Security & Compliance

Security isn't a feature — it's the product. Every document, signature, and audit trail is engineered to satisfy EU compliance auditors and enterprise procurement.

eIDAS Qualified Electronic Signatures

Sign documents with the highest legal-effect signature class under EU Regulation 910/2014, equivalent to a handwritten signature across all 27 member states. Issued via accredited Qualified Trust Service Providers.

SOC 2 Type II readiness

Controls mapped to the AICPA Trust Services Criteria for security, availability, and confidentiality. Independent audit roadmap underway; control evidence is available on request under NDA.

GDPR compliant by design

Data residency inside the EU, processor agreements (Art. 28 DPA) available, granular DSAR fulfillment, and a 12-month log retention default. The right to erasure is implemented end-to-end.

AES-256-GCM at rest, TLS 1.3 in transit

Documents are encrypted with authenticated AES-256-GCM before they hit object storage. Connections use TLS 1.3 with HSTS, perfect forward secrecy, and a strict modern cipher suite.

Tenant isolation

Each organization is partitioned at the row level with cryptographic separation of keys. Cross-tenant queries are impossible by construction — enforced at the database, API, and key-management layers.

Immutable audit logs

Every action — uploads, signatures, downloads, role changes — is logged with tamper-evident hashes and exposed via an exportable audit trail for regulators and internal compliance.
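One way such a tamper-evident trail can be built is a hash chain: each entry's hash covers the previous entry's hash plus its own fields, so editing or deleting any earlier record invalidates every later one. The Go program below is an added illustration written for this page, not Mercury Evidentia's own logging code; its field names, the `genesis` link value and the sample entries are constructed assumptions. It also shows why the chain head must be anchored outside the log (a signed checkpoint, for instance): an in-place chain catches retroactive edits, but only an externally stored head catches truncation or a wholesale rewrite by someone who can write to the log.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// genesis is the fixed link for the first entry, which has no predecessor.
const genesis = "0000000000000000000000000000000000000000000000000000000000000000"

// AuditEntry is one recorded action. Hash covers PrevHash and every other
// field, so changing or removing any earlier entry invalidates every later one.
type AuditEntry struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Object   string `json:"object"`
	At       string `json:"at"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash,omitempty"`
}

// entryHash canonicalises the entry as JSON (struct field order is fixed and
// Hash is cleared first) and returns the hex SHA-256 of that encoding.
func entryHash(e AuditEntry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // cannot fail for plain string and int fields
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// AuditLog is an append-only chain of entries.
type AuditLog struct{ Entries []AuditEntry }

// Head is the hash of the newest entry (genesis for an empty log). Persisting
// it where the log writer cannot rewrite it is what makes the chain
// tamper-evident against an insider who could otherwise recompute every hash.
func (l *AuditLog) Head() string {
	if len(l.Entries) == 0 {
		return genesis
	}
	return l.Entries[len(l.Entries)-1].Hash
}

// Append records an action, linking it to the current head.
func (l *AuditLog) Append(actor, action, object, at string) {
	e := AuditEntry{Seq: len(l.Entries) + 1, Actor: actor, Action: action,
		Object: object, At: at, PrevHash: l.Head()}
	e.Hash = entryHash(e)
	l.Entries = append(l.Entries, e)
}

// Verify checks sequence numbers, links and hashes and reports the first defect.
func (l *AuditLog) Verify() error {
	prev := genesis
	for i, e := range l.Entries {
		switch {
		case e.Seq != i+1:
			return fmt.Errorf("entry %d: expected seq %d, got %d", i+1, i+1, e.Seq)
		case e.PrevHash != prev:
			return fmt.Errorf("entry %d: prev_hash does not link to entry %d", e.Seq, i)
		case entryHash(e) != e.Hash:
			return fmt.Errorf("entry %d: contents do not match stored hash", e.Seq)
		}
		prev = e.Hash
	}
	return nil
}

// VerifyAgainstHead additionally requires the chain to end at an externally
// anchored head hash; this is what catches truncation and full rewrites.
func (l *AuditLog) VerifyAgainstHead(anchored string) error {
	if err := l.Verify(); err != nil {
		return err
	}
	if l.Head() != anchored {
		return fmt.Errorf("head %s does not match anchored head %s", l.Head(), anchored)
	}
	return nil
}

func main() {
	var l AuditLog
	// Constructed sample actions; actors and ids are not real.
	l.Append("alice@example.test", "upload", "doc-1", "2024-01-01T10:00:00Z")
	l.Append("bob@example.test", "sign", "doc-1", "2024-01-01T10:05:00Z")
	l.Append("alice@example.test", "download", "doc-1", "2024-01-01T10:06:00Z")
	anchored := l.Head()
	fmt.Println("intact:", l.VerifyAgainstHead(anchored))
	l.Entries[1].Actor = "mallory@example.test" // retroactive edit of entry 2
	fmt.Println("edited:", l.Verify())
	l.Entries[1].Actor = "bob@example.test"
	l.Entries = l.Entries[:2] // newest entry dropped
	fmt.Println("truncated:", l.VerifyAgainstHead(anchored))
}
```

The internal `Verify` still passes after the truncation at the end of `main`; only the comparison with the anchored head reveals it, which is the argument for exporting and checkpointing the head hash alongside the audit trail itself.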

Key management

Encryption keys are envelope-wrapped, rotated automatically, and never co-located with the data they protect. Customer-managed keys (BYOK) are available on Enterprise plans.
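The three mechanisms above (authenticated AES-256-GCM on documents, per-tenant key separation, and envelope-wrapped keys that rotate without re-encrypting data) fit together in one pattern. The Go program below is an added example written for this page, not Mercury Evidentia's code: it uses only the standard library, stands in for a real key store with in-memory KEKs, and the tenant and document ids are constructed. Each ciphertext is bound, via GCM's additional authenticated data, to the tenant and document it belongs to, so a wrapped key or ciphertext presented under another tenant's identity fails authentication rather than decrypting; rotating the KEK only re-wraps the small DEK and leaves the document ciphertext untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what would be persisted with a document: the ciphertext plus the
// per-document data-encryption key (DEK) wrapped under a key-encryption key
// (KEK) that lives in a separate key store, never beside the data.
type Envelope struct {
	TenantID   string
	DocID      string
	WrappedDEK []byte // DEK sealed under the KEK, 12-byte nonce prepended
	Ciphertext []byte // document sealed under the DEK, 12-byte nonce prepended
}

// bindingAAD is the additional authenticated data every ciphertext is tied to.
// A blob replayed under another tenant or document id fails to authenticate.
func bindingAAD(tenantID, docID string) []byte {
	return []byte("tenant=" + tenantID + ";doc=" + docID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM under a fresh random nonce and returns
// nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad is an error.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptDocument generates a fresh 256-bit DEK, encrypts the document with it,
// then wraps the DEK under the tenant's KEK. The plaintext DEK is never stored.
func EncryptDocument(kek []byte, tenantID, docID string, doc []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	aad := bindingAAD(tenantID, docID)
	ct, err := seal(dek, doc, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return nil, err
	}
	return &Envelope{TenantID: tenantID, DocID: docID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptDocument unwraps the DEK under the caller's KEK and tenant id, so
// another tenant's KEK or a mislabelled envelope yields an error, not plaintext.
func DecryptDocument(kek []byte, tenantID string, env *Envelope) ([]byte, error) {
	aad := bindingAAD(tenantID, env.DocID)
	dek, err := open(kek, env.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, aad)
}

// RotateKEK re-wraps the DEK under a new KEK without touching the document
// ciphertext, which is what makes automatic KEK rotation cheap.
func RotateKEK(oldKEK, newKEK []byte, env *Envelope) error {
	aad := bindingAAD(env.TenantID, env.DocID)
	dek, err := open(oldKEK, env.WrappedDEK, aad)
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, aad)
	if err != nil {
		return err
	}
	env.WrappedDEK = wrapped
	return nil
}

func main() {
	kekA, kekB := make([]byte, 32), make([]byte, 32) // stand-ins for two tenants' KEKs
	rand.Read(kekA)
	rand.Read(kekB)
	env, _ := EncryptDocument(kekA, "acme", "doc-1", []byte("signed contract"))
	pt, err := DecryptDocument(kekA, "acme", env)
	fmt.Printf("own tenant: %q err=%v\n", pt, err)
	_, err = DecryptDocument(kekB, "globex", env)
	fmt.Println("other tenant:", err)
	env.Ciphertext[len(env.Ciphertext)-1] ^= 1 // one flipped bit in the stored blob
	_, err = DecryptDocument(kekA, "acme", env)
	fmt.Println("tampered ciphertext:", err)
}
```

In a deployment the KEK would be held by an HSM or cloud KMS and the wrap/unwrap calls in `RotateKEK` and `DecryptDocument` would go to that service; with customer-managed keys (BYOK) the KEK is the customer's, and the service only ever holds wrapped DEKs.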

Governance & access control

Role-based access control with least-privilege defaults, mandatory two-factor authentication for admins, SSO/SAML on Enterprise, and full session revocation from a single dashboard.

Certifications & frameworks

We align Mercury Evidentia to the frameworks our regulated customers are audited against.

  • eIDAS Regulation (EU) 910/2014 — QES via accredited TSPs
  • GDPR (Regulation EU 2016/679) — EU data residency, Art. 28 DPA
  • SOC 2 Type II — control mapping in place, audit in progress
  • ISO/IEC 27001:2022 — controls aligned, certification on the roadmap