SOC 2 Type II Audit In Progress

Security, compliance, and resilience—built into every payment

Mesta's hybrid payment network merges real-time rails and blockchain with bank-grade controls. Our ongoing SOC 2 Type II audit preparation, continuous monitoring via Vanta, and dedicated security team keep us accountable to the highest bar.

Open Trust Portal security@mesta.xyz Privacy Policy

Audit In Progress

SOC 2TYPE II

Audit: July 2025

Audit Coverage

Security

Availability

Confidentiality

Compliance & Certifications

Meeting the highest standards for security and data protection

SOC 2 Type II

In Progress

Audit begins July 2025

GDPR

In Progress

EU Data Protection Regulation

ISO 27001

In Progress

Information Security Management System

Compliance Dashboard

Real-time visibility into our security posture and audit readiness

Security Controls

82 passing, 0 failing

97.1%

Evidence Readiness

136 of 140 items ready

Frameworks Tracked

SOC 2, ISO 27001, GDPR

4.0/5

Average Maturity

CMMI maturity level

Compliance Overview

Controls Passing100.0%

Evidence Ready for Audit97.1%

Controls by Family

Internal

Infrastructure

Organizational

Data & Privacy

Product

Controls by Risk Level

critical Risk12

high Risk5

medium Risk17

low Risk48

Recent Activity

All infrastructure controls passed automated testing

2 hours ago

Evidence collected for SOC 2 audit preparation

5 hours ago

Data Protection Policy updated to v3.0.0

1 day ago

Quarterly vulnerability scan completed

3 days ago

Annual penetration test scheduled for next month

5 days ago

View Evidence Catalog140 items View Audit StatusJuly 2025

Security Features

Enterprise-grade security protecting every transaction

Zero Trust Architecture

Every access request authenticated and authorized with continuous verification.

End-to-End Encryption

AES-256 encryption for data at rest, TLS 1.3 for data in transit.

Real-Time Fraud Detection

ML-powered anomaly detection monitors every transaction in real-time.

Multi-Factor Authentication

Hardware security keys and biometric authentication enforced across systems.

Continuous Monitoring

24/7 SIEM monitoring with automated alerting and incident response.

Automated Compliance

Continuous control monitoring and evidence collection via Vanta.

Infrastructure & Architecture

Built on AWS with enterprise-grade redundancy and security

Cloud Infrastructure

AWS US-East-1 (primary) and US-West-2 (failover)
Multi-AZ deployment with auto-scaling
SOC 2, ISO 27001 certified data centers

Network Security

Private VPC with network segmentation
Web Application Firewall (WAF) with DDoS protection
VPN-only production access with IP allowlisting

Data Resilience

Automated daily backups with point-in-time recovery
Cross-region replication for disaster recovery
99.99% uptime SLA with redundant infrastructure

Access Controls

Role-based access control (RBAC) with least privilege
Just-in-time access provisioning
All privileged actions logged and monitored

Resources

Access audit reports, policies, and documentation

View all resources →

SOC 2 Type II Report

Complete SOC 2 Type II audit report covering Security, Availability, and Confidentiality principles.

Access document →

Engagement Letter

Independent auditor engagement letter for the current SOC 2 Type II examination period.

Access document →

Security Whitepaper

Technical documentation of our security architecture, controls, and operational procedures.

Access document →

Data Processing Agreement

Standard DPA template covering GDPR and data protection requirements.

Access document →

Security Controls

Comprehensive controls across all security domains

View all controls →

Infrastructure Security

Controls governing platform infrastructure hardening and access.

19 / 19 passing

Encryption key access restricted

Passing

infrastructure

Privileged access to encryption keys restricted to authorized users with documented business need.

Infrastructure Team•continuous

Remote access encrypted enforced

Passing

infrastructure

Production systems accessible only via approved encrypted VPN connections with MFA.

Infrastructure Team•continuous

Unique account authentication enforced

Passing

infrastructure

All system authentication requires unique username/password or authorized SSH keys.

