Open Mercato security and compliance
Open source doesn't mean lax security - it means full transparency. Below: concrete security practices, GDPR compliance and hosting details our enterprise customers require.
Why security is our priority
We implement Open Mercato for manufacturers, distributors, B2B e-commerce and organisations with audit requirements. Every project is treated as a production-ready system - with encryption, access control, event auditing and backup procedures. Open source gives you something Salesforce can't: the ability to verify every single line of code that handles your data.
GDPR compliance
EU-hosted data
All data is stored on servers in the European Union (Poland, Germany, Netherlands). No transfers to the US or outside the EU without your explicit consent.
Right of access, rectification and erasure
Open Mercato exposes APIs to export, rectify or permanently delete the personal data of a specific data subject, covering the rights in GDPR Art. 15 (access), 16 (rectification) and 17 (erasure).
Record of processing activities
We help prepare your processing register under GDPR Art. 30 - documenting data categories, legal basis, recipients and retention periods.
Data Processing Agreement (DPA)
We sign a DPA with every client whose system we host. Template available on request.
Pseudonymisation and minimisation
Personal data is masked by default in reports and logs. Technical logs do not contain card numbers, national IDs or passwords.
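The statement above names the outcome (no card numbers or passwords in technical logs) but not a mechanism. The following is an added example, not Open Mercato's own code, of one way to enforce it at the logging layer in Python: a `logging.Filter` that rewrites each record before any handler sees it, masking card numbers that pass the Luhn check (so order numbers and timestamps are left alone) and blanking `password=` values. The pattern names, masking format and sample messages are this example's own constructions.

```python
import io
import logging
import re

# Added example (not Open Mercato's implementation): a log filter that masks
# card numbers and password values before a record reaches any handler.

# 13 to 19 digits, optionally separated by spaces or hyphens; must end on a digit
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# "password=...", "passwd: ...", "pwd=..." (case-insensitive)
PASSWORD_RE = re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*)(\S+)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that order numbers or timestamps are not masked by mistake."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(match: re.Match) -> str:
    """Keep the last four digits, as on a printed receipt; drop separators."""
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number, leave it untouched
    return "*" * (len(digits) - 4) + digits[-4:]


def redact(text: str) -> str:
    """Apply both rules to one already-formatted message."""
    text = CARD_RE.sub(mask_pan, text)
    text = PASSWORD_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Formats the record early, redacts it, and clears args so handlers
    see only the redacted string (logger-level filters run before handlers)."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def demo_capture(msg: str, *args) -> str:
    """Logs one record through the filter and returns what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("redact-demo")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    logger.info(msg, *args)
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample messages for the demonstration
    print(demo_capture("user %s paid with %s", "bob", "4111-1111-1111-1111"))
    print(demo_capture("login failed password=hunter2 user=bob"))
    print(demo_capture("order 1234567890123 shipped"))  # fails Luhn, not masked
```

Attaching the filter to the root logger (or to the logger every module inherits from) is what makes the guarantee hold by default rather than per call site; the Luhn check is what keeps the filter from mangling legitimate 13-19 digit identifiers.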
Breach notification procedure
As your processor, we notify you within 24h of detecting a personal data breach, leaving time within the 72h window that GDPR Art. 33 gives the controller to notify the supervisory authority.
Encryption and access control
Encryption in transit
All browser-to-server traffic is encrypted with TLS 1.3. Let's Encrypt or commercial certificates, auto-renewed.
Encryption at rest
PostgreSQL database with disk-level encryption (LUKS) plus column-level encryption for sensitive data (document numbers, banking data). The two layers cover different threats: LUKS protects data on a stolen or decommissioned disk but is transparent to anyone who can reach the running database, while column-level encryption keeps those fields unreadable to anyone who reaches the database without the application's keys.
Passwords and authentication
Passwords hashed with bcrypt (cost 12). Support for MFA (TOTP), SSO via OAuth2/SAML, and Active Directory.
Roles and permissions
Granular role model - access at module, record and field level. Auditable log of every permission change.
Infrastructure and operations
Backups
Daily automated backups, 30-day retention, off-site replication. Point-in-time recovery (PITR) to any moment in the last 7 days.
24/7 monitoring
We monitor availability, response times and application errors. Alerting on anomalies. Standard uptime SLA: 99.9% (Enterprise: 99.95%).
Patching
Security updates for OS and dependencies deployed within 14 days of CVE publication. Critical CVEs - within 48h.
Isolated environments
Each client runs in a separate environment with its own database and application instance. No data is shared between clients.
Audit and transparency
Full source code access
You can review, fork or hand over every line of code to a third-party audit firm. No hidden logic, no telemetry without your consent.
Security audit on request
We help arrange external audits (pentest, code review). We provide architecture documentation, test data and engineering support.
Audit log
Every login, record change and admin action is recorded in an append-only audit log. Export to SIEM via API.
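The paragraph above states the properties (append-only, exportable to a SIEM) but not how append-only is made verifiable. The following added example, which is not Open Mercato's code, shows one common mechanism: a SHA-256 hash chain in which every entry commits to the previous entry's hash, a newline-delimited JSON export of the kind SIEM collectors ingest, and a verifier. It also shows the edge case a practitioner should know: a bare chain detects edits and deletions in the middle but not truncation of the tail, unless the latest hash is anchored somewhere outside the log (for instance in the SIEM). Field names and the sample events are constructed for this example.

```python
import copy
import hashlib
import json
from typing import Optional

# Added example (not Open Mercato's implementation): a hash-chained audit log.

GENESIS = "0" * 64  # "previous hash" of the very first entry


def entry_hash(entry: dict) -> str:
    """Canonical JSON (sorted keys, no whitespace) so the hash is reproducible."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, at: str, actor: str, action: str, target: str) -> dict:
        """Each entry includes the previous entry's hash, then is hashed itself."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "at": at, "actor": actor,
                "action": action, "target": target, "prev": prev}
        record = dict(body, hash=entry_hash(body))
        self.entries.append(record)
        return record

    def head(self) -> str:
        """Latest hash; store it outside the log to detect tail truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def export_ndjson(self) -> str:
        """One JSON object per line, the shape most SIEM collectors accept."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify(entries: list[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Returns None if the chain is intact, else the seq of the first bad entry.
    With expected_head (a head hash kept outside the log) a silently
    truncated tail is reported as len(entries)."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e.get("seq") != i or e.get("prev") != prev or entry_hash(body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def tamper_demo() -> dict:
    """Constructed sample events; shows what each kind of tampering looks like."""
    log = AuditLog()
    log.append("2024-05-01T08:00:00Z", "alice", "login", "session")
    log.append("2024-05-01T08:01:10Z", "alice", "update", "customer/42")
    log.append("2024-05-01T08:02:30Z", "admin", "grant_role", "bob:finance")
    head = log.head()  # imagine this value shipped to the SIEM with the export
    results = {"intact": verify(log.entries, head)}

    edited = copy.deepcopy(log.entries)
    edited[1]["target"] = "customer/7"            # rewrite history
    results["edited"] = verify(edited, head)

    deleted = copy.deepcopy(log.entries)
    del deleted[1]                                 # remove an entry from the middle
    results["deleted"] = verify(deleted, head)

    truncated = copy.deepcopy(log.entries)[:-1]    # drop the most recent entry
    results["truncated_no_anchor"] = verify(truncated)         # chain alone cannot see it
    results["truncated_with_anchor"] = verify(truncated, head)  # anchored head catches it
    return results


if __name__ == "__main__":
    print(tamper_demo())
```

The practical consequence for SIEM export: ship the head hash (or the whole chain) to the SIEM on every export, so that the copy the SIEM holds can be checked against the copy on the application host, and neither side can quietly shorten the log.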
Public policies
Security policy, Privacy Policy and Terms of Service are publicly available and regularly updated.
Support for industry regulations
Open Mercato's architecture provides the technical controls an ISO 27001 certification calls for (environment separation, access control, audit log), supports Polish JPK_VAT reporting (XML export for the tax authority), is integration-ready for KSeF structured e-invoices, and addresses financial-sector requirements such as the Polish KNF Recommendation D (access control, business continuity).
Reporting a security incident
If you find a vulnerability or suspect a breach - email security@openmercatostudio.pl immediately. We reply within 24h on business days. We follow responsible disclosure - security researchers are credited in our Hall of Fame.
Talk to us about your security requirements
30 minutes, no strings. We'll prepare answers for your security or IT team's questions.
Book a call