Marlonica
How it worksPricingContact
Join the waitlist

SECURITY

  1. Workspace isolation
  2. Authentication
  3. Encryption
  4. Live streaming and YouTube
  5. Storage and media delivery
  6. Application hardening
  7. Monitoring and recovery
  8. Report a vulnerability

Practical trust for operator workspaces

The basics, stated plainly: how workspaces are isolated, how you authenticate, how platform tokens and media are protected, and how to report an issue.

Last updated June 4, 2026

01Workspace isolation

Channel worlds, session packages, catalog tracks, and generated assets are scoped to your operator workspace. The API checks your workspace on every request, so one operator’s data is not reachable from another’s.

02Authentication

You sign in with email and password through our authentication layer. Passwords are stored as salted hashes, never in plain text; sessions use secure, signed cookies in production; and we support email verification. Keep your credentials private and remove collaborators who no longer need workspace access.

03Encryption

All traffic runs over HTTPS, with HTTP Strict Transport Security enforced. Sensitive platform credentials — your YouTube OAuth access and refresh tokens and your live-stream keys — are encrypted at rest with authenticated encryption (AES) before they’re written to the database.

04Live streaming and YouTube

Stations stream into your own YouTube channel through a broadcast-scoped connection — it grants live streaming and uploads to the channels you connect, not account access, and can be revoked or rotated at any time. Because each broadcast runs on your own channel, a copyright strike affects only that channel and never pools across other operators.

05Storage and media delivery

Generated media lives in private object storage. Images are served through signed, same-origin URLs; audio, video, and export bundles use short-lived presigned links. Final renders expire automatically about seven days after they’re produced, limiting how long finished media is reachable.

06Application hardening

The app sets strict security headers — Content-Security-Policy, HSTS, X-Frame-Options, content type no-sniff, and referrer and permissions policies — and applies rate limiting on sensitive endpoints and input validation across the API.

07Monitoring and recovery

We monitor the service for errors and availability, and logs are written to avoid storing personal data such as email addresses in plain text. We don’t claim controls or certifications we haven’t actually implemented — automated database and object-storage backups are being established ahead of general availability.

08Report a vulnerability

Email [email protected] with the affected route, workspace context, and enough detail to reproduce the issue without exposing secrets. We investigate good-faith reports and won’t pursue researchers who follow responsible disclosure, avoid privacy violations, and don’t disrupt the service. For how we handle the data behind these protections, see Privacy.

Marlonica

Original background music in your channel's style, streamed live on YouTube 24/7. Every track is yours to keep.

Join the waitlist →

Product

How it worksPricing

Company

Contact

Legal

TermsPrivacyResponsible AISecurity
© 2026 Marlonica, Inc. · Made for people running 24/7 YouTube music streams.