Mercando

Security

How we protect your data

Our Commitment to Security

At Mercando, security is not an afterthought—it's fundamental to how we build and operate our platform. We implement comprehensive security measures to protect your documents and data at every level.

Encryption

Data at Rest

  • AES-256-GCM: All documents are encrypted using AES-256-GCM, an authenticated encryption mode that protects both the confidentiality and the integrity of a document: a ciphertext that has been modified fails authentication and is rejected rather than decrypted
  • Per-Document Keys: Each document is encrypted with its own randomly generated key, so the compromise of one key exposes one document only
  • Key Encryption: Per-document keys are themselves encrypted (wrapped) under a separate key-encryption key, a scheme known as envelope encryption, so stored ciphertext and wrapped keys are useless without access to that master key

Data in Transit

  • TLS 1.3: All data transmitted between your browser and our servers is encrypted with TLS 1.3, which removes the legacy cipher suites and renegotiation features that weakened earlier versions
  • HSTS: HTTP Strict Transport Security instructs browsers to connect over HTTPS only, so a plain-HTTP request or a downgrade attempt is refused by the browser itself
  • Certificate Pinning: A client that pins our certificate or public key rejects any connection presenting a different certificate, which blocks man-in-the-middle attacks that rely on a mis-issued certificate. Browsers have removed support for HTTP Public Key Pinning, so pinning applies to non-browser clients; browser connections rely on standard certificate validation together with HSTS

Client-Side Encryption (Optional)

  • RSA-4096: Optional end-to-end encryption with 4096-bit RSA key pairs. RSA does not encrypt a document directly; it wraps the symmetric key that encrypts the document, so only the holder of the private key can recover that key
  • Zero-Knowledge: With client-side encryption enabled, documents are encrypted before they are uploaded and the private key is never available to us in usable form, so we store only ciphertext and cannot read your document contents (zero-knowledge here means zero access to contents, not a zero-knowledge proof protocol)
  • PBKDF2: Keys derived from your passphrase use PBKDF2 with 600,000 iterations, which matches current OWASP guidance for PBKDF2-HMAC-SHA256 and makes offline guessing of the passphrase expensive

Access Control

  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Multi-Tenant Isolation: Complete data separation between organizations
  • Principle of Least Privilege: Users only have access to what they need
  • Session Management: Secure session handling with automatic timeout
  • OAuth 2.0: Support for enterprise identity providers

Infrastructure Security

  • Cloud Infrastructure: Hosted on AWS, whose data centers hold SOC 2 and ISO 27001 certifications (these are the provider's certifications; our own certification status is listed under Compliance below)
  • Network Security: Firewalls, intrusion detection, and DDoS protection
  • Regular Backups: Automated backups with encryption
  • Disaster Recovery: Multi-region redundancy for business continuity

Audit Logging

We maintain comprehensive audit logs for compliance and security monitoring:

  • All document access and modifications are logged
  • User authentication and authorization events are tracked
  • Administrative actions are recorded
  • Logs are retained for a minimum of 7 years
  • Logs are protected against tampering

Incident Response

Our incident response program includes:

  • 24/7 security monitoring and alerting
  • Defined incident response procedures
  • Breach notification within 72 hours: GDPR (Article 33) requires the supervisory authority to be notified within 72 hours of becoming aware of a personal data breach, and affected individuals to be informed without undue delay when the breach is likely to put them at high risk (Article 34)
  • Regular incident response drills
  • Post-incident analysis and improvement

Compliance

We are committed to meeting the highest compliance standards:

  • GDPR: Full compliance with EU data protection requirements
  • 5-Year Retention: Records are retained for 5 years to meet the requirements of the Ley Debida Diligencia (due diligence law)
  • SOC 2 Type II: Target certification (not yet attained)
  • ISO 27001: Target certification (not yet attained)

Vulnerability Management

  • Regular security assessments and penetration testing
  • Automated vulnerability scanning
  • Timely patching of security vulnerabilities
  • Secure software development lifecycle (SSDLC)
  • Code review and security testing

Employee Security

  • Background checks for all employees
  • Security awareness training
  • Confidentiality agreements
  • Principle of least privilege for internal access
  • Regular security training updates

Report a Security Issue

If you discover a security vulnerability, please report it responsibly:

Email: security@nimbbo.com

We appreciate responsible disclosure and will work with you to address any valid security concerns promptly.