About

Procurement pack

The single document an institutional buyer can ask for to evaluate Macro by Mark. Trust posture, runbook references, subprocessor list, vulnerability disclosure, and contract paths.

Last reviewed: 2026-05-13.

At a glance

  • Vendor. Mark Jayson Nation, solo founder and operator of Macro by Mark.
  • Headquarters. Las Vegas, Nevada, United States.
  • Primary product. Web platform for macroeconomic indicators, models, and labs.
  • Status. Production soft launch.
  • Primary contact. security@macrobymark.com

Trust posture in one paragraph

The platform runs on Next.js 16 on Vercel, with Supabase Auth + Postgres, Stripe billing, Resend email, Cloudflare Turnstile, and Trigger.dev background jobs. Sign-in supports password, Google OAuth, and first-factor passkeys. MFA is TOTP-based, with scrypt-hashed, single-use recovery codes. AAL2 enforcement, account-keyed sign-in throttling, HIBP breached-password refusal, 30-day rolling sessions with an 8-hour admin re-auth window, server-side log sanitization, and an automated session-events anomaly detector are all live. Row-level security in Postgres is the authorization boundary; service-role usage is restricted to a typed allowlist that a CI test enforces.

Operational runbooks

The five runbooks below are maintained alongside the systems they describe and are available on request to buyers under NDA:

  • DSAR runbook: GDPR Art. 15 / 17 / 20, CCPA, fulfilment SLA, manual flow when self-service is unavailable.
  • Incident response: SEV1-4 matrix, IC role, phases, customer + regulator notification windows, postmortem template.
  • Access review: privileged tiers, quarterly cadence, off-boarding ladder (1h / 4h / 24h / 5d), break-glass.
  • Subprocessors: vendor list with data classes per row, 30-day pre-announce policy on changes.
  • Backup and restore: RPO / RTO targets, PITR, logical-dump fallback status, drill cadence.

Subprocessor list

Active processors: Supabase, Vercel, Upstash Redis, Anthropic, Stripe, Resend, Cloudflare, Google, Trigger.dev, Tiger Cloud / Timescale, Sentry. Material subprocessor changes are emailed to active paid users at least 30 days before they take effect. The full data-class list is maintained on the subprocessor page and summarized on the trust page.

Compliance scope

  • GDPR. In scope for any EEA user. The DSAR runbook covers Art. 15 / 17 / 20.
  • CCPA / CPRA. In scope for California residents. The platform does not sell personal data; opt-out-of-sale is therefore not applicable.
  • SOC 2. Not yet attested. Runbooks are written to the Common Criteria so an attestation engagement can begin once a paying institutional customer requires it.
  • HIPAA / FERPA / GLBA. Not in scope; the platform does not process protected health, education, or financial PII in their regulated senses.

Vulnerability disclosure

Email security@macrobymark.com. Acknowledgement within five business days. No bug bounty today; coordinated disclosure welcome and credited.

In scope: anything in the platform code or configuration affecting confidentiality, integrity, or availability of user data. Out of scope: social-engineering attempts against the operator, denial-of-service tests, automated scanners producing volumetric load.

Contract paths

  • DPA. Review path available on request. Custom redlines considered for institutional engagements.
  • MSA / Order Form. Subscription via Stripe today; annual invoiced contracts can be reviewed for institutional customers.
  • Insurance. Evidence and certificate requests are handled during institutional contract review when required.

What this pack is not

  • Not a SOC 2 report. Path-to-SOC-2 timeline available on request.
  • Not a full control matrix; the runbooks are the source of truth.
  • Not marketing copy. Every claim maps to a code path, a runbook, or a vendor agreement.

See also our trust page, privacy policy, and terms of use.