Mercu is in the process of attaining our SOC II Type 2 certification. We estimate to have obtained our certification by the end of October 2023.
In the meantime, please reach out to support@mercu.com for additional documentation around Mercu’s vendor security and data compliance information.
In the meantime, please reach out to support@mercu.com for additional documentation around Mercu’s vendor security and data compliance information.
Mercu’s platform and all storage and computing capabilities are built on secure, industry-leading Amazon Web Services (AWS) Cloud infrastructure, which includes 24/7 on-site physical security and camera surveillance. For additional details regarding AWS security, visit https://aws.amazon.com/security/.
Data submitted to Mercu by authorised users are considered confidential. All data processed to and from Mercu infrastructure are encrypted with TLS v1.2. All data is encrypted at rest using industry-standard AES-256 encryption algorithms.
Our infrastructure is continually monitored for security vulnerabilities and updates applied automatically.
Data submitted to Mercu by authorised users are considered confidential. All data processed to and from Mercu infrastructure are encrypted with TLS v1.2. All data is encrypted at rest using industry-standard AES-256 encryption algorithms.
Our infrastructure is continually monitored for security vulnerabilities and updates applied automatically.
The following policies and procedures are followed and enforced at Mercu:
- Access Control Policy
- Asset Management Policy
- Business Continuity and Disaster Recovery Plan
- Code of Conduct
- Cryptography Policy
- Data Management Policy
- Human Resource Security Policy
- Incident Response Plan
- Information Security Policy
- Information Security Roles and Responsibilities
- Operations Security Policy
- Physical Security Policy
- Risk Management Policy
- Secure Development Policy
- Third-Party Management Policy
These policies are followed by all Mercu employees and contractors, who review and accept the policies at the commencement of their employment with Mercu.
Mercu uses a number of third-party applications and services to support the delivery of our products to customers and users. Mercu’s security team has established a vendor management program that sets forth the requirements for Mercu to engage with third-party service providers.
Mercu requires all employees and contractors to sign a confidentiality agreement prior to their commencement of employment. As part of Mercu’s onboarding process, all new joiners are required to complete a security awareness training program.
Access to customer data and personally identifiable information (PII) is limited to functions that have a business requirement to do so.
All employees are required to encrypt their hard drives, and all servers and databases are inside of AWS VPC with access controls following the principle of least privilege. All employee access to systems are logged and audited for security purposes.
Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). Mercu has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.
We also maintain separate development, testing and production environments.
All employees are required to encrypt their hard drives, and all servers and databases are inside of AWS VPC with access controls following the principle of least privilege. All employee access to systems are logged and audited for security purposes.
Access to customer data requires authentication and authorization controls, including Multi-Factor Authentication (MFA). Mercu has implemented controls to ensure the integrity and confidentiality of administrative credentials and access mechanisms.
We also maintain separate development, testing and production environments.
