Data Protection & Security

Security Policy

Mercato Agency is committed to maintaining the highest standards of security and data protection for all information it processes. This Security Policy outlines our comprehensive practices for protecting data against unauthorized access, disclosure, alteration, and loss.

Last Updated: January 2025
Global Compliance
ISO 27001 Aligned

Security Overview

This Security Policy applies to all Mercato employees, contractors, systems, and operations worldwide. We maintain documented policies and procedures aligned with international best practices.

Standards Compliance

  • ISO/IEC 27001 Framework
  • NIST Cybersecurity Framework
  • GDPR Requirements
  • SOC 2 Controls

Continuous Improvement

  • Annual Policy Reviews
  • Regular Security Training
  • Threat Assessment Updates
  • Compliance Monitoring

Security Governance

Security of customer and company data is overseen by our Information Security Committee and Data Protection Officer.

Key Responsibilities

  • Information Security Committee oversight
  • Data Protection Officer guidance
  • Annual policy reviews and updates
  • Mandatory security awareness training
  • Confidentiality agreements for all staff
  • Regular compliance assessments

Technical Security Controls

Encryption

Mercato uses strong encryption to protect data at rest and in transit. This is a critical technical measure to ensure appropriate security levels.

Data at Rest

  • AES-256 encryption for databases
  • Encrypted backups and files
  • Secure key management

Data in Transit

  • Industry-standard TLS/SSL
  • Secure API communications
  • VPN for remote access

Access Control

Access to systems and data is granted on a least-privilege basis with comprehensive authentication measures.

Authentication

  • Strong passwords required
  • Multi-factor authentication (MFA)
  • Regular access reviews

Authorization

  • Role-based permissions
  • Least-privilege principle
  • Automated access management

Monitoring

  • Account activity tracking
  • Unused account detection
  • Prompt access revocation

Network & Infrastructure Security

Network Protection

  • Firewall protection
  • Intrusion detection/prevention
  • Network segmentation
  • Traffic monitoring

Server Security

  • Server hardening
  • Prompt patching
  • Automatic updates
  • Vulnerability scanning

Cloud Services & Third-Party Security

We use reputable cloud providers and maintain strict security standards for all integrations.

  • Google Cloud Platform
  • LinkedIn API
  • Airtable
  • ISO 27001
  • SOC 2
  • GDPR

All third-party integrations require data processing agreements and equivalent security controls.

Organizational Security Measures

Security Training

  • Annual security training for all staff
  • Phishing awareness programs
  • Data handling procedures
  • Incident reporting protocols

Physical Security

  • Badge access control
  • Surveillance cameras
  • Visitor logs
  • Encrypted portable devices

Change Management

  • Formal change control processes
  • Emergency change procedures
  • Documentation requirements
  • Testing prior to implementation

Data Handling

  • Secure vault systems for sensitive data
  • Cryptographic erasure procedures
  • Locked cabinet storage
  • Secure disposal methods

Vendor Management

Before engaging any vendor or service provider that processes personal data, Mercato conducts thorough due diligence.

  • Security posture confirmation before engagement
  • GDPR Article 28-type clauses in all contracts
  • Mandatory data protection and confidentiality requirements
  • Immediate incident reporting obligations

Incident Response & Breach Protocol

Mercato has a documented Incident Response Plan that ensures rapid and effective response to security incidents.

1. Detection & Analysis

Security teams are alerted through monitoring systems and user reports. The incident is logged and classified by severity.

2. Containment & Eradication

Immediate steps to isolate affected systems, stop attacks (disconnect networks, revoke credentials), and remove malicious elements.

3. Recovery

Systems are restored from secure backups, and affected data is recovered or rebuilt to resume normal operations.

4. Notification

GDPR-compliant notification to authorities within 72 hours and to affected individuals when high-risk breaches occur.

5. Post-Incident Review

Formal review to document root causes, evaluate response effectiveness, and update defenses to prevent recurrence.

GDPR Compliance

All security incidents are recorded in an internal register as required by GDPR Article 33.

72-Hour Notification Rule

Under GDPR, we notify the lead data protection authority "without undue delay and, where feasible, not later than 72 hours" after becoming aware of any breach involving personal data.

Continuous Monitoring & Auditing

Mercato conducts regular internal audits of security controls and maintains continuous compliance monitoring.

Internal Monitoring

  • System logs monitoring
  • Access records analysis
  • Storage device monitoring

External Audits

  • Third-party security assessments
  • Penetration testing
  • Cloud compliance reviews

Physical Security

  • Secured data centers with 24/7 monitoring
  • Surveillance cameras and access logs
  • Restricted badge access
  • Secure disposal of hardware