Infrastructure
Security & Infrastructure
Enterprise-grade reliability, European data sovereignty, and transparent operational controls.
executive-summary
Executive Summary
Mercura is built on a foundation of enterprise-grade security, ensuring data sovereignty, operational resilience, and strict compliance controls.
We prioritize transparency and control, offering a platform that meets the rigorous demands of industrial enterprise IT environments.
compliance-standards
Compliance & Standards
Adhering to strict international data protection frameworks.
GDPR Compliant
Fully compliant with EU General Data Protection Regulation.
EU Hosted
All data resides strictly within European Union borders.
Certified Infrastructure
Our data centers are ISO/IEC 27001:2022 certified.
hosting-residency
Hosting & Data Residency
European Infrastructure
Strict EU Data Sovereignty
Our entire production environment is physically located within the European Union to ensure GDPR compliance and low latency.
Application & Database: Hosted with Hetzner Online GmbH in Germany (Nuremberg/Falkenstein) and Finland (Helsinki).
Object Storage: Static assets are stored in Amazon Web Services (AWS) data centers in Frankfurt (eu-central-1) and Ireland (eu-west-1).
architecture
High-Level Architecture
Secure data flow from user to storage.
1. Users
Access via HTTPS/TLS 1.3 encrypted connection.
2. Application Layer
Stateless application servers hosted on Hetzner (EU).
3. Data Persistence
Managed PostgreSQL database with automated failover.
4. Asset Storage
AWS S3 (EU) for scalable, durable object storage.
5. Backup & Archiving
Encrypted, off-site backups with strict retention policies.
technical security
Technical Security Controls
In-depth details on our security measures and protocols.
Encryption & Data Protection
Data in Transit: All data transmitted between the client and server is encrypted using TLS 1.2 or higher.
Data at Rest: Production databases and object storage buckets are encrypted using AES-256 standard encryption keys. Keys are managed via a secure key management service.
Backup & Disaster Recovery
3-2-1 Strategy: We maintain 3 copies of data on 2 different media, with 1 off-site.
RPO/RTO: Our target Recovery Point Objective (RPO) is 1 hour, and Recovery Time Objective (RTO) is 4 hours.
Testing: Disaster recovery procedures are tested annually to ensure rapid restoration capabilities.
Access Control & Authentication
Role-Based Access Control (RBAC): Strict RBAC is enforced for all internal access.
MFA: Multi-Factor Authentication is mandatory for all administrative access to production environments.
Principle of Least Privilege: Access rights are granted only to the extent necessary for staff to perform their duties.
Vulnerability Management
We conduct regular automated vulnerability scans of our infrastructure and dependencies. Critical patches are applied within 24 hours of release.
operational-commitments
Operational Commitments
Stability anchors for your business continuity.
High Availability & Transparency
We aim for 99.9% uptime with complete history on our public status page.
Subprocessor Transparency
Full list of subprocessors available upon request.
Incident Response
Automated monitoring and prioritized response for critical infrastructure.
security-responsibilities
Shared Responsibility Model
Mercura Responsibility
- Application security & code quality
- Infrastructure management (OS, Network)
- Database encryption & backups
- Physical security of data centers (via providers)
Customer Responsibility
- User account management & passwords
- Defining user roles & permissions
- Data accuracy and classification
- Device security (endpoint protection)
Enterprise Resources
For compliance teams and security auditors, we provide the following upon request:
- Data Center Certifications (ISO 27001)
- Data Processing Agreement (DPA)
- Infrastructure Diagram
Start Your Security Review
We invite your security team to review our documentation and ask strictly technical questions. Speed up your procurement process with our transparency.