Mercato Logo

Security Policy

Our commitment to protecting your data with enterprise-grade security measures.

Effective: Immediate

Table of Contents

1. Security Commitment2. Data Encryption3. Access Control4. Audit Logs5. Backup & Recovery6. Vulnerability Management7. Employee Security8. Third-Party Security9. Compliance10. Incident Notification11. Contact

1. Security Commitment

Mercato Agency is committed to protecting client data, customer data, and infrastructure from unauthorized access, theft, or disclosure. This Security Policy outlines our security practices to ensure the highest level of data protection and system integrity.

2. Data Encryption

2.1 Encryption at Rest

  • All stored data encrypted using AES-256 encryption
  • Database encryption enabled across AWS, Azure cloud services
  • Encryption keys managed via AWS KMS and Azure Key Vault
  • Key rotation performed annually

2.2 Encryption in Transit

  • All data transmitted via TLS 1.2 or higher
  • HTTPS enforced for all web traffic
  • API calls use OAuth 2.0 or API key authentication
  • VPN encryption for internal team access

3. Access Control

3.1 Role-Based Access Control (RBAC)

Admin:Full system access (limited to C-level + CTO)
Developer:Code and deployment access
Support:Customer data access only (anonymized)
Finance:Billing data only

✓ All roles require MFA (multi-factor authentication)

3.2 Client Access

  • Unique login credentials for dashboard access
  • Session timeout after 30 minutes of inactivity
  • Password reset required every 90 days
  • API keys rotated quarterly

3.3 Third-Party Access

  • 🔒Third-party vendors granted minimal necessary access
  • 🔒Access reviewed and revoked upon contract termination
  • 🔒Non-disclosure agreements required from all vendors

4. Audit Logs & Monitoring

4.1 Logging

  • All data access logged with timestamp, user ID, action, and IP address
  • Logs retained for 90 days
  • Logs encrypted and stored separately from production data
  • Suspicious activity automatically flagged

4.2 Real-Time Monitoring

System health monitored 24/7 via CloudWatch
Intrusion detection systems (IDS) deployed
DDoS protection via AWS Shield Standard
Alert thresholds for unusual API activity

4.3 Annual Third-Party Audit

  • Annual independent security audit by external firm
  • Penetration testing conducted annually
  • Vulnerability scans performed quarterly
  • Audit reports available upon client request (under NDA)

5. Backup & Disaster Recovery

5.1 Backup Strategy

  • 💾Daily automated backups of all databases
  • 💾Backup retention: 30 days minimum
  • 💾Backups stored in geographically distinct data centers
  • 💾Backup encryption: AES-256

5.2 Disaster Recovery

Recovery Point Objective (RPO)
24 hours max data loss
Recovery Time Objective (RTO)
4 hours max downtime
  • Failover tested quarterly with mock disaster scenarios
  • Redundancy across AWS regions (US, EU, Asia-Pacific)

5.3 Business Continuity

  • Backup infrastructure maintained at AWS
  • Automatic failover to backup systems
  • Clients notified of any service disruptions within 1 hour

6. Vulnerability Management

6.1 Vulnerability Scanning

  • 🔍Automated code scanning for security flaws (SAST tools)
  • 🔍Dependency vulnerability tracking (npm, pip packages)
  • 🔍OS and framework security patches applied within 7 days of release

6.2 Responsible Disclosure

  • Report to: contact@mercato.agency
  • Investigation: Within 24 hours
  • Grace period: 90 days before public disclosure
  • Fixes: Deployed immediately upon patch completion

6.3 Incident Response

  • ⚠️Incident response team activated within 15 minutes of breach detection
  • ⚠️Client notification within 24 hours (where legally required)
  • ⚠️Root cause analysis completed within 5 days
  • ⚠️Post-incident report provided to client

7. Employee Security

7.1 Access Training

  • All employees complete security training annually
  • Phishing simulations conducted quarterly
  • Password managers required (1Password, LastPass)
  • NDAs signed by all employees with data access

7.2 Device Security

All company devices encrypted
Firewall enabled on all laptops
Antivirus software mandatory
USB/external storage disabled
Mobile device management (MDM) enforced

7.3 Remote Work Security

  • 📡VPN required for all remote access
  • 📡Screen locks enforced after 5 minutes
  • 📡Public WiFi prohibited for client data access
  • 📡Endpoint Detection and Response (EDR) deployed

8. Third-Party Security

8.1 Vendor Assessment

  • All critical vendors undergo security assessment before onboarding
  • Criteria: SOC 2 certification, annual audits, compliance certifications
  • Contracts include security requirements and audit rights

8.2 LLM Provider Security

OpenAI
SOC 2 Type II certified | No training on customer data
Google Gemini
SOC 2 Type II certified | GDPR/CCPA compliant
Anthropic
SOC 2 Type II certified | No data retention policy

Note: Clients may opt-out of LLM model training

9. Compliance Certifications

🏆
GDPR
EU customer data protection
Compliant
🏆
CCPA
California customer data
Compliant
🏆
India IT Act, 2000
Indian regulations
Full Compliance
🎯
SOC 2 Type II
Target certification
Planned Q1 2026
🎯
ISO 27001
Information security standard
Planned 2026

10. Incident Notification

In the event of a data breach or security incident:

1
Detection
Identified within 1 hour
2
Investigation
Completed within 24 hours
3
Client Notification
Within 24 hours (email, phone)
4
Regulatory Notification
Within required timeline per law
5
Public Disclosure
Only if legally required

11. Contact

For security inquiries or to report a security issue:

🔴Critical incidents: 15 minute response

📧contact@mercato.agency

Designed for Fashion Brands

Ready to Elevate Your
Fashion Experience?

Transform Your E-Commerce Into a Personalized Styling Journey—All Within Minutes. Start for Free.

Get Started