Mercatus infrastructure is hosted on enterprise-grade cloud providers with SOC 2 Type II certification. All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Our systems undergo regular penetration testing by independent security firms.
All API keys are hashed using bcrypt before storage. We support key rotation, IP allowlisting, and per-key rate limiting. API requests are authenticated via Bearer tokens, and webhook deliveries are validated against HMAC signatures.
Payment processing is handled by PCI DSS Level 1 certified providers. Cryptocurrency transactions are verified through multi-signature wallets. User funds are segregated from operational accounts.
We maintain a 24/7 security operations center. Our incident response plan includes automated threat detection, immediate containment procedures, and transparent communication with affected users within 72 hours of discovery.
We operate a responsible disclosure program. Security researchers who identify vulnerabilities can report them to security@mercatus.com. Rewards range from $100 to $10,000 depending on severity.