Security Policy

Mech Software LLC | Effective Date: November 1, 2025 | Last Updated: March 29, 2026

At Mech, the security of your data is a core priority. This Security Policy outlines the measures we take to protect your information and maintain the integrity, confidentiality, and availability of the Mech platform.

For any security-related questions or to report a vulnerability, please contact us at legal@usemech.com.

1. Infrastructure and Hosting

1.1 Cloud Hosting

Mech is hosted entirely on Amazon Web Services (AWS), one of the world’s most trusted cloud infrastructure providers. All data is stored and processed in the US East region. AWS maintains the following certifications and accreditations:

  • ISO 27001
  • SOC 1 / SOC 2
  • PCI DSS Level 1

For more information on AWS security practices, visit aws.amazon.com/security.

1.2 Virtual Private Cloud

All Mech infrastructure runs within a dedicated Virtual Private Cloud (VPC) with network access control lists (ACLs) that restrict unauthorized access to our internal network. Only authorized services and personnel can communicate with production systems.

1.3 Availability and Redundancy

Mech infrastructure is distributed across multiple AWS availability zones to ensure resilience and minimize the risk of downtime. In the event of a data center failure, traffic is automatically routed to healthy availability zones.

Enterprise Plan customers are covered by a 99.9% uptime SLA. Please refer to your Enterprise agreement for full details.

1.4 Data Backups

Customer data is backed up regularly. Backups are stored securely within AWS and are tested periodically to ensure they can be successfully restored in the event of a disaster.

2. Data Security

2.1 Encryption in Transit

All data transmitted between your browser and the Mech platform is encrypted using TLS 1.2 or higher. Our API and application endpoints are HTTPS-only. We do not support unencrypted HTTP connections.

2.2 Encryption at Rest

All Customer Data stored within Mech’s infrastructure is encrypted at rest using AES-256 encryption, an industry-standard algorithm.

2.3 Data Isolation

Mech is a multi-tenant platform. Each merchant account is assigned a unique Merchant ID (MID) and isolated subdomain. Strict data isolation controls ensure that one merchant’s data is never accessible to another merchant.

2.4 Data Retention

Upon cancellation or termination of a Mech account, Customer Data is retained for 30 days before being permanently deleted. Merchants are responsible for exporting any data they wish to retain prior to account closure.

3. Application Security

3.1 Authentication

Mech supports the following authentication methods for merchant accounts:

  • Email and password with strong password requirements enforced
  • Google OAuth — merchants can sign in securely using their existing Google account (available on all plans)
  • Single Sign-On (SSO) via SAML — available on the Enterprise plan
  • Two-Factor Authentication (2FA) — available on the Enterprise plan

3.2 Role-Based Access Control

Mech supports role-based permissions within merchant accounts. Administrators can assign roles to team members to control access to settings, billing, customer data, and agent functions. Access to sensitive platform functions is restricted to authorized users only.

3.3 Session Management

User sessions are managed securely with time-based expiration. Sessions are invalidated upon logout and are protected against common web vulnerabilities including session hijacking and cross-site request forgery (CSRF).

3.4 Vulnerability Management

Mech uses a combination of automated and manual security practices to identify and address vulnerabilities:

  • Continuous scanning — automated tools monitor our infrastructure and application code for known vulnerabilities
  • Annual penetration testing — we engage qualified third-party security experts each year to perform detailed penetration tests on the Mech platform and infrastructure
  • Dependency monitoring — third-party libraries and dependencies are regularly reviewed and updated to address known security issues

3.5 Error Monitoring

Mech uses Sentry for real-time error monitoring and alerting. This allows our engineering team to detect and respond to application issues quickly while ensuring that sensitive data is not exposed in error logs.

4. Operational Security

4.1 Access Controls

Access to production systems and Customer Data is granted on a least-privilege basis — employees are only granted access to the systems and data necessary to perform their job functions. All access is reviewed regularly and revoked promptly upon role changes or departure.

4.2 Internal Authentication

Mech operates a zero-trust internal network model. There are no additional privileges granted from being on Mech’s internal network. All internal access to cloud services and production systems requires strong authentication.

4.3 Employee Vetting

All Mech employees and contractors with access to customer data undergo background checks in accordance with applicable local laws prior to being granted access to production systems.

4.4 Security Training

All Mech employees complete security awareness training on an annual basis covering topics such as phishing, data handling, access controls, and incident response procedures.

4.5 Confidentiality

All Mech employees and contractors are required to sign confidentiality agreements as a condition of employment or engagement. These agreements remain in effect after the end of their engagement with Mech.

5. Incident Response

Mech maintains a formal incident response process for handling security events. In the event of a confirmed security incident affecting Customer Data:

  • Our team will investigate and contain the incident as quickly as possible
  • Affected merchants will be notified in a timely manner in accordance with applicable law
  • A post-incident review will be conducted to identify root causes and implement improvements

To report a suspected security vulnerability or incident, please contact us immediately at legal@usemech.com.

6. Third-Party Subprocessors

Mech works with a limited number of trusted third-party service providers who may process Customer Data as part of delivering the Service. All subprocessors are evaluated for security practices and are contractually required to handle data in accordance with applicable privacy and security requirements.

Provider | Purpose
Amazon Web Services (AWS) | Cloud infrastructure and data storage
Shopify | Billing and app platform integration
Stripe | Payment processing
Postmark | Transactional email delivery
Sentry | Error monitoring and alerting
Google Analytics | Website analytics
Slack | Internal team communications
OpenAI / Anthropic / Google | Optional AI features (merchant-supplied API keys only)

7. Customer Responsibilities

Security is a shared responsibility. We encourage all Mech merchants to follow these best practices to keep their accounts secure:

  • Use a strong, unique password for your Mech account
  • Enable Google OAuth or SSO (Enterprise) for more secure authentication
  • Enable 2FA if you are on the Enterprise plan
  • Regularly review and audit your team members and their permission levels
  • Remove access for team members who no longer require it
  • Notify us immediately at legal@usemech.com if you suspect any unauthorized access to your account
  • Ensure your own team members are trained on basic security practices

8. Contact

If you have questions about this Security Policy or wish to report a security concern, please contact us at:

Mech Software LLC
Orlando, Florida, United States
legal@usemech.com

Last updated: April 1, 2026