Marylink separates spacesSpaceA workspace by domain or topic where a team publishes, shares and governs its practices., manages rights, tracks versions, and can evolve from European SaaS to a dedicated instance to match your requirements.
What protects your know-how, said plainly. The technical detail for your IT & security teams follows, below.
What's in place today, and what's planned. We don't claim any certification we haven't earned.
European Union (Germany), isolated per client.
TLS 1.3 in transit; encrypted backups at rest.
Your data is never used to train third-party models, and never resold.
By space, role, group and validation step.
Every action logged and versioned, auditable.
Native PDF export, open graph export (ZIP) and MCP access. No proprietary lock-in.
Practice graphPractice GraphThe living architecture that links your practices, concepts, roles and spaces, executable by your teams and by AI.See portability →
Built for the traceability and control required by GDPR and the AI Act.
On the trajectory. Documented, not yet claimed.
Permissions are set per space and per validation step. Every notable change is surfaced and logged.
Our main sub-processors, their role and location. Transfer safeguards are set out in the DPA, provided with the contract. This list may evolve.
Continuous monitoring (HTTP, TLS, certificates) with alerts, encrypted backups and a tested restore drill. High availability target; service status and detailed SLA shared in a review.
No certification we don't have. Precise answers, and the rest on your case.
European infrastructure (servers in Germany), operated by Marylink; no data outside the EU in normal operation. TLS 1.3 in transit, backups encrypted at rest (restic), strict application-level isolation per client.
Models bound by contract, operated in-region (Europe) depending on the plan. Only the context needed for a request is sent to the provider, under their enterprise terms, and never to train third-party models.
Named accounts, strong passwords, granular rights by space, role, group and validation step. SSO/SAML and provisioning are scoped for enterprise — let's cover it in a security review.
Native PDF export and MCP access to your practices from your own systems and agents; a structured graph export (open ZIP: JSON, anonymized CSV and Markdown, GDPR art. 20 compliant) is available. On request: full export, then deletion of data and backups on the schedule agreed in the contract. No lock-in: you leave with your asset.
A documented incident-management procedure, with client notification within the agreed timeframe. Detailed in a security review, with the DPA and sub-processor list provided with the contract.

Most teams start on the European SaaS, shared and kept up to date. Organizations with strong requirements — public sector, healthcare, finance, sensitive mid-market — move to a dedicated instance, an isolated database, then the cloud of their choice or on-premise. The right level isn't imposed: it's framed with your CIO and your CISO.
Always the same product foundation, deployed for you — not a solution recoded for each client. You keep a product that gets updated; you gain the isolation, control of your know-how and branding you need. A 30-day pilot; a dedicated infrastructure if the stakes turn strategic.
Execs, IT leaders, counsel: talk directly with a founder about your trust and compliance requirements.