs, financial account numbers, or biometrics.

Data ethics

  • We never sell your data, and we never hand your records to a third party for that party’s own use.
  • We never use your data to score you adversely or to benchmark you against a competitor.
  • Sharing happens only when you grant it — scoped to what you chose, revocable, and itself on the record. You can see exactly what a counterparty would see before you share it.

Access & authentication

  • Authentication is handled by a specialized identity provider (Clerk); multi-factor authentication is supported.
  • Role-based access control with least-privilege scoping — the application runs against a database role that cannot alter or delete sealed records.
  • Segregation of duties is a first-class control: the system detects and surfaces conflicting-role situations rather than silently permitting them.

Reliability & continuity

  • Point-in-time recovery with a measured, rehearsed restore procedure; after any restore, the record chain is re-verified by two independent checks before it’s trusted.
  • Our disaster-recovery procedure is exercised on a schedule in automation, not just documented.
  • Where a supporting service degrades, the system is designed to fail safe — a rate-limiter outage never takes the application down, and because compliance decisions are computed by deterministic rules (not AI), an AI outage never affects your system of record.

AI & your data

  • AI in Earmark assists — it surfaces and explains. It never makes the compliance determination; those are deterministic, rule-based, and human-reviewable. AI never issues a regulated document on its own.
  • Our sole AI provider operates under no-training contractual terms. We are actively closing a zero-data-retention arrangement and tokenizing personal data end-to-end for the AI surfaces; this page will reflect that as it lands.

Sub-processors & data location

  • All customer data is stored and processed in the United States.
  • We maintain a current list of the third-party services that support Earmark and the data each receives — available on request.

Change management

Every change ships through peer and automated review under branch protection, with an extensive suite of automated correctness and security checks that must pass before merge.

Responsible disclosure

Found a security issue? Email us. We’ll acknowledge and work with you in good faith. Please give us a reasonable window before public disclosure.

Where we’re headed

We publish our roadmap because a maturing security posture is more credible than a static claim. On our near-term list: SOC 2 readiness, an off-platform backup copy, formal MFA enforcement policy, a documented key-succession plan, and a third-party penetration test as we scale. We’d rather tell you what’s next than pretend it’s already done.