MAKLOR Security & Trust
How Maklor protects the data of Swiss real estate firms — data residency, encryption, access control, auditability, and the AIREA agentic boundary.
Maklor — Security Whitepaper v1.0 · Sep 2026
Maklor is the operating infrastructure for Swiss real estate. The data it holds — mandates, client relationships, valuations, and financing documents — is among the most sensitive a brokerage manages. This document describes the controls that protect it.
Maklor is operated by Mulklick GmbH, a company registered in the Canton of Zug, Switzerland. The platform is engineered around a single principle: a firm's data belongs exclusively to that firm, is processed under Swiss data-protection law (nFADP), and is never exposed to autonomous action it did not authorise.
This whitepaper covers the Maklor production platform and its supporting infrastructure. It is intended for the security, compliance, and IT leadership of firms evaluating Maklor for enterprise deployment. Specific configuration details and our most recent penetration-test summaries are available under NDA on request.
EU-hosted infrastructure (Stockholm, Sweden) · AES-256 at rest, TLS 1.3 in transit · role-based access with enforced MFA and SSO · tamper-evident audit logging · nFADP (revDSG) aligned · an AI layer that can never send, sign, or speak on a client's behalf.
Maklor does not route your mandates, client relationships, or financial documents through global cloud providers with ambiguous jurisdiction. The platform is hosted in the European Union — at Tier III+ data centres in Stockholm, Sweden. The EEA is recognised by the Swiss Federal Council as providing adequate data protection under the nFADP, so this hosting is fully compliant, and your data is never exposed to US jurisdiction or foreign data-access statutes such as the US CLOUD Act.
| Hosting location | Tier III+ data centres in Stockholm, Sweden (EU/EEA). |
|---|---|
| Cross-border transfer | Data stays within the EU/EEA. No replication to US jurisdiction, and no transfer to countries lacking adequacy under the nFADP. |
| Jurisdiction | Mulklick GmbH (Zug) is the Swiss data controller; processing follows the nFADP (revDSG). EU hosting is covered by the Federal Council's adequacy recognition of the EEA. |
| Swiss residency option | Enterprise clients that require data residency in Switzerland can have their environment provisioned on Swiss soil on request. |
| Tenancy | Logical isolation per firm; each tenant's data is segregated and independently encrypted. |
Infrastructure is deployed across redundant EU availability zones with automated failover. Encrypted backups are taken continuously and tested for restoration on a regular schedule. Our target recovery objectives for the production platform are a recovery point objective (RPO) measured in minutes and a recovery time objective (RTO) measured in hours.
All data is encrypted both in transit and at rest using industry-standard, modern algorithms. Encryption is applied by default and cannot be disabled by users.
| Transport | TLS 1.3 (TLS 1.2 minimum) for all client and service-to-service traffic. |
|---|---|
| Cipher policy | Strong, forward-secret cipher suites only; legacy protocols disabled. |
| Transport security | HSTS enforced; certificates managed and rotated automatically. |
| Algorithm | AES-256 for stored data and backups. |
| Key management | Keys are managed in a dedicated key-management service backed by hardware security modules (HSMs). Key material is never stored alongside the data it protects. |
| Key rotation | Encryption keys are rotated on a defined schedule; envelope encryption isolates per-tenant data keys. |
| Field-level protection | Particularly sensitive fields receive additional application-layer encryption. |
Your firm's data is processed within a closed environment and is never used to train third-party public AI models. Document and content processing happens inside Maklor's controlled boundary.
Access to firm data is governed by the principle of least privilege. Users see only what their role requires, and every privileged action is authenticated, authorised, and logged.
| Model | Role-based access control (RBAC) with granular, firm-configurable roles. |
|---|---|
| Least privilege | Default-deny; access is granted explicitly and reviewed. |
| Internal access | Mulklick personnel have no standing access to tenant data. Any support access is scoped, time-bound, justified, and logged. |
| Offboarding | Centralised provisioning and immediate revocation through your identity provider. |
Administrative, operational, and data-access roles are separated so that no single actor — human or automated — can act unchecked across the platform.
Every meaningful action in Maklor is recorded. Audit logs answer who did what, when, and from where — providing the accountability institutional clients and regulators expect.
| Coverage | Authentication events, data access, configuration changes, exports, and administrative actions. |
|---|---|
| Integrity | Append-only, tamper-evident logs retained for a defined period and protected from modification. |
| Availability | Firm administrators can review and export audit trails relevant to their tenant. |
| Monitoring | Continuous monitoring and alerting on anomalous activity; centralised log aggregation. |
AIREA is Maklor's agentic layer. It prepares the dossier, watches the financing chain, and drafts communications — but its authority is constrained in the architecture, not merely in policy. The boundary is a security control, not a marketing promise.
| nFADP / revDSG | Maklor is engineered for compliance with the revised Swiss Federal Act on Data Protection. |
|---|---|
| Data processing | A Data Processing Agreement (DPA) is available for enterprise clients, defining roles, purposes, and obligations. |
| Sub-processors | A current list of sub-processors is maintained and disclosed to clients; all are bound by equivalent obligations. |
| Data subject rights | Tooling supports access, rectification, and erasure requests in line with nFADP. |
Security questions, vulnerability reports, or a request for our penetration-test summary: security@maklor.ch. For a guided review with our infrastructure team, request a Security Review at maklor.ch/trust.
This document is provided for informational purposes and describes the Maklor platform as of the version date above. It does not form part of any contract and may be updated. Specific commitments are governed by your agreement with Mulklick GmbH.