How MARFI Systems collects, uses, and protects your information across all services: Launchpad, Raptor, CyberTrustScore, Secureframe, Meter, and BOOST.
This Privacy Policy describes how MARFI Systems, Inc., a California corporation with offices at 2219 Main Street, Santa Monica, CA 90405 ("MARFI," "we," "us"), collects, uses, discloses, and protects personal information across all MARFI products and services.
This Privacy Policy applies to Clients, Users, Authorized Users, website visitors, and all individuals who interact with MARFI services, whether through Launchpad, Raptor, CyberTrustScore, Secureframe, Meter, BOOST, Professional Services, or marfi.io.
This Privacy Policy is incorporated by reference into the Terms of Service. By using any MARFI service, you agree to the practices described in this Privacy Policy.
MARFI Systems, Inc. is a California corporation operating from 2219 Main Street, Santa Monica, CA 90405. We provide AI-native managed IT and cybersecurity services to organizations across the United States.
This Privacy Policy covers:
This Privacy Policy is incorporated by reference into our Terms of Service. When there is a conflict between this Privacy Policy and the Terms of Service, the Terms of Service govern.
MARFI collects different types of information depending on which products and services you use. This section is organized by collection method and by product for transparency.
Website & Marketing:
Launchpad (Managed IT):
Raptor (Penetration Testing):
CyberTrustScore (Domain Scanner):
MARFI receives information from subprocessor platforms used to deliver services:
CyberTrustScore Public Data: CyberTrustScore scans publicly observable data including DNS records, email authentication headers (DMARC, DKIM, SPF), SSL/TLS certificates, and HTTP security headers. No consent from domain owners is required for this publicly available data.
MARFI uses personal information for the following purposes:
Providing, maintaining, and operating all MARFI services. This includes managing employee identities (Launchpad), monitoring security threats (Launchpad), executing penetration tests (Raptor), scoring domain security (CyberTrustScore), facilitating compliance (Secureframe), managing network infrastructure (Meter), and procuring software licenses (BOOST).
Detecting, investigating, and responding to security threats, incidents, and anomalies. This includes analyzing security event data, correlating threat intelligence, performing incident response, and maintaining SOC operations through CrowdStrike and Arctic Wolf partnerships.
AI Governance
MARFI does NOT train AI models on Client Data.
Sending technical notices, security alerts, support messages, service updates, invoices, and transactional communications necessary for service delivery.
Monitoring service usage patterns, performance metrics, and operational trends using anonymized and aggregated data only. Individual-level analytics are used solely for service delivery and security operations, not for marketing or profiling.
Fulfilling legal obligations, responding to legal process (subpoenas, court orders, government requests), enforcing our Terms of Service, protecting MARFI’s rights and property, and ensuring compliance with applicable laws and regulations.
Processing payments, managing subscriptions, generating invoices, and handling billing disputes. Stripe processes payment transactions for Raptor subscriptions. MARFI does not store credit card numbers.
MARFI does not sell, rent, or trade personal information to third parties. Period.
MARFI shares Client Data with subprocessors solely for service delivery. All subprocessors are contractually required to maintain confidentiality and security.
Named Subprocessors
Complete, current subprocessor list maintained at trust.marfi.io. MARFI provides 30 days’ notice before engaging a new subprocessor. Clients have a 15-day objection window following notice.
MARFI may disclose personal information when required by law, court order, or government request, or to protect the rights, safety, or property of MARFI, Clients, or the public.
Raptor Law Enforcement Disclosure
In the event of suspected misuse, unauthorized scanning, or illegal activity, MARFI may disclose Raptor scan logs, account information, and related data to law enforcement authorities, regulatory bodies, or affected third parties WITHOUT prior notice to Client and WITHOUT Client’s consent.
MARFI retains complete scan activity logs including: target IPs/domains, scan parameters, timestamps, user identity, and results. By using Raptor, Client acknowledges and accepts this disclosure term.
In the event of a merger, acquisition, or asset sale, personal information may be transferred as part of that transaction. MARFI will provide notice before personal information becomes subject to a different privacy policy.
MARFI may share personal information with third parties when you provide explicit consent for a specific purpose.
MARFI’s role in processing personal information depends on the service and context. This section aligns with Terms of Service §8.1.
