Mercu is a SOC II Type 2 certified organisation. This means that our services, systems and practices are at the level of, and above, the industry standard.
For a copy of our SOC II report, please reach out to support@mercu.com or speak to one of our founders.
For a copy of both our SOC 2 Type 2 report and our latest grey-box pen-test, please reach out to security@mercu.com.
Data submitted to Mercu by authorised users is considered confidential. All data transmitted to and from Mercu infrastructure is encrypted with TLS v1.2. All data is encrypted at rest using industry-standard AES-256 encryption algorithms.
Our infrastructure is continually monitored for security vulnerabilities, and updates are applied automatically.
Mercu’s platform and all storage and computing capabilities are built on secure, industry-leading Amazon Web Services (AWS) Cloud infrastructure, which includes 24/7 on-site physical security and camera surveillance. For additional details regarding AWS security, visit https://aws.amazon.com/security/.
The following policies and procedures are followed and enforced at Mercu:
- Access Control Policy
- Asset Management Policy
- Business Continuity and Disaster Recovery Plan
- Code of Conduct
- Cryptography Policy
- Data Management Policy
- Human Resource Security Policy
- Incident Response Plan
- Information Security Policy
- Information Security Roles and Responsibilities
- Operations Security Policy
- Physical Security Policy
- Risk Management Policy
- Secure Development Policy
- Third-Party Management Policy
These policies are followed by all Mercu employees and contractors, who review and accept the policies at the commencement of their employment with Mercu.
For a copy of these policies, please reach out to support@mercu.com.
Mercu uses a number of third-party applications and services to support the delivery of our products to customers and users. Mercu’s security team has established a vendor management program that sets forth the requirements for Mercu to engage with third-party service providers.
Mercu requires all employees and contractors to sign a confidentiality agreement prior to their commencement of employment.
As part of Mercu’s onboarding process, all new joiners are required to complete a security awareness training program.
Access to customer data and personally identifiable information (PII) is limited to functions that have a business requirement for that access.
All employees are required to encrypt their hard drives, and all servers and databases are inside an AWS VPC with access controls following the principle of least privilege. All employee access to systems is logged and audited for security purposes.
Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). Mercu has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.
We also maintain separate development, testing and production environments.