How does dispatch work without Martomato holding customer data?

At send time the dispatch activity reads the recipient row from your warehouse, renders the template against it, posts to the channel provider, and writes only the hashed identifier and provider message ID into dispatch records. PII transit is provider-to-recipient; the gateway doesn't intercept the body.

Procurement will ask: Where does our customer data sit?

In your warehouse.
Full stop.

Q: What channels work today?

Transactional email via SendGrid, and outbound webhooks with Stripe-style HMAC signatures. SMS and mobile push are scoped for the post-beta window.

Q: Is the source open?

Not at the moment. Specific surfaces (the SQL compiler, the sandbox, the browser SDK) may open under a permissive licence once the architecture settles — the parts that benefit from inspection by security teams. The orchestrator stays closed.

Martomato is warehouse-native marketing automation. Segments compile to parameterized SQL and run inside your own BigQuery; we keep journey logic, schedules, and hashed pointers — nothing identifying. No copy-in like the engagement suites. No PII fan-out like the sync layers.

Request early access See the boundary Private development · Public beta Q4 2026

01 The data path

One boundary. Nothing identifying crosses it.

Engagement suites make you copy customer data in. Sync layers push it back out to every destination tool. Martomato queries it in place and dispatches natively — the perimeter holds.

Your GCP project

BigQuery PII at rest — names, emails, events. Never extracted, never mirrored.

SELECT user_id FROM profiles
WHERE ltv_cents >= @min_ltv
— segments run here, as parameterized SQL

What crosses out: hashed pointers, aggregate counts, provider message IDs. Nothing identifying.

Martomato gateway

Orchestration state Journey definitions, schedules, retries, audit log.

Hashed pointers only sha256 identifiers. A breach here exposes no customer data.

Channels

Email · Webhooks Rendered at send time from the warehouse row — provider to recipient, not through us.

At send time, the dispatch activity reads the recipient row from your warehouse, renders the template, and posts to the provider. The gateway never stores the body.

02 Journey canvas

Journeys compile to durable workflows

Typed nodes, validation before publish, honest time projections — a canvas your growth engineers will actually respect. Every branch below is a real node type from the product, colour and shape included.

Entrysigned_up event

Wait3 days

Conditionopened welcome?

Emailactivation nudge

Goalcompleted_setup

WebhookHMAC-signed

Exitjourney complete

yes else

Entry Wait Condition Action Channel Webhook Data Goal Exit

03 Capabilities

The whole engagement toolkit, downstream of your warehouse

03.1

Journey canvas

Triggers, waits, conditions, A/B variants, webhooks — BPMN-flavoured nodes that compile to durable workflows with retries and idempotency.

03.2

Segment builder

Filters compile to parameterized SQL and dry-run inside your BigQuery — audience size and scan cost before you commit.

03.3

Liquid templates

Live preview against real warehouse rows. Variables resolve at send time, in your project — the gateway never stores a rendered body.

03.4

Consent-gated SDK

3 KB, zero dependencies. Pre-consent events queue or drop — your choice, enforced client-side. Honors Global Privacy Control.

03.5

Frequency caps & quiet hours

Per-channel caps and quiet windows enforced at orchestration time. Webhooks exempt, by design.

03.6

Control groups & audit log

Holdouts on any journey; per-profile event timeline; every read and dispatch queryable per workspace.

04 Developers

A tracker your security review will actually read

One script tag, first-party endpoint, consent resolved before anything leaves the browser. The whole SDK is small enough to audit over coffee.

install — any pagem.js · 3 KB

<!-- Drop on any page; events stream into your raw_events table -->
<script async src="https://app.martomato.dev/m.js"
        data-write-key="mtp_wk_••••••••"
        data-endpoint="https://app.martomato.dev/api/v1/collect"></script>

SDK summary

Weight3 KB · zero dependencies

Pre-consent eventsqueue or drop — your call

Global Privacy Controlhonored

Transportfirst-party POST /collect

Identifiershashed before storage

GA4 / GTMdataLayer bridge — no re-instrumentation

05 Security & compliance

Answers for the vendor questionnaire, in advance

05.1

Zero-copy by architecture

PII residency isn't a policy promise — the gateway has no tables that could hold customer data. GDPR and CCPA exposure shrinks to your own warehouse perimeter.

05.2

Crypto-shred right-to-be-forgotten

The erasure endpoint shreds the per-profile key, rendering warehouse-side encrypted columns unreadable. Deletion is provable, not best-effort.

05.3

Signed webhooks

Outbound webhooks carry Stripe-style HMAC signatures (t=<ts>,v1=<hex>), replay-safe by construction.

05.4

Audit log, per workspace

Every read and every dispatch is recorded and queryable. Your DPO can answer "who touched what" without filing a ticket.

05.5

GCP-native deploy

Runs in your cloud, under your IAM. The warehouse connection uses a service account you mint and can revoke.

05.6

SOC 2 — honest status

Type I work has started. Type II is on the 2027 roadmap. We will not claim a report we don't hold.

06 Roadmap

Coarse on purpose

We move the milestones to match the design partners — not the other way around.

Now

Private development

Architecture stabilising, security pass landing. Small set of design partners in flight.
Q3 2026

Design-partner cohort opens

Limited seats. Hands-on onboarding and a direct line to the build team. Pricing negotiated case-by-case.
Q4 2026

Public beta on GCP Marketplace

Self-serve install into your own GCP project. Per-seat pricing live. Email + webhook channels production-ready.
2027

GA + warehouse adapters

Snowflake and Postgres warehouse support, SMS and mobile push channels, SOC 2 Type II report.

07 FAQ

Honest answers

What does "warehouse-native" actually mean in practice?

Audience definitions compile to parameterized SQL and execute against your BigQuery project (Snowflake / Postgres coming). Martomato stores hashed pointers (a sha256 of the identifier) plus orchestration metadata — never the raw PII column.

How does dispatch work without you holding our customer data?

At send time the dispatch activity reads the recipient row from your warehouse, renders the template against it, posts to the channel provider (SendGrid for email today), and writes only the hashed identifier and provider message ID into our dispatch records. PII transit is provider-to-recipient; the gateway doesn't intercept the body.

What's the compliance posture?

GDPR and CCPA are addressed by architecture — the right-to-be-forgotten endpoint crypto-shreds the per-profile key, rendering warehouse-side encrypted columns unreadable. SOC 2 Type I work has started; Type II is on the 2027 roadmap. Audit log is queryable per workspace.

What channels work today?

Transactional email via SendGrid. Outbound webhooks with Stripe-style HMAC signatures (t=<ts>,v1=<hex> scheme, replay-safe). SMS and mobile push are scoped for the post-beta window.

How will pricing work?

Per-seat once the GCP Marketplace listing is live, billed through your existing GCP invoice. Design partners receive grandfathered terms. There is no freemium tier planned — this is enterprise-segment tooling.

Is the source open?

Not at the moment. We may open specific surfaces (the SQL compiler, the sandbox, the browser SDK) under a permissive licence once the architecture settles — the parts that benefit from being inspected by your security team. The orchestrator stays closed.

When they ask where does our customer data sit? —

Now you have a one-word answer.

We're building Martomato quietly with a small set of design partners. If your team answers to a DPIA, a SOC 2 auditor, or a customer's procurement gate, we'd like to hear from you.

hello@martomato.com Design-partner cohort opens Q3 2026

In your warehouse.Full stop.