For Managed Services:
MARFI processes billing and license allocation data as a processor on Client’s behalf. Underlying software vendors are independent controllers for data processed through their platforms.
MARFI is the data controller for information collected through marfi.io, billing.marfi.app, and trust.marfi.io.
MARFI implements comprehensive technical and organizational measures to protect personal information. This section aligns with Terms of Service §10.
Reports & attestations
Aligned (frameworks we map to, not certifications held)
Security documentation, compliance reports, and subprocessor information are available at trust.marfi.io. MARFI’s SOC 2 Type II report is available upon request under NDA.
MARFI retains personal information for different periods depending on the type of data and the service. This section aligns with Terms of Service §8.5, §8.6, §8.7.
Client Data is retained for the duration of the service engagement. Retention periods vary by product and data type based on operational and legal requirements.
Data Return & Deletion Requirements
Raptor:
CyberTrustScore:
Website Analytics:
Aggregated, anonymized. No individual-level retention beyond session duration.
Embedded CyberTrustScore widgets collect anonymized usage analytics:
You can control cookie acceptance through your browser settings. Disabling essential cookies may affect service functionality. MARFI does not sell or share personal information, and MARFI honors recognized universal opt-out preference signals, including the Global Privacy Control (GPC), as well as Do Not Track signals, where technically feasible.
Depending on your location and the services you use, you may have the following rights regarding your personal information:
You have the right to request a copy of your personal information. MARFI will provide data in a structured, machine-readable format (JSON, CSV, or similar). Response time: 30 days (may extend to 45 days for complex requests with notice).
You have the right to request correction of inaccurate or incomplete personal information. MARFI will verify and update records within 30 days of receiving a valid request.
You have the right to request deletion of personal information, subject to:
You have the right to opt out of promotional communications at any time by clicking the "unsubscribe" link in any marketing email or using the contact form. Transactional and security communications (invoices, security alerts, service notices) are not subject to opt-out as they are necessary for service delivery.
Upon termination of Managed Services, Client may request data export in machine-readable formats per Terms §8.5. MARFI will provide data within 30 days of written request.
To exercise any of these rights:
MARFI will verify your identity before processing requests. Verification may require additional information such as email confirmation, account credentials, or government-issued ID.
No fee for the first request in a 12-month period. MARFI may charge a reasonable fee for excessive, repetitive, or manifestly unfounded requests.
Residents of states with comprehensive privacy laws, including California, Virginia, Colorado, Connecticut, Texas, Utah, Oregon, Montana, and other states as their laws take effect, may confirm whether MARFI processes their personal information; access, correct, and delete it; obtain a portable copy; and opt out of targeted advertising, the sale of personal information, and certain profiling. MARFI does not sell personal information and does not process it for targeted advertising.
Appeals. If MARFI declines to act on your request, you may appeal by replying to our decision or by using the contact form at marfi.io. We will respond within the period your state’s law requires (generally 45-60 days). If your appeal is denied, you may contact your state Attorney General.
Notice at collection. The categories of personal information we collect and the purposes for which we use them are described in Sections 3-4 above; this serves as our notice at collection. Sensitive information. MARFI does not collect or use sensitive personal information beyond what is reasonably necessary to provide its services, and does not use it to infer characteristics about you. Retention. Where this Policy does not state a specific period, we retain personal information only as long as needed for the purposes described here, then delete or anonymize it.
California residents have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
California residents may submit requests via:
MARFI will verify your identity before processing requests. Authorized agents may submit requests on your behalf with written authorization from the consumer.
The following table summarizes the categories of personal information MARFI collects, the business purposes, and the categories of third parties with whom it’s shared:
| Category | Business Purpose | Shared With |
|---|---|---|
| Identifiers (name, email, IP) | Service delivery, authentication, support | Subprocessors (see §12) |
| Commercial information (billing, subscriptions) | Payment processing, invoicing | Stripe (payment processor) |
| Internet activity (logs, usage data) | Security monitoring, analytics | Subprocessors (security vendors) |
| Professional information (company, job title) | Account management, service delivery | Subprocessors as needed |
| Geolocation (IP-derived) | Security, rate limiting, compliance | Not shared |
For a complete list of subprocessors and their functions, see trust.marfi.io.
