Trust Center

We hold ourselves to the standard we sell.

Last updated: 12 June 2026

Security advice is only credible if the adviser runs a tight ship. This page describes how Marymia secures its own systems, how we handle the data clients trust us with, and how to reach us about a security concern.

How we secure our own estate

Multi-factor authentication is enforced on every account that touches client work or production systems. Access follows least privilege: credentials are scoped per system, never shared, and revoked promptly when no longer needed.

All data is encrypted in transit (TLS) and at rest with our infrastructure providers. Production secrets live in managed secret stores — never in code, repositories, or chat.

How we handle client data

We collect the minimum needed for the engagement, keep it within the engagement's agreed systems, and delete it on completion unless you ask us to retain it. Client material is never used to market our services without written permission — our public case studies are anonymised.

Where an engagement involves personal data, we act as a processor under a data processing agreement and follow your retention and residency requirements.

Our supply chain

We run a deliberately small supplier list and review it regularly — the same third-party scrutiny we provide as a service. Core providers: Vercel (hosting), Supabase (data infrastructure), Resend (email), GitHub (source control), Stripe (payments where applicable).

Engagement security practices

Builds inherit hardened defaults: strict Content Security Policies, signed webhooks, rate limiting, input validation, and audit trails. Security testing of client systems happens only with written authorisation and an agreed scope — and we expect the same of anyone testing ours.

Responsible disclosure

Found a security issue on a Marymia property? We want to hear about it. Email hello@marymia.co.uk with the subject "Security" — include steps to reproduce and, please, no testing beyond what is needed to demonstrate the issue. We acknowledge reports within two working days, keep you informed, and credit researchers who wish to be named. We do not pursue good-faith research conducted within these guidelines.

Questions

Want our security practices in more depth for a vendor review? Ask — answering security questionnaires is literally one of our services. Email hello@marymia.co.uk.