Mesh Payments has received SOC 1 and SOC 2 Type II reports demonstrating that Mesh Payments has the appropriate controls in place to mitigate the risks related to security, availability, and confidentiality.
Mesh Payments is committed to carrying out an annual SOC 1 and SOC 2 audit.
Customers or potential customers interested in obtaining a copy of our SOC 1 and SOC 2 reports can contact us.
Mesh Payments ensures data protection and privacy by design, by combining enterprise-grade security features with comprehensive audits of our policies, applications, systems, and networks.
Our products comply with global data protection and privacy laws that apply to us and our customers, such as the GDPR and CCPA.
The California Consumer Privacy Act (CCPA) gives consumers more control over the personal information that businesses collect about them.
All customers are given the choice of Additional Notice and Opt-Out by Mesh Payments.
Have inquiries about data privacy? Contact us at privacy@meshpayments.com.
All of our services run in the cloud. We don’t host or run our own network devices, application load balancers, or physical servers.
The Mesh Payments platform and services are hosted on Amazon Web Services (AWS) in North America.
Our infrastructure is protected from DDoS attacks via AWS Cloudfront and Shield.
Mesh Payments uses an industry-leading cloud WAF provider.
AWS provides strong security measures to protect our infrastructure and is compliant with most certifications.
Mesh Payments does not maintain physical servers. Access to Mesh Payments' offices is restricted to employees, and Mesh Payments maintains physical access controls and procedures covering visitor and third-party access.
Physical security of our data center is managed by AWS. Please see this page for more details.
We automatically end browser sessions after a period of idle activity.
The Mesh Payments platform is passwordless.
Access to our platform is only allowed through a trusted Single Sign-On provider.
Mesh Payments supports any Identity Provider that uses the open SAML standard (e.g., Microsoft Entra, Okta, Google Workspace, Azure AD, Auth0).
The SSO mechanism also supports biometric authentication.
Mesh Payments leverages automated systems to proactively prevent account takeover attempts and other malicious requests. We require all accounts to opt into multi-factor authentication and immediately verify suspicious activity with the business owner.
We require multi-factor authentication (MFA) for all company administrators with access to sensitive company information and controls.
Two-factor authentication is required for all Mesh Payments users and can be done using SMS, WhatsApp (in specific countries only), or via an SSO provider. On mobile devices, biometric authentication is supported.
Customer data is encrypted at rest using AES-256 and strong 4096-bit RSA keys.
All public endpoints use TLS 1.2 or higher for encryption in transit.
Mesh Payments forces automatic signouts after inactivity to prevent unsanctioned access or use of the user’s account.
Mesh uses tokenization to protect your card and CVV numbers.
We leverage AWS's disaster recovery capabilities to restore backup snapshots in a different AWS region as needed.
Backups are taken daily through AWS and are tested on a regular basis.
The Company has responsibilities over the financial data it processes for customers.
Data will be retained in accordance with applicable regulations and compliance requirements, and according to data type (financial data, personal data, customer security event logs, system logs, etc). Additional details are available in our privacy policy at www.meshpayments.com/privacy.
Mesh Payments follows an established procedure for responding appropriately to potential incidents. All suspected incidents are managed by our Security team with mature logging, monitoring, and alerting capabilities.
Mesh Payments maintains network diagrams; however, these are not shared externally.
As standard best practice, we adhere to the principle of least privilege, whereby only a small subset of personnel have the means to view your data, and only when needed to support you.
Our authorized personnel sign a Non-Disclosure and Confidentiality Agreement to protect our customers' sensitive information.
Naturally, all data access is logged and monitored for audit purposes too.
Authorized personnel are required to use a Zero-Trust tool (VPN) and MFA to access the production environment.
Mesh Payments has standards in place to ensure appropriate data access and usage. Our controls address the provisioning, deprovisioning, and auditing of role-based access to data according to least privilege, as well as employee background checks, logging, alerting, monitoring, and endpoint security mechanisms.
We use an industry-leading cloud-native monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
We use technologies to monitor exceptions and logs and to detect anomalies in our applications.
We collect and store logs to provide an audit trail of our applications' activity.
We perform static and dynamic code analysis as well as Software Composition Analysis (SCA) of open-source libraries. Additionally, we have deployed a runtime application security and observability tool.
Infrastructure secrets are securely stored and managed using AWS KMS.
Mesh Payments continuously undergoes penetration testing to check for any vulnerabilities in our infrastructure. The tests are augmented by manual "business logic assessment" reviews on a periodic cadence.
EDR software is installed on the company-owned workstations (laptops) and is configured to detect and prevent malware.
Additionally, software patches are applied on a continuous basis by the company MDM solution.
The Mesh Payments Security department provides security and data privacy awareness training to all new employees upon hire, and to all Company personnel at least once per calendar year (through a dedicated Security Awareness platform), to help employees understand their obligations and responsibilities to comply with the Company's security and confidentiality policies and procedures, including the identification and reporting of incidents.
Employees with access to company data undergo background checks (where applicable) and accept information security policies during the onboarding process.
Employees are required to use passkeys, internal SSO, and MFA to enhance the security of their accounts, with passwords used only as a backup authentication method.
All other credentials are required to be stored using a secure, company-controlled password manager.
The information security policies for Mesh Payments are maintained and annually updated by the CISO.
Mesh Payments' defined set of policies for information security includes, among others, the Information Security Policy, Acceptable Use Policy, BCP, Backup Policy, Data Classification Policy, Code of Conduct, DRP, Kubernetes Security Policy, Encryption Policy, Software Development Life Cycle Policy, and Vendor Management Policy.
Mesh Payments undergoes a yearly review by a well-known external security firm to verify that all risks are identified, evaluated, and addressed.
Mesh Payments is PCI DSS compliant. We recognize the need for the highest security available to protect our merchants and their customers.
In compliance with PCI Data Security Standards, we have met and surpassed all requirements set forth as a Level 1 Service Provider.
On an annual basis, Mesh is audited by a large external firm (KPMG) to ensure we continue to meet and exceed the requirements of SOC 1 and SOC 2 compliance standards. We ensure that all of our partners have current SOC 2 reports too.
Mesh Payments supports the Vendor Security Alliance initiative to standardize the vendor due diligence process. To assist organizations that have adopted this standard, we have completed the Vendor Security Alliance (VSA) Core self-assessment questionnaire.
CryptCheck: A+
ImmuniWeb: A
Qualys SSL Labs: A+
Mesh Payments representatives will never request your corporate domain password, card details, or verification codes. Scammers might pose as Mesh Payments employees or your finance team to extract sensitive data. Learn to spot and handle phishing in your business.
We encourage everyone who practices responsible disclosure and complies with our policies and terms of service to report to us any vulnerabilities they might discover.
You can report vulnerabilities by contacting security@meshpayments.com.
You can read our Vulnerability Disclosure Policy here.