Background

This page answers common questions about Marloo, our background and our privacy policies.

Email us any time at team@gomarloo.com

Marloo is certified SOC 2 Compliant

We take your data seriously — that’s why we’re proud to be SOC 2 compliant, the gold standard for security in the SaaS industry.

SOC 2 is a rigorous, independent audit that verifies we have the proper systems and controls in place to keep your data secure, confidential, and always available.

Whether you’re a small team or an enterprise company, you can trust that your information is handled with the same level of care and protection required by some of the world’s most security-conscious organizations.

You can download our official Attestation Status document here.
View Marloo trust center

Frequently asked questions

How do you store and use the information provided from client meetings (transcripts / audio / images)?
  • All recordings, transcripts and summaries are encrypted and stored on Amazon Web Services in the Sydney region. We use third-party providers (more below) to process these inputs.
  • No customer data is ever used to train or improve third-party AI models. Your data remains isolated to your environment.
What cyber-security arrangements do you have in place to protect our client information?
  • All data in storage is protected with AES-256 encryption; data in transit uses TLS 1.3.
  • Row-Level Security is enforced on every database table.
  • API requests are authenticated with JWTs signed by our Auth service.
  • Access to Supabase and other production systems is restricted to Marloo staff through role-based permissions and mandatory multi-factor authentication.
  • Our external audit confirmed compliance with SOC 2 Type 1; the Type 2 audit is in progress.
  • We operate a GDPR-aligned privacy programme and honour deletion requests at any time (we are live in the UK, AU and NZ).
  • Additional technical and organisational measures are published in our Trust Centre.
Where is all client data stored and processed, including recordings, transcripts and summaries?
  • The database is in AWS Sydney.
  • AssemblyAI (transcription), Recall (meeting bots) and Anthropic (LLM) process data in the United States. 
    • AssemblyAI: Data deleted once received by Marloo
    • Recall: Data deleted after 7 days (call recorded on US-hosted infrastructure)
    • Anthropic: Zero data retention. Summaries are generated by Anthropic’s LLM service in the United States. We have an enterprise agreement with Anthropic for zero data retention and priority throughput, so prompts are discarded once the response is returned.
  • Transient email and edge traffic may pass through Cloudflare or Amazon SES points of presence in other regions; no customer data is stored there.
Do you have an information-security policy or documentation outlining encryption standards, access controls and certifications?

Yes. Annex 2 of the Data Processing Agreement, together with our Trust Centre, sets out encryption standards, access controls, audit logging and incident-response procedures. Key points are AES-256 at rest, TLS 1.3 in transit, enforced MFA, twelve-month log retention and SOC 2 Type 1 accreditation with Type 2 in progress.

What are your data-retention practices, especially for transcripts and recordings? Can clients configure deletion policies?
  • Data remains available while your account is active. Users tend to re-visit meetings and recordings frequently. 
  • Clients can configure deletion in several ways:
    • Meeting bot recordings are automatically deleted within seven days
    • Webapp recordings are stored unless deleted
    • Transcripts are stored unless deleted
    • Summaries are stored unless deleted
  • The above is a short-term position, and we are about to launch deletion control preferences.
  • When an account ends you may instruct us to delete or export all data. We then delete working copies and keep one encrypted legal-backup copy for up to seven years unless you request a shorter hold.
  • Daily encrypted backups are taken and stored in the same AWS Sydney region.
  • You can request earlier deletion of specific items by emailing support@gomarloo.com.
Is any client data used to train, fine-tune or improve third-party AI models?

No.

Do you have processes in place to manage bias and quality control in AI-generated content?

Yes, we manage quality control through internal testing with our own test data. We have never had a complaint or issue with the quality or bias of our summaries.

If there are any issues, we will act quickly. Our average Intercom response time is <10 minutes.

Who retains ownership of the data and content generated through Marloo? Are there any rights retained by Marloo to access or reuse that data?

All templates, transcripts, summaries and file notes belong to the customer. Marloo retains only the limited right to process that data to deliver the service and does not reuse or disclose customer content for any other purpose.

Privacy is paramount

We designed Marloo with privacy and security at its core. From the latest encryption standards to robust compliance measures, your data is always protected.

Advanced data controls

Opt to automatically delete recordings or transcripts whenever you choose, ensuring seamless compliance with your needs.

SOC 2 & GDPR compliant from day one

We’ve been SOC 2 and GDPR compliant since before anyone used Marloo, which means we’ve had processes in place to protect your data since day one.

Your data, your choice

We have regional data centers to ensure your data stays under your control.

Marloo Trust Center

We're wrapping Marloo in best-in-class privacy and security standards. Visit our Trust Center to learn more.