Security Policy

Our commitment to protecting your data with enterprise-grade security measures.

Effective: Immediate

1. Security Commitment

Mercato Agency is committed to protecting client data, customer data, and infrastructure from unauthorized access, theft, or disclosure. This Security Policy outlines our security practices to ensure the highest level of data protection and system integrity.

2. Data Encryption

2.1 Encryption at Rest

  • All stored data encrypted using AES-256 encryption
  • Database encryption enabled across AWS, Azure cloud services
  • Encryption keys managed via AWS KMS and Azure Key Vault
  • Key rotation performed annually

2.2 Encryption in Transit

  • All data transmitted via TLS 1.2 or higher
  • HTTPS enforced for all web traffic
  • API calls use OAuth 2.0 or API key authentication
  • VPN encryption for internal team access

3. Access Control

3.1 Role-Based Access Control (RBAC)

  Role        Access
  Admin       Full system access (limited to C-level + CTO)
  Developer   Code and deployment access
  Support     Customer data access only (anonymized where possible)
  Finance     Billing data only

All roles require MFA (multi-factor authentication)

3.2 Client Access

  • Clients access dashboard via unique login credentials
  • Session timeout after 30 minutes of inactivity
  • Password reset required every 90 days
  • Clients cannot access other clients' data
  • API keys rotated quarterly

3.3 Third-Party Access

  • Third-party vendors (Shopify, Google, PayPal) granted minimal necessary access
  • Access reviewed and revoked upon contract termination
  • Non-disclosure agreements required from all vendors

4. Audit Logs & Monitoring

4.1 Logging

  • All data access logged with timestamp, user ID, action, and IP address
  • Logs retained for 90 days
  • Logs encrypted and stored separately from production data
  • Suspicious activity automatically flagged

4.2 Real-Time Monitoring

  • System health monitored 24/7 via CloudWatch (AWS)
  • Intrusion detection systems (IDS) deployed
  • DDoS protection via AWS Shield Standard
  • Alert thresholds set for unusual API activity

4.3 Annual Third-Party Audit

  • Annual independent security audit by external firm
  • Penetration testing conducted annually
  • Vulnerability scans performed quarterly
  • Audit reports available upon client request (under NDA)

5. Backup & Disaster Recovery

5.1 Backup Strategy

  • Daily automated backups of all databases
  • Backup retention: 30 days minimum
  • Backups stored in geographically distinct data centers
  • Backup encryption: AES-256

5.2 Disaster Recovery

  Recovery Point Objective (RPO)   24 hours max data loss
  Recovery Time Objective (RTO)    4 hours max downtime
  • Failover tested quarterly with mock disaster scenarios
  • Redundancy across AWS regions (US, EU, Asia-Pacific)

5.3 Business Continuity

  • Backup infrastructure maintained at AWS
  • Automatic failover to backup systems
  • Clients notified of any service disruptions within 1 hour

6. Vulnerability Management

6.1 Vulnerability Scanning

  • Automated code scanning for security flaws (SAST tools)
  • Dependency vulnerability tracking (npm, pip packages)
  • OS and framework security patches applied within 7 days of release

6.2 Responsible Disclosure

  • Report to: contact@mercato.agency
  • Investigation: Within 24 hours
  • Grace period: 90 days before public disclosure
  • Fixes: Deployed immediately upon patch completion

6.3 Incident Response

  • Incident response team activated within 15 minutes of breach detection
  • Client notification within 24 hours (where legally required)
  • Root cause analysis completed within 5 days
  • Post-incident report provided to client

7. Employee Security

7.1 Access Training

  • All employees complete security training annually
  • Phishing simulations conducted quarterly
  • Password managers required (1Password, LastPass)
  • NDAs signed by all employees with data access

7.2 Device Security

  • All company devices encrypted (FileVault, BitLocker)
  • Firewall enabled on all laptops
  • Antivirus software mandatory and updated daily
  • USB/external storage disabled
  • Mobile device management (MDM) enforced

7.3 Remote Work Security

  • VPN required for all remote access
  • Screen locks enforced after 5 minutes
  • Public WiFi prohibited for client data access
  • Endpoint Detection and Response (EDR) deployed

8. Third-Party Security

8.1 Vendor Assessment

  • All critical vendors undergo security assessment before onboarding
  • Criteria: SOC 2 certification, annual audits, compliance certifications
  • Contracts include security requirements and audit rights

8.2 LLM Provider Security (OpenAI, Google, Anthropic)

  Provider        Assurances
  OpenAI          SOC 2 Type II certified; no training on customer data (by default)
  Google Gemini   SOC 2 Type II certified; GDPR/CCPA compliant
  Anthropic       SOC 2 Type II certified; no data retention policy

Note: Clients may opt-out of LLM model training

9. Compliance Certifications

  Standard             Scope                           Status
  GDPR                 EU customer data protection     Compliant
  CCPA                 California customer data        Compliant
  India IT Act, 2000   Indian regulations              Full Compliance
  SOC 2 Type II        Target certification            Planned Q1 2026
  ISO 27001            Information security standard   Planned 2026

10. Incident Notification

In the event of a data breach or security incident:

  1. Detection: Identified within 1 hour
  2. Investigation: Completed within 24 hours
  3. Client Notification: Within 24 hours (email, phone)
  4. Regulatory Notification: Within required timeline per law
  5. Public Disclosure: Only if legally required