At GoMarble, security is paramount in everything we do. Our Model Context Protocol (MCP) Server implementation follows industry best practices and enterprise-grade security standards to ensure your data remains protected at all times. This document outlines our comprehensive security framework, compliance certifications, and transparent data management practices that give you complete confidence in our platform.
Key Security Highlights:
Full compliance with OAuth 2.1 and MCP Protocol authorization standards
Verified business status with Google, Meta, and Shopify
SOC 2 and ISO 27001 certification in progress
Complete user control over credential management
Transparent data handling with instant revocation capabilities
OAuth and MCP Protocol Security Framework
Compliance with MCP Authorization Guidelines
GoMarble's MCP Server strictly adheres to the Model Context Protocol's OAuth authorization specification, implementing state-of-the-art security measures:
OAuth 2.1 Implementation:
Full compliance with OAuth 2.1 security best practices as defined in the MCP specification
Support for both Authorization Code and Client Credentials grant types based on use case requirements
Implementation of PKCE (Proof Key for Code Exchange) for authorization code protection against interception attacks
Dynamic Client Registration Protocol (RFC7591) support for seamless integration
Token Security:
Short-lived access tokens with automatic refresh token rotation for public clients
Secure token storage following OAuth best practices to prevent token theft
HTTPS-only communication for all authorization server endpoints
Proper validation of all access tokens as per OAuth 2.1 resource server requirements
Authorization Server Discovery:
Implementation of OAuth 2.0 Protected Resource Metadata (RFC9728) for secure authorization server location
Proper WWW-Authenticate header handling for HTTP 401 responses
Support for OAuth 2.0 Authorization Server Metadata (RFC8414) for endpoint discovery
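The discovery and PKCE steps listed above, as an added illustration that is not GoMarble's code: a client follows a 401 WWW-Authenticate challenge to the RFC 9728 protected-resource metadata, then to the RFC 8414 authorization-server metadata, checks the issuer and S256 support, and derives a PKCE challenge. The example.com hosts and the metadata documents are constructed placeholders so the flow runs offline.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample 401 challenge from an MCP resource server (RFC 9728 section 5.1); example.com is a placeholder.
SAMPLE_WWW_AUTHENTICATE = 'Bearer realm="mcp", resource_metadata="https://mcp.example.com/.well-known/oauth-protected-resource"'
# Constructed metadata documents keyed by URL, standing in for HTTPS fetches so this runs offline.
SAMPLE_DOCUMENTS = {
    "https://mcp.example.com/.well-known/oauth-protected-resource": {  # RFC 9728 document
        "resource": "https://mcp.example.com",
        "authorization_servers": ["https://auth.example.com"],
    },
    "https://auth.example.com/.well-known/oauth-authorization-server": {  # RFC 8414 document
        "issuer": "https://auth.example.com",
        "authorization_endpoint": "https://auth.example.com/authorize",
        "code_challenge_methods_supported": ["S256"],
    },
}

def parse_resource_metadata_url(www_authenticate):
    # Pull the resource_metadata parameter out of the Bearer challenge.
    match = re.search(r'resource_metadata="([^"]+)"', www_authenticate)
    if not match:
        raise ValueError("401 challenge carries no resource_metadata parameter")
    return match.group(1)

def fetch_json(url, documents):
    # Offline stand-in for an HTTPS GET; refuses plaintext URLs as a real client must.
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS metadata URL: " + url)
    return documents[url]

def discover_authorization_server(www_authenticate, documents=SAMPLE_DOCUMENTS):
    """401 challenge -> protected resource metadata -> authorization server metadata."""
    prm = fetch_json(parse_resource_metadata_url(www_authenticate), documents)
    issuer = prm["authorization_servers"][0]
    asm = fetch_json(issuer.rstrip("/") + "/.well-known/oauth-authorization-server", documents)
    if asm.get("issuer") != issuer:  # RFC 8414 section 3.3: issuer must match the URL it was fetched from
        raise ValueError("issuer mismatch in authorization server metadata")
    if "S256" not in asm.get("code_challenge_methods_supported", []):
        raise ValueError("authorization server does not advertise PKCE S256")
    return asm

def pkce_challenge(verifier):
    """S256 code_challenge = BASE64URL(SHA256(code_verifier)), unpadded (RFC 7636)."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def new_pkce_pair():
    # Fresh 43-character verifier from 32 random bytes, plus its challenge.
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, pkce_challenge(verifier)
```

The issuer check is what stops a tampered resource-metadata document from redirecting the client to an authorization server that does not own the advertised issuer.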
Platform-Specific Verification and Compliance
Google Cloud Platform Verification
GoMarble maintains verified status with Google Cloud Platform, ensuring enterprise-grade security and compliance:
App Verification Status:
Complete OAuth app verification through Google's rigorous security assessment process
Verified domain ownership through Google Search Console for all authorized domains
Brand verification completed, providing users with clear app identity and data policies
Security Requirements Met:
Privacy policy hosted on verified domains and linked from OAuth consent screen
Production-grade OAuth clients with no test environments or debug configurations
Comprehensive app homepage describing functionality and hosting privacy policy
Compliance with Google's OAuth 2.0 policies and Google API Services User Data Policy
Reference: Google OAuth App Verification Requirements
Meta/Facebook Platform Verification
Our integration with Meta platforms follows strict business verification protocols:
Business Verification:
Completed Meta business verification process with official documentation
Full compliance with Facebook's business verification requirements including legal business documentation
Adherence to Meta's data handling and privacy requirements for business applications
Reference: Facebook Access Verification
Shopify Partner Program Compliance
GoMarble meets all Shopify App Store requirements and best practices:
App Store Requirements:
Full compliance with Shopify's app requirements checklist including data privacy and security standards
Implementation of secure app proxy authentication for request verification
Proper handling of protected customer data with declared uses subject to Shopify review
Security Implementation:
Secure storage and processing of Shopify data with ability to erase data upon request
Use of supported APIs only, avoiding deprecated functionality
Compliance with Shopify's data protection requirements and review processes
Reference: Shopify App Requirements Checklist
Verified Business Status
Multi-Platform Verification
GoMarble has achieved verified business status across all major integration platforms:
✅ Google Cloud Platform - Verified business with completed brand verification
✅ Meta/Facebook - Business verification completed with official documentation
✅ Shopify - Partner verification and app store compliance achieved
This multi-platform verification demonstrates our commitment to transparency and provides additional assurance of our legitimacy as a trusted business partner.
Transparent Credential Management
User-Controlled Access Management
We believe in putting you in complete control of your data and integrations:
GoMarble Integration Dashboard:
Full Transparency: Access your complete integration management dashboard at https://apps.gomarble.ai/setup/integrations
Instant Control: Revoke, update, or modify access permissions for any integration at any time
Automatic Cleanup: When you revoke access, we immediately delete all stored credentials from our systems
Real-Time Permissions:
View all active integrations and their permission scopes
Understand exactly what data each integration can access
Modify permissions without re-authentication where supported
Platform-Native Revocation
In addition to our transparent dashboard, you maintain full control through each platform's native settings:
Meta/Facebook Access Control:
Manage app permissions directly: Meta Connected Experiences
Revoke access instantly through your Facebook security settings
View detailed access logs and permission history
Google Account Management:
Control app access through your Google Account settings
Review and revoke permissions at any time
Monitor access patterns and security events
Shopify App Management:
Manage app permissions through your Shopify admin panel
Uninstall and reinstall apps as needed
Control data sharing preferences per application
Enterprise Security Certifications
SOC 2 Compliance (In Progress)
GoMarble is actively pursuing SOC 2 Type II certification, demonstrating our commitment to:
Security: Protecting system resources against unauthorized access
Availability: Ensuring systems remain operational and accessible
Processing Integrity: Maintaining accurate and complete data processing
Confidentiality: Protecting sensitive information from unauthorized disclosure
Privacy: Meeting privacy commitments and requirements
ISO 27001 Certification (In Progress)
We are implementing ISO 27001 Information Security Management System (ISMS) standards covering:
Risk Management: Comprehensive assessment and mitigation of security risks
Access Control: Strict user access management and authentication protocols
Incident Management: Robust procedures for detecting and responding to security incidents
Business Continuity: Ensuring service availability and data protection during disruptions
Continuous Improvement: Regular security audits and process enhancements
Secure Architecture and Development Practices
Infrastructure Security
Cloud-First Architecture:
Multi-region deployment with automated failover capabilities
End-to-end encryption for data in transit and at rest
Network segmentation and zero-trust security model
Regular penetration testing and vulnerability assessments
Data Protection:
AES-256 encryption for all stored credentials and sensitive data
TLS 1.3 for all client-server communications
Development Security
Secure Development Lifecycle (SDLC):
Security-by-design principles in all development phases
Regular code reviews with security focus
API Security:
Rate limiting and DDoS protection
Input validation and sanitization
API versioning with secure deprecation policies
Comprehensive logging and monitoring
Authentication and Authorization:
Role-based access control (RBAC) with the principle of least privilege
Regular access reviews and automated deprovisioning
Session management with secure token handling
Monitoring and Incident Response
24/7 Security Monitoring:
Real-time threat detection and alerting
Security Information and Event Management (SIEM) integration
Automated response to common security events
Regular security metrics reporting and analysis
Incident Response:
Dedicated security incident response team
Defined escalation procedures and communication protocols
Regular incident response drills and training
Post-incident analysis and improvement processes
Data Privacy and Compliance
Privacy by Design
Data Minimization:
Collection of only necessary data for service functionality
Regular data retention policy reviews and enforcement
Consent Management:
Clear consent mechanisms for all data collection
Granular consent options for different data types
Easy consent withdrawal processes
Regular consent renewal and validation
Continuous Security Improvement
Regular Security Assessments
Internal Audits:
Quarterly security control assessments
Annual comprehensive security reviews
Continuous compliance monitoring
Employee security training and awareness programs
Future Security Enhancements
Roadmap Initiatives:
Zero-trust architecture implementation
Advanced threat detection using AI/ML
Enhanced encryption and key management
Expanded compliance certifications (FedRAMP, HITRUST)
Contact and Support
For security-related questions or concerns, please contact our security team:
Security Email: admin@gomarble.ai
General Support: support@gomarble.ai
Integration Dashboard: https://apps.gomarble.ai/setup/integrations
Conclusion
GoMarble's comprehensive security framework ensures that your data and integrations remain secure while providing you with complete transparency and control. Our commitment to following industry best practices, obtaining relevant certifications, and maintaining verified status across all major platforms demonstrates our dedication to earning and maintaining your trust.
Through our transparent credential management system, rigorous security practices, and ongoing compliance efforts, we provide enterprise-grade security that scales with your business needs while keeping your data protected at all times.
Last Updated: July 18, 2025
Document Version: 1.0