Certification status: Margin Shift and SOC247 are not currently SOC 2 Type 2 certified. Our internal SOC247 control plane maintains SOC 2, ISO 27001, and NIST CSF readiness mappings, evidence ledgers, access-review queues, vendor-review registers, and audit-package exports to keep the operating environment audit-ready.
Governance and ownership
Security responsibility is assigned to Charles Blackburn, supported by SOC247 as the internal continuous-control and monitoring layer. Security procedures are reviewed as the operating environment changes and when new integrations or vendor-risk decisions are introduced.
Access control
- Role-based access is used for systems, data stores, infrastructure, SaaS tools, and automation services.
- Administrative and production access is limited to authorized operators and reviewed periodically.
- Access changes, privileged actions, and vendor-risk decisions are captured in work orders or audit-ready records where practical.
- 1Password is used for credential storage, vault segmentation, and service-account separation.
Authentication
Critical systems use multi-factor authentication. Where available, we prefer phishing-resistant controls such as passkeys, biometrics, hardware-backed authenticators, or platform authenticators. We avoid third-party SSO for vendor signups unless a credential record explicitly documents that SSO is the correct login method.
Encryption and network protection
- Public web traffic uses HTTPS/TLS.
- Private services are kept behind Tailscale or equivalent private-network controls unless public exposure is specifically approved.
- Sensitive data is encrypted at rest where supported by the system of record, cloud platform, database, or storage layer.
- Secrets are not stored in public web content, handoff notes, source control, or browser workers.
Financial data
Financial data connections are used only for authorized workflow automation, reporting, implementation, testing, or advisory purposes. Access is scoped to the requested use case. Collection requires user or client consent, and retention follows the limits described in the Privacy Policy.
Vulnerability and patch management
SOC247 monitors infrastructure and security signals, creates work orders for gaps, and supports vulnerability, patch, and end-of-life software review. Remediation is approval-gated unless an explicit pre-approved response policy exists.
Monitoring and incident response
SOC247 collects control evidence, monitors selected infrastructure and SaaS control planes, and maintains work-order history. Security findings are triaged, assigned, acknowledged, resolved, suppressed, or reopened with evidence preserved for later review.
Vendor and third-party risk
Critical vendors such as identity, secrets management, private networking, infrastructure, and AI tooling are tracked in a vendor-risk register. New integrations are reviewed for data access, authentication method, retention behavior, and operational risk before production use.
Data retention and deletion
Data is retained only for active engagements, authorized workflows, security, legal, accounting, and business-continuity purposes. Requests for deletion or correction can be sent to hello@marginshift.tech.
Contact
Security and privacy questions can be sent to hello@marginshift.tech.
Last updated: June 2026