Security & Trust

Enterprise-Grade Security.
Paradigm-Grade Trust.

Your intelligence is safe with us. We have thought very hard about security and written it down.

SOC 2 Type II
GDPR Compliant
ISO 27001
PARADIGM-Ready™
HIPAA Aware

Certifications & Standards

Mercwear maintains the highest levels of compliance across all major frameworks, and one framework we made ourselves.

SOC 2 Type II
Audited annually by a third party who found everything largely in order.
Certified & Current
GDPR Compliant
Your European cognitive data is handled in strict accordance with regulations we have read most of.
Compliant
ISO 27001
Information security management, certified. The certificate is framed and hanging in our conference room.
Certified
PARADIGM-Ready™
Proprietary Mercwear certification. We designed the standard. We passed it. We are very proud.
Self-Certified
FedRAMP-Adjacent™
We are working toward FedRAMP authorization. "Adjacent" means we are aware of the process and have begun several conversations about beginning the process.
In Progress (Conversations)
HIPAA Aware
For healthcare customers, we are HIPAA Aware. This means we know what HIPAA is and take it seriously in all meetings where it is mentioned.
Aware & Attentive

Our Security Approach

Security is not a feature at Mercwear. It is a deeply held abstract belief that we have operationalized into concrete processes.

🔐
Zero Trust Architecture
We don't trust anyone. Not our employees, not our systems, not the network, not the concept of trust itself. Every request is verified. Every paradigm is authenticated. It's lonely but secure.
🔒
End-to-End Encryption
Your data is encrypted in transit, at rest, and in what our security team calls "conceptual form" — the state data occupies when it's being thought about but not yet written down.
⚔️
Penetration Testing
We employ certified ethical hackers to attempt to break into our systems quarterly. They have not succeeded. We have asked them to try harder. They said they are.

Your Data, Mostly

We take data governance seriously. Here is a clear, straightforward explanation of your data rights, written by our legal team.

📋
Your Data Stays Yours (Mostly)

Your data is used exclusively to provide and improve the services you've contracted. It is also used to improve our models, which improves the service, which is the same thing. It is additionally used for certain analytical purposes described in Section 7.4.2 of the privacy policy, which you have read and agreed to.


Data shared with Mercwear will not be sold to third parties, except as described in Section 12.1 (Approved Partners), Section 12.2 (Analytics Vendors), Section 12.4 (Service Improvement Consortia), and Section 12.7 (Situations We Have Not Yet Anticipated). We feel this is a reasonable arrangement.

🌍
Data Residency Options
Choose where your cognitive data lives. All regions are encrypted, compliant, and at peace with themselves.
United States
US-EAST-1 & US-WEST-2. Stable, reliable, known quantity.
European Union
EU-WEST-1. GDPR-compliant. Data does not leave the continent.
APAC
AP-SOUTHEAST-1. Low latency for Pacific region customers.
Distributed Cognitive Substrate
Our default. We don't know exactly where it is, but it's encrypted.

Vulnerability Reporting

We take security disclosures seriously. We have a process. It is written down below.

Found something? Tell us.

If you discover a security vulnerability in Mercwear's systems, please report it to security@mercwear.com.


We will acknowledge receipt within 48 hours and resolve it within a timeframe we will determine after understanding the severity, which may take some time. We appreciate your patience during this assessment of how much patience to ask for.


We do not offer a bug bounty program at this time. We offer recognition in our quarterly security newsletter, which has 14 subscribers. We consider this meaningful.

📨
Step 1: Email security@mercwear.com with a clear description of the issue, steps to reproduce, and your preferred alias for the newsletter.
⏱️
Step 2: We acknowledge within 48 hours. We may also acknowledge again at 72 hours if we forgot the first time.
🔍
Step 3: We assess severity. This could take a variable amount of time. We will keep you posted when we remember.
🏆
Step 4: Issue is resolved. You receive acknowledgment in the security newsletter. Your name (or alias) appears under "Community Heroes."

Security Documentation

All documents are available upon request. Some documents are available upon request after signing an NDA about the existence of the documents.

Mercwear Trust Center
Complete security documentation for enterprise procurement, legal review, and peace of mind.
Request Access

Security questions?
Talk to our team.

Our security experts are standing by to answer questions, sign NDAs, and reassure you in whatever format you prefer.

Book a Demo