Compliance & security

MerasPay operates under a Payment Services Provider mandate from the Banque Centrale de Djibouti and partners with licensed banks for fund-holding.

Regulatory

All data encrypted at rest (AES-256-GCM) under per-merchant data encryption keys derived from a single hardware-backed master via HKDF-SHA256.
API keys hashed with SHA-256 at rest; plaintext returned exactly once at issuance.
Webhook signing: HMAC-SHA256 over {timestamp}.{event_id}.{body} — same scheme as inbound provider webhooks for verification symmetry.
4-eyes approval gate for go-live, limit changes, key rotation, partner activation.
Audit log records every privileged action with actor, before/after JSON, IP, request ID.
Annual penetration test by an independent third party.

Tiered merchant KYC: commercial register, owner ID, address proof, bank confirmation.
Beneficial-owner sanctions screening against OFAC, EU, UN consolidated lists.
Per-transaction velocity rules + amount thresholds + per-country heat maps.
Suspicious Activity Report (SAR) workflow with documented evidence chain.
Transaction monitoring data retained for 7 years per Djibouti AML guidelines.

Data residency: Cloud SQL in us-central1 today; eur-west1 migration planned as the data-protection law in Djibouti firms.
KYC documents stored in GCS with 7-year retention + versioning.
PCI DSS scope reduction via Cybersource tokenisation: card PAN never touches MerasPay servers.
Data Processing Agreement available for enterprise plans (sales@meras.io).

Email security@meras.io for a security review, SOC-2 / ISO 27001 attestations once available, or to discuss your specific compliance needs.