Trust

This is a young product. We will not claim certifications we do not hold. Here is precisely where we stand today and where we are headed.

Current posture

Where we stand today

All data is encrypted in transit and at rest. Access is role-scoped, with strict isolation between organisations. Sensitive operations including exports, erasure, and team changes require elevated permissions and are written to an audit log. Guest records can be marked confidential so their existence is never revealed to unauthorised team members. We have built-in tools for subject access requests and right to erasure. Data is hosted in the UK and EU, with daily backups.

Roadmap

In progress

  • SOC 2 Type II, target completion Q4 2026
  • ISO 27001, planned 2027
  • SSO (SAML and OIDC), available on Atlas tier, Q3 2026
  • Data residency options for EU, UK, and US, Q3 2026

Sub-processors

Who touches your data

We maintain a full sub-processor list covering hosting, database, email delivery, and payment processing. It is available to clients on request as part of our Data Processing Agreement. Write to security@mecene.art to receive a copy.

Contact

Security contact

For security questions or to report a vulnerability:

PGP key available on request.

Responsible disclosure

90 days

We ask researchers to give us 90 days from initial report to remediate issues before public disclosure. We will credit the reporter on our security page unless they prefer to remain anonymous. We do not pursue legal action against researchers acting in good faith.