Security is Our Priority

Security is our priority

We’re committed to security and keeping data 100% protected.

SOC 1 and SOC 2

Mesh Paymentshas received a SOC 1 and SOC 2 Type II reports demonstrating that Mesh Payments has the appropriate controls in place to mitigate the risks related to security, availability, and confidentiality.

Mesh Paymentshas is committed to carrying out an annual SOC 1 and SOC 2 audit.

Customers or potential customers interested in attaining a copy of our SOC 1 and SOC 2 report can contact us.

Data Privacy

Mesh Payments ensures data protection and privacy by design, by combining enterprise-grade security features with comprehensive audits of our policies, applications, systems, and networks.

GDPR and CCPA

Our products comply with global data protection and privacy laws that apply to us and our customers, such as the GDPR and CCPA. 

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.

All customers are given the choice of Additional Notice and Opt-Out by Mesh Payments.

Have inquiries about data privacy? Contact us at privacy@meshpayments.com.

Here are some of the security measures we're taking to keep your data secure:

01

Infrastructure

All of our services run in the cloud. We don’t host or run our own network devices, application load balancers, or physical servers.

Mesh Payments platform and services are hosted on Amazon Web Services (AWS) in North America.

02

Anti-DdoS and WAF

Our infrastructure is protected from DDoS attacks via AWS Cloudfront and Shield.

Mesh Payments uses an industry leading Cloud WAF provider.

AWS provide strong security measures to protect our infrastructure and are compliant with most certifications.

03

Physical Security

Mesh Payments does not maintain physical servers. Access to Mesh Payments’s offices is restricted to employees and Mesh Payments does maintain physical access controls and procedures covering visitor and third party access.

Physical security of our data center is managed by AWS. Please see this page for more details.

04

Browser Security

We automatically end browser sessions after a period of idle activity.

05

SAML SSO Account Protection

Mesh Payments platfotm is passwordless.

Access to our platform is only allowed through a trusted Single Sign-On provider.

Mesh Payments supports any Identity Providers that are using the open SAML standard (e.g., Microsoft Entra, Okta, Google Workspace, Azure ID, Auth0).

The SSO mechanism also supports biometric authentication.

06

Multi Factor Authentication

Mesh Payments leverages automated systems to proactively prevent account takeover attempts and other malicious requests. We require all accounts to opt into multi factor authentication and immediately verify suspicious activity with the business owner.

We require multi-factor authentication (MFA) for all company administrators with access to sensitive company information and controls.

Two-factor authentication is required for all Mesh Payments users and can be done using SMS, WhatsApp (in specific countries only), or via an SSO provider. On mobile devices, biometric authentication is supported.

07

Account Security

Encryption-at-rest

Customer data is encrypted at-rest using AES-256, and strong RSA key (4096 bits).

Encryption-in-transit

All public endpoints use TLS 1.2 or higher for encryption in transit.

Idle lockouts

Mesh Payments forces automatic signouts after inactivity to prevent unsanctioned access or use of the user’s account.

Tokenization

Mesh uses tokenization to protect your card and CVV numbers.

08

Disaster Recovery

We are able to leverage AWS's disaster recovery capabilities to restore backup snapshots in different AWS region as needed.

09

Backups Enabled

Backups are taken daily through AWS and are tested on a regular basis.

Data Retention

The Company has responsibilities over the financial data it processes for customers.

Data will be retained in accordance with applicable regulations and compliance requirements, and according to data type (financial data, personal data, customer security event logs, system logs, etc). Additional details are available in our privacy policy at www.meshpayments.com/privacy.

10

Incident response

Mesh payments follows an established procedure for responding appropriately to potential incidents. All suspected incidents are managed by our Security team with mature logging, monitoring, and alerting capabilities.

11

Network Diagram

Mesh Payments maintains network diagrams, however, these are not shared externally.

12

Least Privileges and Audit Logging

As standard best practice, we adhere to the notion of least privileges, whereby only a small subset of personnel have the means to view your data, and only when needed to support you.

Our authorized personnel sign a Non-Disclosure and Confidentiality Agreement to protect our customers sensitive information.

Naturally, all data access is logged and monitored for audit purposes too.

13

Remote Access

Authorized personnel are mandated to utilize a Zero-Trust tool (VPN) and MFA to access Production environment.

