Current status
Not SOC 2 attested today
Macro by Mark does not have a SOC 2 Type I or Type II report today. No public page should be read as a completed attestation, auditor opinion, or control guarantee.
The current posture is a path-to-attestation: runbooks and control notes are mapped toward common SOC 2 Trust Services Criteria so an engagement can begin when an institutional buyer or commercial requirement justifies it.
Mapped controls
What is documented now
Existing internal runbooks cover DSAR handling, incident response, privileged access review, subprocessors, backup and restore, and procurement review. The public Trust page and Procurement Pack summarize the buyer-facing posture.
Public claims should stay tied to those runbooks, source code, and vendor records. They should not imply an auditor has tested or accepted the controls.
Open gaps
What remains before attestation
Known pre-attestation gaps include:
- Auditor engagement and formal scoping have not started.
- Owner-reviewed evidence logs and durable evidence archives need to be maintained over the audit period.
- Control-owner sign-offs, vendor evidence collection, and change-management records need a repeatable cadence.
- Buyer-specific DPA, MSA, insurance, and questionnaire requests remain review paths, not public guarantees.
Buyer review
How buyers can ask
Security and procurement teams can request the current SOC 2 readiness notes through security@macrobymark.com. Contract-specific requests should go to legal@macrobymark.com.
The current review path does not include a public SOC 2 report, bridge letter, or auditor attestation.
Primary references
Sources that informed the current posture. Included for transparency; this doesn't turn the page into legal advice.