How Mercell Raises the Bar on Procurement Security in 2025
Public procurement runs on trust. This is how we earn it: by building security into our software, proving it continuously through independent audits, and investing in the people and tooling that keep us ahead of emerging risks.
Public buyers, from municipalities to government ministries, have grown more security-conscious, and rightly so. Questions about data protection, platform availability, and regulatory alignment are now a standard part of every procurement conversation.
At Mercell, our response has been to make security a core business function, embedded in how we build, operate, and continuously improve our platform.
To understand how we’re meeting and exceeding today’s security expectations, we spoke with Charles Wilson, Mercell’s Director of Information Security & IT.
Drawing from his experience leading Mercell’s security transformation, Charles shared how the team approaches everything from software development and EU-based cloud infrastructure to compliance, encryption, and business continuity.
In this article, we outline the key principles, practices, and strategic decisions that shape Mercell’s secure foundation and how they help us support the most security-conscious buyers across Europe.
How We Structure Security at Mercell
We organize our security program into three core, interlocking domains.
- The first is Information Security, which governs how we protect sensitive data. This includes everything from access control and encryption policies to risk assessments, asset tracking, and contingency planning.
- The second is Trust & Compliance, a team focused on aligning Mercell with industry standards and frameworks. They turn regulatory requirements into operational practices—ensuring we don’t just meet expectations, but document and prove that we do.
- The third domain is Technical Security, which is split into two areas. One focuses on enterprise IT, including endpoints, identity management, and internal systems. The other secures our application and infrastructure layer, ensuring our cloud posture, CI/CD pipelines, and backend systems meet modern security benchmarks.
These three areas work in sync. When a compliance rule changes, it becomes an engineering requirement. When an incident arises, response spans both the platform and the company. Security at Mercell is not siloed—it’s integrated.
Security by Design: How We Build
Security at Mercell begins long before a product is shipped. From the first idea on a roadmap to the moment code goes live, every phase of our software development lifecycle is engineered with security in mind.
Code changes undergo mandatory peer review and pass through multiple automated scans to detect vulnerabilities and enforce quality standards. Access is tightly controlled through least-privilege models, and responsibilities are clearly separated across build, test, and deployment to minimize risk. By shifting testing and security left, we design our systems to surface potential issues early in the development cycle, long before they reach production.
According to Charles, building security into the development process is one of the most critical ways Mercell ensures consistent protection at scale. “If a vulnerability makes it into production, we’ve already missed multiple chances to catch it. That’s why we’ve made early detection non-negotiable.”
The result is a platform that’s secure by default. Public buyers don’t need to configure additional safeguards or integrate third-party tools. Security is built in.
Hosting in the EU, Encryption Everywhere
All customer data on the Mercell platform is hosted in AWS data centers located within the European Union. This supports our GDPR obligations on where data is stored and processed and meets the expectations of many public sector buyers. But we recognize that localization alone isn't enough in a globally connected cloud ecosystem.
That's why we treat encryption as a foundational control. Data is encrypted in transit and at rest, so that data intercepted on the wire or extracted from storage is unreadable to anyone without the corresponding keys. Encryption at rest is a control against media, snapshot, and backup exposure; it does not by itself protect against an attacker who has compromised a component that legitimately holds the keys, which is why it sits alongside the access controls described above. These practices aren't just internal standards; they're required under the same certifications we hold and maintain.
We also manage subprocessors with transparency. When data crosses borders, we ensure customers are informed and that we follow documented processes for approval and notification.
Managing Risk: People, Process, and Technology
Our security strategy is risk-based. We start by mapping our assets: people, processes and technology, and assessing their criticality to operations.
For example, we evaluate the risk of key-person dependencies and plan for succession. We differentiate between business-critical platforms and peripheral tools to ensure that our continuity planning focuses where it matters most. Our AWS-based product infrastructure is configured for resilience, with failover and recovery strategies designed to meet agreed service levels.
This understanding feeds directly into our day-to-day planning and governance. When you know what’s critical, you know what to protect.
Continuity as a Core Principle
Security isn’t just about stopping threats. It’s about preparing for disruptions. We maintain formal Business Continuity and Disaster Recovery plans, both of which are tested at least annually. These exercises validate our ability to restore services quickly and maintain operational readiness.
For many customers, our contracts include recovery time objectives as short as four hours. These goals guide our technical planning and resourcing. When something goes wrong, we have both the blueprint and the practice to respond effectively.
“We test our disaster recovery at least once a year to make sure that if something goes wrong, we know exactly how to bring the product back up,” said Charles Wilson, reflecting on Mercell’s emphasis on operational readiness.
Proving It: Certifications That Matter
Mercell’s security program has been independently audited against several leading standards: ISO 27001 for information security, ISO 27701 for privacy, SOC 2, and the German BSI C5 catalogue, the latter attested under the ISAE 3000 assurance standard. Each audit confirms that our controls exist and are functioning as intended.
This certification suite positions us to support complex, regulated customers across Europe, including those operating in critical infrastructure sectors. It also reduces the friction of due diligence. Instead of requiring buyers to take our word, we offer standardized, auditable proof.
All certification documents and supporting materials are available under NDA through our Trust Portal.
Transparency, Delivered
Our Trust Portal exists for a simple reason: buyers need answers, and they shouldn’t have to chase them. Under NDA, customers can access all of our core security policies, certificates, and audit documentation in one place.
This reduces procurement friction, shortens review cycles, and supports a more confident decision-making process.
Growth and Looking Forward
Security at Mercell is constantly evolving. Under Charles Wilson’s leadership, the security team has grown significantly. Not just in size, but in its strategic reach. The integration of IT under the security function has strengthened oversight across the business, enabling tighter governance of endpoints, infrastructure, and identity and access management.
In the past year alone, Mercell has introduced modern baseline protections such as mobile device management and endpoint detection and response. But these efforts are part of a broader vision, not just a reaction to external pressures. As Charles noted, staying ahead of regulatory changes and emerging threats requires planning, investment, and continuous adaptation.
Looking ahead, we’re building centralized threat detection into our environment by implementing a SIEM, allowing us to ingest and correlate logs across enterprise and platform systems. We’re preparing to automate more of our response capabilities with orchestration tools that can contain threats faster and with less manual intervention.
These are common practices in leading technology companies. We’re applying them at Mercell to meet the expectations of tomorrow’s buyers.
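To make concrete what "correlate logs across enterprise and platform systems" means in practice, here is an added illustration that is not Mercell's code or SIEM content. It assumes two constructed log sources, an identity-provider sign-in feed (enterprise) and a platform audit trail, normalizes them into a common event shape, and runs two correlation rules: a privileged platform action whose most recent sign-in came from a different source IP, and a privileged action whose matched sign-in had no MFA. A small playbook then maps alerts to containment actions, which is the kind of mapping an orchestration tool would automate. The field names, window, and rule names are assumptions, not the page's.

```python
"""Toy cross-source correlation: enterprise IdP sign-ins vs platform audit events.
Added example with constructed sample data; the schemas and rules are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample logs (not real data). IdP feed is JSON lines; platform audit
# trail is space-separated: <timestamp> <action> <user> <source_ip> <role>.
IDP_LOGS = """\
{"ts": "2025-03-04T09:00:12Z", "user": "alice@example.org", "src_ip": "203.0.113.10", "mfa": true, "result": "success"}
{"ts": "2025-03-04T09:05:40Z", "user": "bob@example.org", "src_ip": "198.51.100.7", "mfa": false, "result": "success"}
{"ts": "2025-03-04T09:07:02Z", "user": "bob@example.org", "src_ip": "198.51.100.7", "mfa": false, "result": "failure"}
"""
PLATFORM_LOGS = """\
2025-03-04T09:02:00Z tender_export alice@example.org 203.0.113.10 admin
2025-03-04T09:06:15Z tender_export bob@example.org 192.0.2.55 admin
2025-03-04T09:30:00Z tender_view carol@example.org 192.0.2.9 user
"""

PRIVILEGED_ROLES = {"admin"}          # assumption: which platform roles count as privileged
WINDOW = timedelta(minutes=15)        # assumption: how recent a sign-in must be to "explain" an action


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_idp(text):
    """Normalize IdP JSON lines into the common event shape."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        events.append({"ts": parse_ts(rec["ts"]), "source": "idp", "user": rec["user"],
                       "src_ip": rec["src_ip"], "mfa": bool(rec["mfa"]), "result": rec["result"]})
    return events


def parse_platform(text):
    """Normalize platform audit lines into the common event shape."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, user, src_ip, role = line.split()
        events.append({"ts": parse_ts(ts), "source": "platform", "user": user,
                       "src_ip": src_ip, "action": action, "role": role})
    return events


def correlate(idp_events, platform_events, window=WINDOW):
    """Join each privileged platform action to the user's latest successful sign-in."""
    signins = sorted((e for e in idp_events if e["result"] == "success"), key=lambda e: e["ts"])
    alerts = []
    for act in platform_events:
        if act["role"] not in PRIVILEGED_ROLES:
            continue
        recent = [s for s in signins
                  if s["user"] == act["user"] and act["ts"] - window <= s["ts"] <= act["ts"]]
        base = {"user": act["user"], "ts": act["ts"].isoformat(), "action": act["action"]}
        if not recent:
            alerts.append({**base, "rule": "privileged_action_without_recent_signin", "severity": "high"})
            continue
        signin = recent[-1]  # latest sign-in inside the window
        if signin["src_ip"] != act["src_ip"]:
            alerts.append({**base, "rule": "session_ip_mismatch", "severity": "high",
                           "signin_ip": signin["src_ip"], "action_ip": act["src_ip"]})
        if not signin["mfa"]:
            alerts.append({**base, "rule": "privileged_action_without_mfa", "severity": "medium"})
    return alerts


def plan_response(alerts):
    """Toy playbook: high severity contains the account once; medium flags for review."""
    actions, contained = [], set()
    for a in alerts:
        if a["severity"] == "high" and a["user"] not in contained:
            contained.add(a["user"])
            actions.append({"action": "revoke_sessions", "user": a["user"], "reason": a["rule"]})
            actions.append({"action": "open_incident", "user": a["user"], "reason": a["rule"]})
        elif a["severity"] == "medium":
            actions.append({"action": "flag_for_review", "user": a["user"], "reason": a["rule"]})
    return actions


def run():
    alerts = correlate(parse_idp(IDP_LOGS), parse_platform(PLATFORM_LOGS))
    return alerts, plan_response(alerts)


if __name__ == "__main__":
    found_alerts, planned = run()
    print(json.dumps({"alerts": found_alerts, "actions": planned}, indent=2))
```

On the constructed data, alice's export is explained by a recent MFA sign-in from the same address and produces nothing; bob's export comes from a different IP than his sign-in and that sign-in had no MFA, so both rules fire and the playbook revokes his sessions and opens an incident. The point is the join itself: neither source alone shows anything unusual.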
Serving Different Buyers, Meeting All Expectations
All customers benefit from the same security posture, but larger or more regulated organizations may require more detailed documentation or even formal audits. We’re prepared to support those processes. Whether it’s a ministry reviewing security controls line-by-line or a municipality needing basic assurance, we provide the right level of visibility.
Suppliers using Mercell via self-service don’t need to worry about configuration or setup. The platform is already secured according to industry best practices.
For sectors like law enforcement, defense, or national infrastructure, we recognize the unique sensitivity of procurement data. Our program is built with these realities in mind.
Final Thought
At Mercell, we build security in from the start. We validate it continuously. And we raise the bar, year after year, because trust isn’t given. It’s earned.
If you’d like to learn more about how we protect your data, your process, and your mission, visit our Trust Portal.