SECURITY
Your data security is our top priority. We implement industry-leading practices to protect your store, customers, and transactions.
COMPLIANCE AND CERTIFICATIONS
SOC 2 Type II: Certified
PCI DSS: Level 1 Compliant
GDPR: Fully Compliant
CCPA: Privacy Compliant
All data is encrypted using AES-256 at rest and TLS 1.3 in transit. Sensitive information is never stored in plain text. Database backups are encrypted and stored in geographically distributed locations.
We maintain PCI DSS Level 1 compliance for payment processing, the highest level of certification. Card data is handled exclusively by certified payment processors. We never store full card numbers on our systems.
Protect your account with 2FA using authenticator apps or SMS verification. Two-factor authentication is required for all admin accounts and recommended for all users.
Your data is automatically backed up daily with point-in-time recovery capabilities. We maintain 30-day retention as standard, with extended retention available for enterprise customers.
Hosted on industry-leading cloud providers with SOC 2 Type II certification and a 99.99% uptime SLA. Our infrastructure spans multiple availability zones to ensure high availability and disaster recovery.
Multi-tenant architecture with strict network isolation between customer environments using VPC segmentation. Each tenant's data is logically separated with row-level security policies.
Enterprise-grade DDoS mitigation protects your store from malicious traffic and attacks 24/7. Traffic is filtered at the edge before reaching your store infrastructure.
Role-based access control (RBAC) and the principle of least privilege are applied across all systems. All administrative actions are fully audit-logged, with logs kept in immutable storage.
24/7 monitoring with comprehensive logging and alerting for security events. Real-time threat detection using industry-standard SIEM tools.
We only collect and retain data necessary for providing our services. No unnecessary tracking or data harvesting. We do not sell your data to third parties.
Export your data anytime in standard formats. Your data belongs to you, and you can take it with you if you leave. We provide CSV, JSON, and API-based export options.
Request complete deletion of your data at any time. We honor all deletion requests within 30 days per GDPR requirements, including removal from all backups.
All third-party vendors undergo rigorous security assessments. We only work with providers who meet our security standards and maintain appropriate compliance certifications.
We conduct regular security audits and penetration testing by independent third parties to identify and address vulnerabilities proactively.
Found a security issue? We appreciate responsible disclosure and work quickly to address any reported vulnerabilities.
security@mercantileos.com
We respond to all security reports within 24 hours.