Security and Compliance

Learn about Marloo's security standards

Written by Hardy Michel
Updated over 3 weeks ago

Executive Summary

  • Marloo is SOC 2 Type 2 certified and holds a "Very Good" CARR cybersecurity rating.

  • Your data is never used to train AI models. All AI providers operate under zero data retention agreements.

  • All data is stored on AWS Sydney with AES-256 encryption at rest and TLS 1.3 in transit.

  • Full security documentation, certifications, and the Data Processing Agreement are available at trust.gomarloo.com.

Key Resources

Certifications and Assessments

Marloo holds the following certifications and independent assessments:

  • SOC 2 Type 2: Certified, audited by AssuranceLab. The trust report and certificate are publicly available at trust.gomarloo.com.

  • CARR Cybersecurity Assessment: Completed by Aphore, rated "Very Good". This is the de facto Australian standard for assessing cybersecurity risk with third-party suppliers.

  • Annual Penetration Testing: Conducted by independent third-party security firms.

  • Continuous Compliance: Monitored via Vanta with ongoing validation of security controls.

Data Storage and Encryption

All recordings, transcripts, and summaries are encrypted and stored on Amazon Web Services in the Sydney region (ap-southeast-2).

  • Encryption at rest: AES-256

  • Encryption in transit: TLS 1.3

  • Database security: Row-level security is enforced on every database table, ensuring complete data isolation between customers.

  • Access controls: API requests are authenticated with signed tokens. Access to production systems is restricted to Marloo staff through role-based permissions and mandatory multi-factor authentication.

  • Endpoint protection: All devices are protected with endpoint detection and response (EDR).

AI and Data Privacy

Marloo uses a variety of AI models. Your data is never used to train AI models, and we operate under zero data retention agreements with all AI providers.

All AI providers operate under enterprise agreements with contractual zero data retention guarantees. Prompts are discarded once the response is returned. This commitment is documented across our Terms of Service, DPA, and Privacy Policy.

Data Processing

Processing by transcription and AI providers takes place in the United States, but no customer data is retained by any of these providers after processing is complete.

A full and current list of sub-processors is maintained at trust.gomarloo.com/subprocessors.

Data Ownership

All templates, transcripts, summaries, and file notes belong to you. Marloo retains only the limited right to process your data to deliver the service and does not reuse or disclose customer content for any other purpose.

Data Retention

  • Meeting bot recordings: Deleted immediately after processing by our recording provider.

  • Webapp recordings: Stored unless you delete them.

  • Transcripts and summaries: Stored unless you delete them.

  • Custom retention policies: Contact support to configure a custom retention period for audio recordings and meeting transcripts.

  • Backups: Daily encrypted backups are stored in the AWS Sydney region.

You can delete specific items at any time, or request bulk deletion by emailing [email protected].

Audit Trails

Marloo maintains audit logs covering transcript generation, AI summary creation, and user actions within the platform. Security-related logs are retained for 12 months. Transcript audit logs are retained indefinitely for compliance purposes.

AI Quality Control

Marloo's AI processing is grounded in the actual meeting transcript. The model generates summaries and file notes directly from the verbatim conversation content rather than from general knowledge. You retain full editorial control and are expected to review outputs before use, as outlined in our Terms of Service (clause 9).

Compliance

Marloo's Terms of Service, Data Processing Agreement, and Privacy Policy together meet the requirements of the Australian Privacy Act and the New Zealand Privacy Act (2020). Marloo operates a GDPR-aligned privacy programme and honours deletion requests at any time.

Data Protection Contact

For data protection and compliance enquiries, contact [email protected].

Frequently Asked Questions

Can I delete recordings?

Yes. You can delete recordings at any time from within Marloo. Once deleted, the recording is permanently removed.

How long are recordings stored?

Recordings are stored indefinitely unless you choose to delete them. If you need a specific retention policy for your organisation, contact support to configure a custom retention period.

Is there a Data Processing Agreement (DPA)?

Yes. The DPA is Schedule 1 to the Terms of Service, available at gomarloo.com/terms. Full details are also at trust.gomarloo.com. Marloo is the Data Processor, and your firm is the Data Controller.

Is any data hosted or processed outside Australia?

Processing by transcription and AI providers takes place in the United States, but no customer data is retained by any of these providers after processing is complete. Your primary database is in AWS Sydney.

My director is concerned about data access. What should I tell them?

Your data never trains AI models. Marloo uses role-based access controls so you can manage who sees what within your organisation. Each adviser's meeting data is kept separate from that of other advisers. Full details on our security controls and certifications are available at trust.gomarloo.com.

Who owns the data generated through Marloo?

You do. All templates, transcripts, summaries, and file notes belong to the customer. Marloo retains only the limited right to process your data to deliver the service.

Are there audit trails for generated content?

Yes. Marloo maintains audit logs covering transcript generation, AI summary creation, and user actions. These logs are available for compliance purposes.

Who is responsible for data protection at Marloo?

Hardy Michel (Co-founder) is Marloo's designated Data Protection Officer. For enquiries, contact [email protected].
