Enterprise Security

Security at Merka2a

We protect your business data with bank-grade encryption, strict access controls, and continuous monitoring.

SOC 2 Type II

In Progress

GDPR

Compliant

PCI DSS

Via Stripe

256-bit TLS

Encrypted

Infrastructure Security

Our platform runs on battle-tested cloud infrastructure with multiple layers of protection.

Cloud Infrastructure

Hosted on Railway (AWS us-east-1)
Database on Supabase (AWS)
Automatic backups with point-in-time recovery
Multi-AZ redundancy for high availability

Network Security

All traffic encrypted with TLS 1.3
DDoS protection at edge
Web Application Firewall (WAF)
Rate limiting on all API endpoints

Application Security

Fastify with security headers (Helmet)
CSRF protection on all forms
XSS prevention with DOMPurify
SQL injection prevention via parameterized queries

Monitoring & Response

24/7 automated monitoring
Real-time alerting on anomalies
Sentry error tracking
Incident response procedures in place

Data Handling

Your data is handled with the highest standards of care and protection.

Encryption at Rest

All data is encrypted using AES-256 encryption. Database backups are encrypted with separate keys.

Encryption in Transit

All connections use TLS 1.3 with modern cipher suites. HSTS is enforced on all domains.

Access Control

Role-based access control (RBAC) limits data access. API keys use secure hashing (bcrypt). Session tokens expire after 7 days.

Data Retention

Transaction data retained for 7 years for compliance. Personal data deleted upon request within 30 days per GDPR.

Third-Party Processors

We use Stripe for payments (PCI DSS Level 1), Supabase for database, and Railway for hosting. All processors are GDPR compliant.

Payment Security

Financial transactions are protected by industry-leading security measures.

Powered by Stripe

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers on our servers.

PCI DSS Level 1 compliant
3D Secure authentication supported
Fraud detection with Radar
Tokenized card storage

Security Practices

How we build and maintain secure systems.

Secure Development

Code review required for all changes
Automated security scanning (SAST)
Dependency vulnerability monitoring
TypeScript with strict type checking

Access Management

Principle of least privilege
MFA required for all team members
Regular access reviews
Audit logging on sensitive operations

Incident Response

Documented incident response plan
24-hour response SLA
Post-incident reviews
Customer notification procedures

Report a Security Issue

We take security seriously. If you discover a vulnerability, please report it responsibly.

security@merka2a.com

Response Time

Within 24 hours

What to include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Your contact information

Have questions about our security practices?