14

Access Monitoring

Mesh Payment has standards in place to ensure appropriate data access and usage. Our controls address the provisioning, deprovisioning and auditing of role-based access to data according to least privilege as well as employee background checks, logging, alerting, monitoring, and endpoint security mechanisms.

15

Application security monitoring

We use an industry-leading cloud-native monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.

We use technologies to monitor exceptions, logs and detect anomalies in our applications.

We collect and store logs to provide an audit trail of our applications activity.

16

Secure Codebase

We perform static & dynamic code analysis as well as Software Composition Analysis (SCA) of open-source libraries. Additionally, we have deployed Runtime application security and observability tool.

17

Credential Management (Platform)

Infrastructure secrets are securely stored and managed using AWS KMS.

18

Penetration Testing

Mesh Payments continuously undergoes penetration testing to check for any vulnerabilities in our infrastructure. The tests are augmented by manual "business logic assessment" reviews on a periodic cadence.

19

Protection Against Unauthorized or Malicious Software

EDR software is installed on the company-owned workstations (laptops) and is configured to detect and prevent malware.

Additionally, software patches are applied on continuous basis by the company MDM solution.

20

Security Awareness program

Mesh Payments Security department provides security and data privacy awareness training to all new employees upon hire, and to all Company personnel at least once per calendar year (through dedicated Security Awareness platform) to help employees understand their obligations and responsibilities to comply with the Company’s security and confidentiality policies and procedures, including the identification and reporting of incidents.

21

HR Security

Employees with access to company data undergo background checks (where applicable) and accept information security policies during the onboarding process.

22

Credentials Security (Corporate)

Employees are required to use passkey, internal SSO, and MFA to enhance the security of their accounts, with passwords only used as a backup authentication method.

All other credentials are required to be stored using a secure, company-controlled password manager.

23

Security Policies

The information security policies for Mesh Payments are mantained and annually updated by the CISO.

Mesh Payments' defined set of policies for information security includes, among others, Information Security Policy, Acceptable Use Policy, BCP, Backup Policy, Data Clasifficaton Policy, Code of Conduct, DRP, Kubernetes Security Policy, Encryption Policy, Software Development Life Cycle Policy, Vendor Management Policy, and others.

24

External Risk Assessment

Mesh Payments undergoes a yearly review by a well-known external security firm to verify that all risks are identified, evaluated, and addressed.

25

Compliance

PCI DSS

Mesh Payments is PCI DSS compliant. We recognize the need for the highest security available to protect our merchants and their customers.

In compliance with PCI Data Security Standards, we have met and surpassed all requirements set forth as a Level 1 Service Provider.

SOC 1 and SOC2

Mesh Paymentshas received a SOC 1 and SOC 2 Type II reports demonstrating that Mesh Payments has the appropriate controls in place to mitigate the risks related to security, availability, and confidentiality.

Mesh Paymentshas is committed to carrying out an annual SOC 1 and SOC 2 audit.

Customers or potential customers interested in attaining a copy of our SOC 1 and SOC 2 report can contact us.

26

Data Privacy

Mesh Payments ensures data protection and privacy by design, by combining enterprise-grade security features with comprehensive audits of our policies, applications, systems, and networks.

GDPR and CCPA

Our products comply with global data protection and privacy laws that apply to us and our customers, such as the GDPR and CCPA.

The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.

All customers are given the choice of Additional Notice and Opt-Out by Mesh Payments.

Have inquiries about data privacy? Contact us at privacy@meshpayments.com.

27

External Auditing

On an annual basis, Mesh is audited by a large external firm (KPMG) to ensure we continue to meet and exceed the requirements of SOC 1 and SOC 2  compliance standards. We ensure that all of our partners have current SOC 2 reports too.

28

Vendor Security Alliance

Mesh Payments supports the Vendor Security Alliance initiative to standardize the vendor due diligence process. To assist with organizations who have adopted this standard, we have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire.

29

Security Grades

CryptCheck: A+

ImmuniWeb: A

Qualys SSL Labs: A+

30

Avoiding scams

Recognize Phishing Attempts

Mesh payments representatives will never request your corporate domain password, card details, or verification codes. Scammers might pose as Mesh Payments employees or your finance team to extract sensitive data. Learn to spot and handle phishing in your business.

Responsible Disclosure

We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to report us any vulnerabilities they might discover.

You can report vulnerabilities by contacting security@meshpayments.com.

You can read our Vulnerability Disclosure Policy here.

Want to Learn More?