Infrastructure Team•continuous

Organizational Security

Company-wide guardrails for workforce, devices, and vendors.

14 / 14 passing

Anti-malware technology utilized

Passing

organizational

Endpoint protection deployed and monitored across all company devices.

Security Team•continuous

Code of Conduct acknowledged

Passing

organizational

All employees acknowledge Code of Conduct annually with training.

Security Team•annual

Password policy enforced

Passing

organizational

Minimum 12 characters with MFA via hardware security keys required.

Security Team•continuous

Product Security

Secure SDLC, testing, and continuous assurance of application layers.

5 / 5 passing

Data encryption utilized

Passing

product

All customer data encrypted at rest and in transit with industry-standard algorithms.

Engineering Team•continuous

Control self-assessments conducted

Passing

product

Security control reviews performed before major feature releases.

Engineering Team•continuous

Independent penetration testing performed

Passing

product

Annual penetration tests by third-party security firms with remediation tracking.

Engineering Team•annual

Internal Security Procedures

Governance, risk management, and vendor oversight procedures.

35 / 35 passing

Board meetings conducted

Passing

internal

Quarterly board meetings include security and risk agenda items.

Compliance Team•quarterly

Risk assessments performed

Passing

internal

Annual risk assessments with quarterly reviews and mitigation tracking.

Compliance Team•quarterly

Vendor management program established

Passing

internal

All critical vendors assessed for security posture before engagement.

Compliance Team•continuous

Data and Privacy

Policies that protect customer data across its lifecycle.

9 / 9 passing

Data retention procedures established

Passing

data privacy

Documented data retention periods aligned with legal and business requirements.

Data Protection Team•continuous

Customer data deleted upon termination

Passing

data privacy

Automated deletion of customer data within 30 days of contract end.

Data Protection Team•continuous

Data classification policy established

Passing

data privacy

Data classified as Public, Internal, Confidential, or Restricted.

Data Protection Team•continuous

Payment Security

Payment network controls including AML/KYC, transaction monitoring, and custody procedures.

1 / 1 passing

Order Lifecycle Assurance

Every ledger entry is line-item audited and tied to a control owner, evidence source, and alert path. Each order in our system follows these secured stages.

Funds received

Token or fiat funds enter monitored custody accounts with AML screening, deposit reconciliation, and chain monitoring.

Deposit reconciliationChain monitoringAML screeningTransaction validation

Conversion and Liquidity

Liquidity providers execute currency conversions with deterministic ledger entries while segregation of funds and approval policies maintain accuracy.

Segregated settlement accountsPolicy-based approvalsDeterministic ledger entriesConversion reconciliation

Beneficiary payout

Payouts are dispatched via banking or RTP partners with dual authorization, payment integrity checks, and delivery receipts.

Dual authorizationPayment integrity checksFunds-availability monitoringDelivery confirmation

Post-settlement monitoring

Anomaly detection, automated reconciliation, SIEM correlation, and customer notifications finalize the order lifecycle.

Automated reconciliationSIEM correlation rulesCustomer notificationsAudit trail generation

Security Incident Response

Our incident response team operates 24/7 to detect, respond to, and mitigate security incidents.

Response SLA

Critical incidents: 15 minutes response time | High priority: 1 hour response time

Security Contact

security@mesta.xyz

Automated Detection

SIEM, IDS/IPS, and EDR tools provide automated threat detection.

24/7 Monitoring

Security Operations Center monitors systems around the clock.

Defined Playbooks

Incident response playbooks for common scenarios tested quarterly.

Customer Notification

Affected customers notified within 72 hours per GDPR requirements.

Vulnerability Disclosure Program

We welcome security researchers to responsibly disclose vulnerabilities.

Report Vulnerabilities To

security@mesta.xyz

In Scope

*.mesta.xyz
API endpoints
Mobile applications

Out of Scope

Social engineering
Physical attacks
Third-party services

Need additional assurances?

Request the full SOC 2 Type II report, SIG questionnaire, bridge letter, or quarterly control updates. Our security team responds within one business day.

Access Trust Portal Contact Security Team