Security & Data Policy | Market Horizon

Security and data-handling policy for Market Horizon AI workforce deployments: data handling, access control, model routing, operational controls, and compliance posture.

Market Horizon handles customer data with the same rigor we apply to our agent infrastructure. This page summarizes the controls in place across data handling, access, model routing, and incident response. A full technical addendum is available under NDA.

Data handling

  • Customer data is processed under a documented data flow for each engagement. No customer data is used to train foundation models.
  • Production data is segregated by tenant. Per-tenant encryption at rest and in transit (TLS 1.3) is the default.
  • Retention is contractually defined. Default agent memory and task logs auto-purge after 90 days unless extended by the customer.
  • PII and regulated data fields are flagged at ingestion and routed only to providers and regions approved by the customer.

Access control

  • Role-based access with least-privilege defaults. Approval queues are mandatory for high-stakes actions (financial write-back, communications to customers of record, irreversible operations).
  • All operator actions, agent decisions, and write-backs are logged to an immutable audit trail.
  • Multi-factor authentication and SSO (SAML / OIDC) are supported and enforced for the operator console.

Model routing & provider posture

  • Frontier-model orchestration routes by task class, cost, and contractual data-residency requirements.
  • Customers can pin specific providers, regions, or self-hosted models per task class.
  • Provider zero-retention modes are enabled where available; outputs containing customer data are not retained by providers for training.

Operational controls

  • Continuous monitoring, anomaly detection, and rate-limit guards on every action plane.
  • Quarterly internal security reviews and annual external penetration testing.
  • Incident response with named on-call, customer notification, and post-incident review aligned with industry norms.

Compliance & documentation

SOC 2 Type II is in progress. GDPR, CCPA, and standard DPA terms are supported. Industry-specific addenda (HIPAA, PCI scope segregation) are available on request. Full security questionnaires and technical documentation are provided under NDA.

For specific technical questions or to request our security packet, email hello@markethorizon.com.