Compliance Framework
SOC 2 Type II
SOC 2 Type II certification demonstrates that Mesta has implemented and maintained effective controls over security, availability, and confidentiality of customer data over a sustained period. The audit evaluates Trust Services Criteria (TSC) across five categories.
Audit In Progress
- Coverage: 100% (18 / 18 requirements)
- Controls Mapped: 82 security controls
- Policies: 15 supporting policies
Auditor
Prescient Assurance
Scope
All systems, processes, and controls related to the Mesta payment platform, including infrastructure, application security, data protection, and organizational controls.
Framework Requirements
Common Criteria
- CC1.1 Control Environment - COSO Principle 1 (satisfied): The entity demonstrates a commitment to integrity and ethical values.
- CC1.2 Control Environment - COSO Principle 2 (satisfied): The board of directors demonstrates independence and oversight.
- CC1.3 Control Environment - COSO Principle 3 (satisfied): Management establishes structures, reporting lines, and authorities.
- CC1.4 Control Environment - COSO Principle 4 (satisfied): The entity demonstrates a commitment to competence.
- CC1.5 Control Environment - COSO Principle 5 (satisfied): The entity holds individuals accountable for internal control responsibilities.
- CC6.1 Logical and Physical Access Controls (satisfied): The entity implements logical access security software, infrastructure, and architectures over protected information assets.
- CC6.2 Access Control - New Users (satisfied): Prior to issuing system credentials and granting system access, the entity registers and authorizes new users.
- CC6.3 Access Control - Modifications and Removals (satisfied): The entity authorizes, modifies, or removes access to data, software, functions, and services based on roles.
- CC6.6 Logical and Physical Access - Encryption (satisfied): The entity implements encryption to protect data at rest and in transit.
- CC6.7 Transmission of Data (satisfied): The entity restricts transmission, movement, and removal of information to authorized users.
- CC7.1 Detection of Security Events (satisfied): The entity identifies and implements detection measures to identify anomalies.
- CC7.2 Security Incident Response (satisfied): The entity monitors system components and the operation of those components.
- CC7.3 Security Incident Evaluation and Response (satisfied): The entity evaluates security events to determine whether they could impact the system.
- CC8.1 Change Management (satisfied): The entity authorizes, designs, develops, configures, documents, tests, approves, and implements changes.
Availability
- A1.1 Availability Performance (satisfied): The entity maintains, monitors, and evaluates current processing capacity.
- A1.2 System Recovery and Business Continuity (satisfied): The entity authorizes, designs, develops, implements, operates, approves, maintains, and monitors environmental protections.
Confidentiality
- C1.1 Confidentiality Controls (satisfied): The entity identifies and maintains confidential information.
- C1.2 Confidential Information Disposal (satisfied): The entity disposes of confidential information to meet the entity objectives.
Mapped Controls (82)
- Encryption key access restricted (passing): Privileged access to encryption keys restricted to authorized users with documented business need....
- Remote access encrypted enforced (passing): Production systems accessible only via approved encrypted VPN connections with MFA....
- Unique account authentication enforced (passing): All system authentication requires unique username/password or authorized SSH keys....
- Production application access restricted (passing): System access restricted to authorized personnel with role-based permissions....
- Access control procedures established (passing): Documented procedures for adding, modifying, and removing user access....
- Production data access monitored (passing): All production data access logged and monitored for anomalies....
- Privileged access managed (passing): Privileged accounts require separate credentials and enhanced authentication....
- Network segmentation implemented (passing): Production networks segmented from corporate and development environments....
- Intrusion detection deployed (passing): IDS/IPS systems monitor network traffic for malicious activity....
- Vulnerability scanning conducted (passing): Automated vulnerability scans performed weekly with remediation tracking....
+ 72 more controls
Audit Timeline
- Audit Start: 7/1/2025
- Audit End: 9/30/2025
- Auditor Contact: audit@prescientassurance.com
Supporting Policies
- Information Security Policy (v2.1.0 • risk)
- Access Control Policy (v1.8.0 • access)
- Data Protection and Privacy Policy (v3.0.0 • data)
- Incident Response Policy (v1.5.0 • incident)
- Business Continuity and Disaster Recovery Policy (v1.3.0 • bcdr)
- Change Management Policy (v2.0.0 • operations)
- Vendor and Third-Party Risk Management Policy (v1.6.0 • vendor)
- Acceptable Use Policy (v1.4.0 • hr)
- Human Resources Security Policy (v2.2.0 • hr)
- Asset Management Policy (v1.7.0 • operations)
- Cryptography and Encryption Policy (v1.9.0 • cryptography)
- Vulnerability Management Policy (v1.5.0 • operations)
- Secure Software Development Policy (v2.3.0 • development)
- Physical Security Policy (v1.2.0 • physical)
- Monitoring and Logging Policy (v1.6.0 • operations)
Framework Details
- Framework ID: soc2
- Status: in progress
- Total Requirements: 18
- Satisfied: 18
Coverage Progress
Overall Coverage: 100%