
GLBA Compliance Statement

Margie — Pre-Underwriting Analysis Platform

Effective Date: March 22, 2026

Last Updated: March 22, 2026


1. Purpose and Scope

This GLBA Compliance Statement describes how Margie (“we,” “us,” “our”), operating the pre-underwriting analysis platform at getmargie.com (the “Platform”), complies with the Gramm-Leach-Bliley Act (“GLBA”), 15 U.S.C. §§ 6801–6809, and its implementing regulations, including the FTC Safeguards Rule (16 C.F.R. Part 314) as amended.

Margie operates as a service provider to licensed Illinois mortgage brokers. In this capacity, we receive, process, and store nonpublic personal information (“NPI”) of mortgage loan applicants (borrowers) on behalf of our broker clients. This statement documents our information security program, safeguards, and compliance measures.


2. GLBA Applicability to Margie

2.1 Regulatory Framework

The GLBA requires financial institutions to protect the security and confidentiality of customers' NPI. While Margie is not itself a financial institution, we process NPI on behalf of financial institutions (licensed mortgage brokers) and therefore maintain safeguards consistent with the GLBA's requirements.

Under the FTC Safeguards Rule (as amended effective June 9, 2023), financial institutions must oversee their service providers: take reasonable steps to select providers capable of maintaining appropriate safeguards, require those safeguards by contract, and periodically assess the providers (16 C.F.R. § 314.4(f)). The Rule therefore reaches Margie indirectly, through the obligations it places on our broker clients, who must ensure that their service providers maintain adequate protections. This statement documents how we meet those obligations.

2.2 Categories of NPI Processed

The Platform processes the following categories of NPI contained in borrower documents:

  • Identifying information: Names, addresses, dates of birth, Social Security numbers
  • Employment information: Employer names, addresses, positions, income, and employment history
  • Financial account information: Bank account numbers, account balances, transaction histories
  • Tax information: W-2 wage and tax data, withholding amounts
  • Credit and loan information: Loan application details, asset and liability disclosures, property information
  • Other 1003 application data: Demographic information, housing history, declarations

3. Information Security Program

Margie maintains a written information security program designed to protect the confidentiality, integrity, and availability of NPI. The program addresses the following elements as required by the FTC Safeguards Rule.

3.1 Designated Qualified Individual

In accordance with 16 C.F.R. § 314.4(a), Margie has designated a qualified individual responsible for overseeing, implementing, and enforcing the information security program. As a pre-revenue startup, Margie's founder currently serves in this capacity. As the company scales, this responsibility will transition to a dedicated security professional. The designated individual conducts periodic reviews of the security program and documents material security events.

3.2 Risk Assessment

We conduct and document periodic risk assessments that identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of NPI, and assess the sufficiency of existing safeguards to control those risks. Risk assessments are updated at least annually and whenever material changes are made to the Platform's architecture or third-party service providers.

3.3 Safeguard Design and Implementation

Based on our risk assessments, we have designed and implemented the safeguards described in this statement. These safeguards address the identified risks and are regularly tested and monitored for effectiveness.


4. Technical Safeguards

4.1 In-Memory Processing Architecture

Margie's most significant technical safeguard is its in-memory-only document processing architecture:

  • No persistent document storage. Borrower documents uploaded to the Platform are processed entirely in volatile memory (RAM). At no point during the analysis pipeline are original documents or raw document images written to disk, local file storage, cloud object storage, or any persistent medium.
  • Automatic purging. When document processing completes, or fails, the memory allocated to the document data is released. Once released, the data is no longer accessible through the Platform. Deallocation does not by itself overwrite memory, so the remaining exposure window is the lifetime of the process's memory, not that of any storage medium.
  • Reduced attack surface. Because Margie never persists original documents, exposure from database breaches, stolen backups, compromised storage accounts, or physical media theft does not apply to the document layer. Documents exist only in process memory, in transit over encrypted channels, and during the transient processing performed by the third-party providers described in Section 5.3.
  • Results separation. Only structured analysis results — containing derived analytical findings, not reproductions of the original documents — are written to persistent storage (Firebase Firestore).

This architecture means that even in the event of a full database compromise, an attacker would not obtain original borrower documents, only derived analysis results. Those results still contain NPI (for example, income figures and employment details extracted from the documents), so they are protected by the encryption, access control, and retention safeguards described below rather than treated as non-sensitive.
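The following is an added example, not Margie's production pipeline, of the in-memory handling described above in Node.js. It takes ownership of an uploaded buffer, runs an analysis step over it, returns only derived fields, and zero-fills the buffer whether the step succeeds or throws. The `extractFields` function and the plain-text sample upload are stand-ins for the OCR and analysis stage, which in the real pipeline sends the bytes to the providers over TLS rather than parsing them locally.

```javascript
// Added example (not Margie's production code): handling an uploaded borrower
// document entirely in memory and overwriting it when processing ends.
// `extractFields` stands in for the OCR/LLM stage.

// Pulls the value after "<label>:" on one line of a plain-text document.
// Works directly on the Buffer so that only the small extracted value is
// copied into a JavaScript string (strings are immutable and cannot be zeroed).
function fieldAfter(buf, label) {
  const start = buf.indexOf(label + ':');
  if (start < 0) return null;
  let end = buf.indexOf('\n', start);
  if (end < 0) end = buf.length;
  return buf.toString('utf8', start + label.length + 1, end).trim();
}

// Produces a derived result: findings needed for pre-underwriting, never a
// copy of the document. The result still carries NPI (income, employer), so
// it must be stored and access-controlled accordingly.
function extractFields(buf) {
  const ssn = fieldAfter(buf, 'SSN') || '';
  return {
    employer: fieldAfter(buf, 'Employer'),
    monthlyIncome: Number(fieldAfter(buf, 'MonthlyIncome')),
    ssnLast4: ssn.slice(-4), // enough to match against the 1003; the full SSN is not kept
  };
}

// Takes ownership of `buf`, runs `analyze` over it and zero-fills it whether
// analysis succeeds or throws. Freeing a buffer does not erase its contents,
// and Buffer.allocUnsafe may later hand the same bytes to other code, so the
// overwrite is explicit rather than left to the garbage collector.
// Nothing in this path touches `fs` or any storage SDK.
function withEphemeralDocument(buf, analyze) {
  if (!Buffer.isBuffer(buf)) throw new TypeError('expected a Buffer');
  try {
    return analyze(buf);
  } finally {
    buf.fill(0);
  }
}

// Constructed sample upload (hypothetical borrower data) used to exercise the
// functions above.
function sampleUpload() {
  return Buffer.from('Employer: Acme Corp\nMonthlyIncome: 6250\nSSN: 123-45-6789\n');
}

// Returns true when every byte of `buf` has been overwritten.
function isZeroed(buf) {
  return buf.every((b) => b === 0);
}
```

Two caveats the code makes visible: the short strings returned by `fieldAfter` are copies whose lifetime is controlled by the garbage collector, so parsing should read as little as possible into strings; and zeroing the process's own buffer does nothing about copies held transiently by the OCR and model providers, or about swap and crash dumps on the host, which is why the retention commitments in Section 5.3 matter as much as the in-memory design.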

4.2 Encryption

  • In transit: All data transmitted between users' browsers, Margie's servers, and third-party services is encrypted using TLS 1.2 or higher with strong cipher suites.
  • At rest: Analysis results stored in Firebase Firestore are encrypted at rest using AES-256 encryption managed by Google Cloud's encryption infrastructure.
  • Third-party transmission: Data sent to Azure Document Intelligence, Anthropic Claude, and Google Gemini is transmitted exclusively over encrypted channels.

4.3 Access Controls

  • Authentication: User authentication is managed through Firebase Authentication, supporting secure password policies and, where available, multi-factor authentication.
  • Role-based access: Access to production infrastructure, databases, and third-party service configurations is restricted to authorized personnel on a least-privilege basis.
  • User data isolation: Each broker's analysis results are stored under user-scoped document paths in Firebase Firestore, and Firestore security rules permit reads and writes only by the authenticated user whose ID appears in the path, so brokers cannot access other brokers' data.
  • API key management: Third-party API keys and credentials are stored using environment-level secrets management, not in source code or application configuration files.

4.4 Rate Limiting and Abuse Prevention

Rate limiting backed by Upstash Redis is enforced on API endpoints and user actions to prevent brute-force attacks, credential stuffing, and platform abuse. Rate limits are configured to permit normal business use while blocking automated attack patterns.
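As an added example, not Margie's code, the following shows the shape of limiter the paragraph above describes: a sliding-window limiter keyed separately by client IP and by target account, so that both a single IP hammering many accounts and a credential-stuffing run that spreads one account across many IPs are refused. An in-memory Map stands in for Redis so the example runs offline; the limits (5 per minute per IP, 10 per 15 minutes per account), key names and the `makeLoginGuard` helper are illustrative choices, not the Platform's configuration.

```javascript
// Added example (not Margie's code): sliding-window rate limiting keyed by IP
// and by account. A Map replaces Redis here; in production the read-filter-
// append sequence in `hit` must be atomic (MULTI/EXEC or a Lua script, which
// the Upstash rate-limit library handles) or concurrent requests can exceed
// the limit.

class SlidingWindowLimiter {
  // `now` is injectable so tests can move the clock deterministically.
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.store = new Map(); // key -> timestamps of attempts inside the window
  }

  // Records one attempt against `key` and reports whether it is allowed.
  // Memory per key is bounded by `limit` because old timestamps are dropped.
  hit(key) {
    const t = this.now();
    const live = (this.store.get(key) || []).filter((ts) => ts > t - this.windowMs);
    if (live.length >= this.limit) {
      this.store.set(key, live);
      return { allowed: false, retryAfterMs: live[0] + this.windowMs - t };
    }
    live.push(t);
    this.store.set(key, live);
    return { allowed: true, remaining: this.limit - live.length };
  }
}

// Login guard (illustrative limits). Both limiters are consulted on every
// attempt; an attempt refused by one still counts against the other, the
// conservative choice for an authentication endpoint.
function makeLoginGuard({ now } = {}) {
  const perIp = new SlidingWindowLimiter({ limit: 5, windowMs: 60_000, now });
  const perAccount = new SlidingWindowLimiter({ limit: 10, windowMs: 15 * 60_000, now });
  return function check({ ip, email }) {
    // Normalise the account key so case variations do not split the counter.
    const account = email.trim().toLowerCase();
    const a = perIp.hit(`login:ip:${ip}`);
    const b = perAccount.hit(`login:acct:${account}`);
    if (a.allowed && b.allowed) return { allowed: true };
    const retryAfterMs = Math.max(a.retryAfterMs || 0, b.retryAfterMs || 0);
    return { allowed: false, retryAfterMs };
  };
}
```

A practical consequence of charging the account counter even when the IP counter refuses is that an attacker can lock a victim account out for the window; a deployment that cares about that should answer refused attempts with a generic error and a `Retry-After` header rather than revealing which limit fired.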

4.5 Monitoring and Logging

  • Error monitoring: Sentry provides real-time error tracking and alerting. Sentry is configured to exclude borrower NPI from error payloads through data scrubbing rules.
  • Audit logging: The Platform maintains logs of user authentication events, file processing requests, and administrative actions.
  • Anomaly detection: We monitor for unusual patterns in authentication attempts, file processing volume, and API usage that may indicate unauthorized access or abuse.
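The scrubbing described above can be enforced in the application before an event ever leaves the process. The block below is an added example, not Margie's actual Sentry configuration: a `beforeSend` hook of the kind the Sentry JavaScript SDK accepts in `Sentry.init()` (the SDK calls `beforeSend(event, hint)` for each event and drops the event if the hook returns `null`). The redaction rules, the key list and the sample event are assumptions made for the example.

```javascript
// Added example (not Margie's configuration): a Sentry `beforeSend` hook that
// redacts NPI from an event before the SDK transmits it.

// Value patterns that indicate NPI. Order matters: dashed SSNs and dates are
// replaced before the bare-digit rules so they are labelled precisely.
const VALUE_RULES = [
  [/\b\d{3}-\d{2}-\d{4}\b/g, '[SSN]'],
  [/\b\d{1,2}\/\d{1,2}\/\d{2,4}\b/g, '[DATE]'], // dates of birth
  [/\b\d{9}\b/g, '[SSN_OR_ACCT]'],               // undashed SSN or 9-digit account
  [/\b\d{10,17}\b/g, '[ACCOUNT]'],               // bank/loan numbers (also eats phone numbers; acceptable)
  [/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g, '[EMAIL]'],
];

// Keys whose values are dropped outright regardless of content. Names and
// street addresses cannot be recognised by pattern, so they are handled by
// key (and by never putting them in log messages in the first place).
const DROP_KEYS = new Set([
  'ssn', 'dob', 'dateofbirth', 'accountnumber', 'routingnumber',
  'borrowername', 'address', 'documenttext', 'rawdocument',
]);

function scrubString(s) {
  return VALUE_RULES.reduce((acc, [re, label]) => acc.replace(re, label), s);
}

// Walks the event recursively. Integers of nine or more digits are redacted
// because an SSN or account number stored as a number would otherwise bypass
// the string rules.
function scrubValue(value, depth = 0) {
  if (depth > 32) return '[TRUNCATED]';
  if (typeof value === 'string') return scrubString(value);
  if (typeof value === 'number') {
    return Number.isInteger(value) && Math.abs(value) >= 1e8 ? '[REDACTED_NUMBER]' : value;
  }
  if (Array.isArray(value)) return value.map((v) => scrubValue(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = DROP_KEYS.has(k.toLowerCase()) ? '[REDACTED]' : scrubValue(v, depth + 1);
    }
    return out;
  }
  return value; // booleans, null, undefined
}

// The hook handed to Sentry.init({ beforeSend }). Returning the scrubbed copy
// sends it; returning null would drop the event entirely.
function beforeSend(event /*, hint */) {
  return scrubValue(event);
}

// Constructed event (hypothetical data) resembling what the SDK would build
// from a failed document parse.
function sampleEvent() {
  return {
    message: 'Parse failed for SSN 123-45-6789 acct 000123456789 dob 04/12/1981',
    user: { id: 'broker_42', email: 'broker@example.com' },
    extra: { ssn: '123-45-6789', monthlyIncome: 6250, accountNumber: 123456789012, pages: 3 },
    breadcrumbs: [{ category: 'upload', message: 'W2.pdf for jane.q.public@example.com' }],
  };
}
```

Sentry also offers server-side data scrubbing in the project settings; the in-process hook is the layer that guarantees the NPI never crosses the wire, so the two are complementary rather than alternatives. Pattern rules over-match (any ten-digit number becomes `[ACCOUNT]`), which is the right failure direction for error telemetry.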

5. Third-Party Service Provider Oversight

5.1 Due Diligence

Before engaging any third-party service provider that will process NPI, we evaluate the provider's security practices, certifications, and compliance posture. We prioritize providers that maintain recognized security certifications (such as SOC 2 Type II, ISO 27001, or FedRAMP authorization).

5.2 Contractual Safeguards

We maintain data processing agreements or equivalent contractual arrangements with each third-party provider that processes NPI. These agreements require the provider to:

  • Implement and maintain appropriate safeguards for NPI
  • Use NPI only for the purposes of providing services to Margie
  • Not retain NPI beyond the duration required to fulfill the processing request
  • Notify Margie of any security incidents that may affect NPI
  • Permit reasonable security assessments or provide evidence of compliance

5.3 Provider-Specific Safeguards

Azure Document Intelligence (Microsoft): Documents are transmitted to Azure for OCR processing over encrypted channels. Azure processes documents in real time and does not retain document content after the processing request is fulfilled. Microsoft maintains SOC 2 Type II compliance and operates under their enterprise data protection commitments.

Anthropic Claude: Extracted document data is transmitted to Anthropic for narrative analysis. Under Anthropic's Commercial Terms of Service, data submitted through the API is contractually prohibited from being used for model training. Anthropic's standard commercial terms include an absolute prohibition: “Anthropic may not train models on Customer Content from Services.” Data may be retained for up to 7 days for service delivery and automated safety monitoring. Anthropic maintains SOC 2 Type II compliance.

Google Gemini: Extracted document data is transmitted to Google for automated field population. Under Google Cloud's Service Specific Terms, customer data processed through paid API services is contractually prohibited from being used for model training. This protection applies automatically when accessing the Gemini API through a Cloud Project with an active billing account. Data may be temporarily retained for automated abuse monitoring. Google maintains SOC 2 Type II compliance, ISO 27001 certification, and FedRAMP authorization.

Google Firebase (Firestore & Authentication): Analysis results and user authentication data are stored in Firebase, which is part of Google Cloud Platform. Firebase Firestore provides encryption at rest and in transit, access control through security rules, and data isolation. Google Cloud maintains SOC 2 Type II compliance, ISO 27001 certification, and FedRAMP authorization.

Stripe: Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Margie does not store full payment card numbers. Stripe processes billing data in accordance with PCI DSS requirements.

Upstash Redis: Upstash processes rate-limiting metadata (user identifiers and request counts), not borrower NPI. Upstash maintains SOC 2 Type II compliance.

Sentry: Sentry receives error logs and technical metadata for application monitoring. Our Sentry integration is configured with data scrubbing rules to prevent borrower NPI from being included in error reports.


6. Incident Response

6.1 Incident Response Plan

Margie maintains an incident response plan for detecting, responding to, and recovering from security events that may compromise NPI. The plan includes:

  • Detection and classification: Procedures for identifying and classifying security incidents by severity
  • Containment: Immediate steps to contain the scope of an incident and prevent further exposure
  • Investigation: Procedures for determining the cause, scope, and impact of an incident
  • Notification: Protocols for notifying affected broker clients, borrowers (where required), and regulators in accordance with applicable breach notification laws, including the Illinois Personal Information Protection Act (815 ILCS 530)
  • Remediation: Steps to address the root cause and prevent recurrence
  • Documentation: Requirements for documenting incidents and response actions

6.2 Notification Obligations

In the event of a security incident involving unauthorized access to NPI, we will:

  • Notify affected broker clients without unreasonable delay
  • Cooperate with broker clients in their own notification and regulatory reporting obligations
  • Comply with the Illinois Personal Information Protection Act's breach notification requirements, which require notification to affected Illinois residents in the most expedient time possible and without unreasonable delay
  • Notify the Illinois Attorney General if the breach affects more than 500 Illinois residents

7. Data Minimization and Retention

7.1 Data Minimization

Consistent with the GLBA's principles and the FTC Safeguards Rule, we minimize the collection and retention of NPI:

  • Document layer: Original borrower documents are not retained. They are processed in memory only and automatically purged upon completion.
  • Results layer: Only structured analysis results necessary for the service are stored. These results contain derived findings, not full reproductions of original documents.
  • Operational data: Technical and usage data collected for operational purposes is limited to what is necessary for security, performance monitoring, and billing.

7.2 Retention Schedule

Data Category               | Retention Period                                          | Storage Location
Original borrower documents | Not retained (in-memory processing only)                  | Volatile memory (purged on completion)
Structured analysis results | Duration of account + 30 days post-termination            | Firebase Firestore (encrypted at rest)
User account information    | Duration of account + as required for legal/tax purposes  | Firebase Firestore (encrypted at rest)
Authentication logs         | 12 months                                                 | Application logging infrastructure
Payment records             | As required by tax and financial recordkeeping laws       | Stripe (PCI DSS compliant)
Error logs (Sentry)         | 90 days                                                   | Sentry (NPI excluded via data scrubbing)

7.3 Disposal

When NPI is no longer needed, it is disposed of securely:

  • In-memory data: Automatically purged through memory deallocation upon processing completion
  • Firestore data: Deleted through Firebase's secure deletion mechanisms, which mark data for deletion and overwrite it during the storage system's normal operations
  • Logs and metadata: Automatically expired based on configured retention periods

8. Employee Training and Access

8.1 Personnel Security

Margie currently operates as a solo-founded startup. System access to production infrastructure, databases, and third-party service configurations is limited exclusively to the founder. All production access uses multi-factor authentication and follows the principle of least privilege.

8.2 Personnel Requirements

As the team grows, all personnel granted access to systems that process or store NPI will be required to:

  • Complete security awareness training upon onboarding and annually thereafter
  • Acknowledge and comply with Margie's information security policies
  • Use multi-factor authentication for access to production systems
  • Follow the principle of least privilege for system access
  • Submit to appropriate background checks, to the extent permitted by applicable law

9. Program Evaluation and Reporting

9.1 Ongoing Monitoring

The information security program is subject to continuous monitoring, including:

  • Regular review of access logs and authentication events
  • Monitoring of third-party provider security posture and incident disclosures
  • Testing of technical safeguards, including encryption, access controls, and data isolation
  • Review of the in-memory processing architecture to confirm documents are not inadvertently persisted

9.2 Annual Review

The information security program is reviewed at least annually, and updated as necessary to address:

  • Changes in the Platform's technology architecture
  • New or evolving threats to NPI
  • Changes in applicable laws, regulations, or regulatory guidance
  • Findings from risk assessments, audits, or security incidents
  • Changes in third-party service providers or their security posture

9.3 Reporting

The designated qualified individual provides a written report to Margie's leadership at least annually, covering:

  • The overall status of the information security program
  • Material security events and incidents during the reporting period
  • Results of risk assessments and testing
  • Recommendations for program improvements

10. Cooperation with Broker Clients

10.1 Due Diligence Support

We recognize that our broker clients have their own GLBA compliance obligations, including oversight of their service providers. We will cooperate with reasonable due diligence requests from broker clients, including:

  • Providing documentation of our security practices and safeguards
  • Responding to security questionnaires
  • Providing evidence of third-party security certifications where available
  • Making this GLBA Compliance Statement available for review by brokers and their regulators

10.2 Regulatory Cooperation

In the event of a regulatory examination or inquiry concerning a broker client's use of Margie, we will cooperate with the broker and their regulator to the extent required by law, including providing information about our data processing practices and safeguards.


11. Regulatory References

This compliance statement is informed by and designed to satisfy the requirements of:

  • Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801–6809
  • FTC Safeguards Rule, 16 C.F.R. Part 314 (as amended effective June 9, 2023)
  • FTC Privacy Rule, 16 C.F.R. Part 313
  • Illinois Personal Information Protection Act, 815 ILCS 530
  • Illinois Residential Mortgage License Act, 205 ILCS 635

12. Contact Information

For questions regarding this GLBA Compliance Statement or Margie's information security program, contact:

Margie
Email: contact@getmargie.com
Website: getmargie.com