Each MARFI product has unique data handling practices. This section aligns with Terms of Service §21.
Public Database & No Consent Requirement:
Account Registration (Optional):
Widget Analytics:
Domain Owner Removal Requests:
Domain owners may request removal from the CyberTrustScore database using the contact form at marfi.io. Requests processed within 30 business days. Removal does not prevent re-scanning if a third party initiates a new scan. Permanent exclusion requires a separate written agreement with MARFI.
MARFI maintains a complete, current list of subprocessors at trust.marfi.io. The following table summarizes key subprocessors:
| Name | Function | Data Processed | Location |
|---|---|---|---|
| JumpCloud | Identity management | User identities, device data | United States |
| CrowdStrike | EDR, SOC operations | Endpoint telemetry, security events | United States |
| Arctic Wolf | SIEM, SOC monitoring | Security logs, network metadata | United States |
| Avanan / Check Point | Email security | Email metadata, security events | United States |
| Dropsuite | Email backup | Email content, attachments | United States |
| PHIN Security | Security training | User training data, completion status | United States |
| Atera | RMM | Device telemetry, system logs | United States |
| Secureframe | Compliance automation | Compliance evidence, policies | United States |
| Meter | Network infrastructure | Network config, traffic metadata | United States |
| Stripe | Payment processing | Payment details (Raptor) | United States |
| Stack Auth | Authentication | User credentials (Raptor) | United States |
| Anthropic | AI model provider | Inference data, MARFI AI, Raptor AI pipeline, Emergent platform (multi-LLM) | United States |
| OpenAI | AI model provider | Inference data, MARFI AI, Emergent platform (multi-LLM) | United States |
| Cloud & AI services | GCP hosting, Gemini inference, MARFI AI, Emergent platform (multi-LLM) | United States | |
| Microsoft | Cloud infrastructure | Azure services, M365 productivity | United States |
| AWS | Cloud infrastructure | Hosting, storage, compute | United States |
| Cloudflare | CDN, DDoS protection | Web traffic, DNS queries, edge caching | United States |
| Elestio | Cloud hosting | Application hosting, infrastructure | United States |
| Emergent | DevOps & custom solutioning | Development platform, custom solutions | United States |
MARFI services may contain links to third-party websites, applications, or platforms. MARFI is not responsible for the privacy practices of these third parties. We encourage you to review third-party privacy policies before providing information.
MARFI primarily processes data in the United States. Data may be transferred to and processed in jurisdictions where subprocessors operate.
MARFI ensures appropriate safeguards for international transfers, including:
MARFI is a US-based provider and processes personal information in the United States. To the extent MARFI offers services to, or monitors the behavior of, individuals in the EU/EEA such that the GDPR applies, MARFI uses Standard Contractual Clauses (SCCs) approved by the European Commission where required; copies are available upon request using the contact form. MARFI does not target the EU/EEA market, and most users will not be subject to the GDPR.
MARFI does not maintain a formal GDPR Data Protection Officer unless required by law. For GDPR-related inquiries, use the contact form.
MARFI services are not directed to individuals under 13 years of age (or 16 in jurisdictions where applicable, such as the European Economic Area).
MARFI does not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete such information promptly.
If you are a parent or guardian and believe your child has provided personal information to MARFI, please use the contact form immediately.
MARFI may update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or service offerings.
Material changes will be communicated via:
MARFI will provide 30 days’ notice before material changes take effect. Continued use of MARFI services after the notice period constitutes acceptance of the updated Privacy Policy.
For Managed Services Clients: changes that materially affect data processing obligations will be communicated directly to the authorized contact on the Service Order. Client may object to material changes within 15 days of notice. If MARFI cannot accommodate the objection, either party may terminate the Service Order without penalty.
For questions, concerns, or requests regarding this Privacy Policy or MARFI’s data practices, please contact:
Privacy Team
MARFI Systems, Inc.
2219 Main Street, Santa Monica, CA 90405
Trust Center: trust.marfi.io
If you are unsatisfied with MARFI’s response to a privacy concern, you may file a complaint with the relevant data protection authority in your jurisdiction. For California residents, contact the California Attorney General’s Office.