Compliance and certifications
- SOC 2 Type 2: in progress, observation window opens 2026-07-01. Report available under NDA on request.
- GDPR: processor commitments under our Data Processing Addendum, EU SCCs in place for non-EEA transfers.
- India DPDP Act: processor commitments, 14-day internal response target for data principal requests.
- ISO 27001: planned for 2027.
- Penetration test summary letter: available under NDA on request.
Data residency
- Primary processing in the EEA: Wasabi Frankfurt, OVH France.
- US replication is for disaster recovery only (Wasabi us-east-1).
- India operations from our Bengaluru office.
- Full list at mercemur.com/legal/subprocessors.
Encryption
- TLS 1.2 and higher in transit.
- AES-256 at rest.
- Application-level AES-256-GCM for license keys and per-tenant payment credentials.
- Wasabi server-side encryption for object storage.
- Postgres plus LUKS disk encryption at the host layer.
Access control
- MFA enforced on all admin accounts. WebAuthn primary, TOTP fallback, SMS prohibited.
- Per-tenant Row-Level Security enforced at the database layer.
- Role-based access control with a documented access matrix.
- Quarterly access reviews. 24-hour offboarding SLA.
Logging and monitoring
- 24/7 alerting via PagerDuty.
- Immutable audit log tables retained 7 years under Object Lock.
- SIEM detection rules covering cross-tenant access patterns, credential anomalies, and exfiltration heuristics.
- Public status page at status.mercemur.com.
Backup and disaster recovery
- RPO 5 minutes for Tier 1 data. RTO 4 hours.
- Postgres backups every 5 minutes (WAL streaming) plus daily snapshots.
- Wasabi object versioning with Object Lock for audit data.
- Quarterly restore drills. Annual full DR failover.
Sub-processors
The full list, with locations and transfer bases, is published at mercemur.com/legal/subprocessors. You can subscribe to 30-day-advance email notifications for additions or replacements from that page.
Penetration testing
- Annual external penetration test (gray-box, OWASP ASVS Level 2).
- Semi-annual focused test on payment and crypto subsystems.
- Ad-hoc tests on major changes.
- Summary letter available on request under NDA.
Vulnerability disclosure
Coordinated disclosure program at mercemur.com/security/policy. Our security.txt is published per RFC 9116 at /.well-known/security.txt. PGP-encrypted email to support@mercemur.com is preferred. Response SLAs are published on the policy page.
Privacy commitments
- Privacy Policy
- Cookie Policy
- DSAR submissions via support@mercemur.com or the in-app Privacy form.
- 30-day GDPR response target, 14-day DPDP internal target.
Request documentation
The following documents are available on request, most under NDA: SOC 2 Type 2 report (when published), DPA template, security questionnaire response (CAIQ), penetration test summary letter, and architecture overview.
Security FAQ
- Where is my data stored?
- Your account data and your store's operational data are stored primarily in our EEA region (OVH France for compute, Wasabi Frankfurt for object storage). A disaster-recovery replica exists in Wasabi US East. All transfers between regions are governed by EU Standard Contractual Clauses. See mercemur.com/legal/subprocessors for the full list.
- Who can access my data?
- Only a small group of named Mercemur personnel with documented business need. Production access is restricted to Engineering Lead, Senior Engineers, CTO, and Security Lead. Every access event is logged. Quarterly access reviews verify ongoing necessity. We do not contract out admin access to third parties.
- What happens to my data if I leave?
- On account termination you receive a 90-day window to export all data via our Export API. After 90 days, your data is anonymized (PII replaced with hashes) except where legal retention applies (tax records, audit logs under regulatory hold). Wasabi-stored files are deleted.
- How do you handle a breach?
- Our Incident Response Plan defines a 4-phase process: Detect, Contain, Eradicate, Recover. Sev0 customer-data exposure triggers customer notification within 24 hours. GDPR 72-hour regulator notification clock starts at confirmation. Post-mortem within 5 business days for Sev0 and Sev1.
- Do you sell my data?
- No. We never sell merchant or customer data. We never share it with third parties for marketing or advertising purposes. The only sharing is with sub-processors strictly necessary to deliver the service, and only under contractual DPA and SCC terms.
- Are you HIPAA-compliant?
- Not directly. Mercemur is not designed for PHI processing. If a merchant's use case involves health data, we can act as a Business Associate under a separate BAA on request; HIPAA processing requires explicit advance written agreement.
- Are you PCI compliant?
- Mercemur itself is not in PCI DSS scope because we do not store, process, or transmit card numbers. Card data flows directly from your end-customers to Stripe, Razorpay, or Dodo Payments, all of which are PCI DSS Level 1 certified. We never see card numbers, CVV, or expiry.
- How do you train staff?
- Every employee and contractor completes a 60-minute security awareness training plus a 90-minute Mercemur-specific session within Week 1. Annual refresher with quiz; quarterly phishing simulations; engineering staff receive additional role-specific training on RLS, payment integration, crypto, and SSRF.
- Do you do background checks?
- Yes for any role with production access. Pre-employment. Results restricted to HR Lead and Security Lead.
- How is multi-tenancy enforced?
- At the database layer via PostgreSQL Row-Level Security (RLS). Three layers of enforcement: RLS policies on every multi-tenant table, automatic tenant-stamping triggers, and 'triple-guard' hardening on tables exposed to webhook ingress. Cross-tenant queries occur in only three documented places (license validation, billing metering, support admin) and are audited.
- Can I export my data?
- Yes. The admin dashboard provides export tooling for product catalog, customer list, order history, and store configuration. Machine-readable JSON. Includes assistance for portability migrations to alternate providers.
- How often do you rotate encryption keys?
- JWT signing keys: 12 months default, 6 months for high-value. Database passwords: annual. API keys for SaaS providers: annual or on-demand. TLS certificates: 90 days (Let's Encrypt, auto-renewed). License key encryption key: rotated on planned migration with two-officer ceremony.
- Who has access to encryption keys?
- Production keys held by CTO and Security Lead only. The license key encryption key requires both for rotation. The sealed-secrets backup key requires two-officer presence (CTO and CEO). Hardware-backed where possible.
- How do you protect against insider threats?
- Named accounts only (no shared credentials), comprehensive audit logging, segregation of duties where team size allows plus compensating controls where not, quarterly access reviews, mandatory training, anonymous whistleblower channel, and a Code of Conduct with consequences scaling to termination and legal action.
- How can I report a vulnerability?
- Email support@mercemur.com; PGP-encrypted messages are preferred. Public reporting policy at mercemur.com/security/policy. We commit to 24-hour acknowledgment, a coordinated disclosure timeline (90 days default, negotiable), and safe harbor for good-faith research.
- What's your uptime guarantee?
- 99.5% monthly uptime per our SLA. Status page at status.mercemur.com. Service credits per the SLA schedule for missed targets.
- How do you handle data subject access requests?
- Email support@mercemur.com or submit via the in-app Privacy form. 30-day GDPR response target, 14-day DPDP internal target. Identity verification required.
- Are your sub-processors vetted?
- Yes. Six-axis risk scoring (attestations, financial stability, data location, breach history, support SLA, exit plan) at onboarding and annual review. Active sub-processors listed at mercemur.com/legal/subprocessors. We collect annual SOC 2 reports from all critical sub-processors.
- Can I get a copy of your SOC 2 report?
- Yes, on request under NDA. Submit via the documentation request form on this page or email support@mercemur.com.
- How long do you retain my data?
- Account data: lifetime of account plus 90 days. Operational data: lifetime of merchant relationship plus 90 days post-termination, then anonymized. Audit logs: 7 years for legal hold. Backups: 35 days rolling plus 12 months of monthly snapshots.
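As an added illustration of the three enforcement layers described in the multi-tenancy answer above (RLS policies, tenant-stamping triggers, and a third guard on tables that accept external writes), the following PostgreSQL example was written for this page and is not Mercemur's own schema or code. It assumes a single orders table and a per-request session variable named app.tenant_id set by the application after authentication; both names are hypothetical.

```sql
-- Added example, not Mercemur's schema. Assumes the application sets the
-- session variable app.tenant_id (hypothetical name) for each request.
CREATE TABLE orders (
    id          bigserial PRIMARY KEY,
    tenant_id   uuid NOT NULL,
    total_cents integer NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Layer 1: row-level security. FORCE applies the policy to the table owner
-- as well, so a connection using the owning role cannot bypass it. If
-- app.tenant_id is unset, current_setting() raises an error and every
-- query on the table fails closed rather than returning other tenants' rows.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;
ALTER TABLE orders FORCE ROW LEVEL SECURITY;

CREATE POLICY orders_tenant_isolation ON orders
    USING (tenant_id = current_setting('app.tenant_id')::uuid)
    WITH CHECK (tenant_id = current_setting('app.tenant_id')::uuid);

-- Layer 2: tenant-stamping trigger. The stored tenant_id always comes from
-- the session, so application code cannot write a row under another tenant
-- by passing a different value in the INSERT.
CREATE OR REPLACE FUNCTION stamp_tenant_id() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    NEW.tenant_id := current_setting('app.tenant_id')::uuid;
    RETURN NEW;
END;
$$;

CREATE TRIGGER orders_stamp_tenant
    BEFORE INSERT ON orders
    FOR EACH ROW EXECUTE FUNCTION stamp_tenant_id();

-- Layer 3: an independent guard for tables reachable from webhook ingress.
-- Even if a policy were dropped by mistake, a row can never be moved to a
-- different tenant on UPDATE.
CREATE OR REPLACE FUNCTION refuse_tenant_change() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    IF NEW.tenant_id <> OLD.tenant_id THEN
        RAISE EXCEPTION 'tenant_id is immutable (attempted % -> %)',
            OLD.tenant_id, NEW.tenant_id;
    END IF;
    RETURN NEW;
END;
$$;

CREATE TRIGGER orders_refuse_tenant_change
    BEFORE UPDATE ON orders
    FOR EACH ROW EXECUTE FUNCTION refuse_tenant_change();

-- Usage per request. SET LOCAL scopes the tenant to this transaction, so a
-- pooled connection does not carry one tenant's id into the next request.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
-- The INSERT names a different tenant, but the trigger overrides it with
-- the session tenant before the WITH CHECK policy is evaluated.
INSERT INTO orders (tenant_id, total_cents)
VALUES ('22222222-2222-2222-2222-222222222222', 1999);
-- Returns only rows stamped 11111111-...; other tenants' rows are invisible.
SELECT tenant_id, total_cents FROM orders;
COMMIT;
```

Two points worth checking in any deployment of this pattern: the application must connect as an ordinary role, because superusers and roles with BYPASSRLS are not subject to policies at all, and the few documented cross-tenant paths (the answer above names license validation, billing metering and support admin) should run under a separate, audited role rather than by loosening the policy for everyone.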
Security contact
Email support@mercemur.com. PGP key at /.well-known/pgp-key.txt. Response SLAs in our Vulnerability Disclosure Policy.