
Mercure.rocks Security Policy

Maintaining a secure service is a continuous effort. This page describes the controls applied to Mercure Cloud and the practices followed by the open source Mercure Hub. To report a vulnerability, email contact+security@mercure.rocks.

Last updated: 2026-04-30.

Data residency

Mercure Cloud's primary processing happens in the European Union:

  • Hubs, application servers, database and cache: Amsterdam, Netherlands (DigitalOcean).

  • Encrypted nightly backups: Paris, France (AWS).

See Digital Sovereignty & Data Residency for the full breakdown.

Encryption

  • In transit. All client and inter-service traffic is encrypted with TLS via Caddy, with automatic certificate management. HTTP/2 and HTTP/3 are enabled by default, and only modern cipher suites are offered.

  • At rest. DigitalOcean managed services and the AWS S3 backup bucket encrypt data at rest using provider-managed keys.

  • End-to-end (optional). Mercure supports JWE-encrypted update payloads, so that when this option is used, even the Hub operator never sees the plaintext.

  • Authorization. Topic-level access is controlled by JWTs that you mint with your own private key.

Network and infrastructure security

  • Production runs on managed, audited European cloud infrastructure with modern network policy enforcement.

  • Each tenant Hub is isolated. Hubs cannot reach each other or unrelated services.

  • Workloads run as non-root with a restricted security context. Container images are rootless-compatible to fit hardened deployment standards.

  • Operating systems and dependencies receive security patches as they become available.

  • Production access is limited to the strict minimum of personnel. All privileged access uses short-lived credentials with MFA.

Backup and disaster recovery

  • The full production state is backed up nightly to encrypted EU storage (AWS, Paris).

  • Backups are retained for 31 days and then automatically purged.

  • Backups are encrypted at rest by the storage provider.

  • We test restore procedures regularly.

Vulnerability management

  • Automated dependency and vulnerability scanning runs on every commit on the open source Hub and on this SaaS infrastructure.

  • Vulnerabilities are triaged on receipt and patched according to severity.

  • Coordinated disclosure for vulnerabilities in the open source Hub: use GitHub Security Advisories.

  • For SaaS-specific vulnerabilities, email contact+security@mercure.rocks; we acknowledge within 72 hours.

Personal-data breach notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we notify the CNIL within 72 hours per GDPR Article 33, and notify affected users without undue delay per Article 34.

Payments

Card data is handled by Stripe on PCI-DSS Level 1 infrastructure. We never store full card numbers on our servers; we only hold Stripe customer identifiers and invoice metadata.

Open source and auditability

The Mercure protocol is an open IETF-style specification. The Hub's reference implementation is public on GitHub and MIT-licensed. You can audit the code, fork it, run it on your own infrastructure, or run Mercure Enterprise on any infrastructure of your choice for full data control.

Subprocessors

See the Privacy Policy for the full list of subprocessors and the DPA for contractual safeguards.

Reporting