Identity controls
Manager and applicant access
Security trust markers summarize DPA readiness, access boundaries, and operational security posture.
Contract-stage DPA terms are reviewed separately from this public overview.
DPA readiness
Public pages are separated from private application, file, billing, and note records.
Access boundaries
Security controls cover account access, uploads, headers, and operational audit posture.
Operational security
Security and trust for The Market Manager.
A practical overview of how the platform protects account access, private application records, uploaded files, operational data, and public-market boundaries.
Review controls moves to the security controls section on this page without leaving the security overview.
Review DPA posture moves to the data processing addendum section without leaving this security overview.
Review controls Review DPA postureSecurity posture summary
Dashboard preview and security highlights describing identity, private-record, and audit boundaries.
Security posture highlights explain identity controls, private-record boundaries, and audit posture.
Account identity and scoped routes help separate manager and applicant access.
Private operational records are not exposed through public market listings.
Private records
Submission, file, billing, and note boundaries
Operational records support review without turning this page into a certification claim.
Audit posture
Sensitive owner and operational activity records
Security policy sections explain controls, DPA posture, access boundaries, subprocessors, and incident response.
Security and Trust
This page is a sales and customer-confidence anchor for security review. It describes the platform posture without replacing a signed contract, final DPA, or customer-specific security questionnaire.
Section 1
Security controls
The platform supports authenticated manager accounts, applicant portal access, MFA lifecycle controls, conservative security headers, upload safety checks, tenant-scoped application data, mobile token lifecycle controls, and audit records for sensitive owner and operational activity.
Access to private records is designed around account identity, company scope, and route-level authorization. Public market pages are separate from private application submissions, internal reviews, permit files, payment records, and team notes.
Section 2
Data processing addendum
A Data processing addendum should define customer data roles, processing instructions, subprocessors, confidentiality, deletion or return of data, security measures, assistance obligations, and breach notification responsibilities.
This public page provides the baseline security and privacy posture for sales review. Customer-specific DPA execution, negotiated terms, and legal approvals remain contract-stage work and are not automated by this page.
Section 3
Access boundaries
Public visitors can see published market information and public application availability. They cannot use public listing access to view private applicant answers, uploaded permit documents, billing records, internal notes, customer support history, or manager-only dashboards.
Manager and applicant access flows are separated from public discovery pages. Customer teams remain responsible for granting appropriate account access and keeping their published market information accurate.
Section 4
Subprocessors
The platform may use third-party providers for hosting, authentication support, file storage, email delivery, payments, monitoring, and other operational needs. These providers process data only as needed to deliver the service.
A finalized customer DPA should identify active subprocessors and the notice process for material subprocessor changes.
Section 5
Incident response
Security incidents should be triaged by severity, investigated with available audit and operational records, contained, remediated, and communicated according to contractual and legal obligations.
Customer-specific notification windows, legal escalation, and supporting records are handled through the applicable agreement and incident-response process.
This note clarifies that public market visibility does not grant access to protected submissions, account records, files, billing details, or internal notes.
Need the policy boundary?
Public listing visibility, application availability, and private record access are separate. A visitor may be able to see a market page without being able to view any protected submission or account information.