// Trust & Security Report

    Mercury Technologies, Inc. logo

    Mercury Technologies, Inc.

    Business banking platform for startups/SMBs (checking, savings, cards, payments, accounting sync) plus Mercury Treasury (yield/investing) and Mercury Command, an AI assistant (built on third-party LLMs, currently OpenAI GPT-5.5) that automates financial workflows like bill pay and reconciliation.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II compliance: Our security protocols and processes are first rate, and we undergo rigorous independent auditing to maintain them.

    Verify on mercury.com
    SOC 2 Type I
    HELD

    Compliance: SOC 2 Type II, SOC 2 Type I (listed as a compliance category with an associated report resource 'SOC 2 Type 2 Report 2025').

    Verify on trust.mercury.com
    PCI DSS
    HELD

    Compliance: PCI DSS - SAQ D, SP (Trust Center); marketing site adds: 'PCI standards: We understand how important your credit card information is and we uphold PCI compliance to ensure it stays safe.' Trust Center also lists a 'PCI-DSS AOC 2026' report resource.

    Verify on trust.mercury.com
    GDPR (compliance posture)
    HELD

    Mercury may collect Customer Information to facilitate promotions in compliance with GDPR, CCPA...; When we transfer Personal Information across borders, we implement safeguards required under applicable law (Standard Contractual Clauses for EEA/UK transfers).

    Verify on mercury.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Mercury's own Trust Center compliance list (SOC 2 Type I/II, PCI DSS) and security page do not mention ISO 27001. A Mercury job posting references familiarity with 'IT control frameworks (e.g., NIST, ISO 27001, COBIT)' as a desired skill, not a certification the company holds - this does not count as proof.

    source: trust.mercury.com
    HIPAA
    NOT CONFIRMED

    No public evidence and not applicable. Mercury is a business banking product (not a healthcare service or business associate), and neither trust.mercury.com nor mercury.com/security/legal pages mention HIPAA.

    source: mercury.com
    ISO/IEC 42001 (AI management)
    NOT CONFIRMED

    No public evidence. Not referenced on the Trust Center, security page, or in Mercury Command launch materials.

    source: trust.mercury.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on vendor domain.

    source: trust.mercury.com
    FedRAMP
    NOT CONFIRMED

    Not applicable / no public evidence. Mercury is not marketed as a government-cloud or FedRAMP-authorized product.

    source: trust.mercury.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    Primarily United States; the privacy policy states data may be processed 'in the United States or any other country in which we or our affiliates, business partners, or service providers operate,' with Standard Contractual Clauses cited as the safeguard for EEA/UK cross-border transfers.

    Mercury Command (the AI assistant) is built on third-party foundation models via API (currently OpenAI GPT-5.5, described by Mercury as a swappable 'commodity' layer). Mercury states sensitive fields (card numbers, SSNs, credentials) are never passed to the underlying AI model and every AI action is bounded by the user's existing permissions. The privacy policy separately notes internal ML/analysis tools are used for tasks like document verification, business categorization, and fraud detection, but does not rely on them alone for decisions with legal/financial effect. No evidence Mercury trains its own or third-party foundation models on customer data, and no dedicated AI-training opt-out mechanism is publicly documented.

    // Security controls

    Encryption in transit and at rest

    Strong, industry-standard protocols used to keep data safe and confidential, at rest and in transit.

    mercury.com

    Fraud monitoring

    Automated fraud monitoring plus fraud/compliance teams; MFA verification and dark web monitoring referenced on the homepage.

    mercury.com

    FDIC insurance (pass-through, via partner banks)

    Up to $5M in FDIC insurance through partner banks' sweep networks; 97%+ of deposits FDIC-insured. Note: this is deposit insurance via partner banks (Choice Financial Group, Column N.A.), not an information-security certification.

    mercury.com

    Access controls

    Trust Center lists infrastructure controls including unique production database authentication, encryption key access restriction, and unique account authentication.

    trust.mercury.com

    Penetration testing

    Trust Center lists a 'Penetration Test' report resource and 'Penetration testing performed' as an active control.

    trust.mercury.com

    Employee vetting

    Employee background checks performed (listed under organizational security controls).

    trust.mercury.com

    // Products & data scope

    Mercury business bankingBusiness checking & savings

    data: Business financial/account data, KYC identity data

    Core product; banking services provided through partner banks Choice Financial Group and Column N.A. (both FDIC members), not Mercury itself.

    Mercury TreasuryCash management / investing

    data: Account and investment data

    Yield product powered by asset managers (J.P. Morgan Asset Management, Morgan Stanley); advisory offered through Mercury Advisory.

    Cards & expense managementCorporate cards / spend management

    data: Card transaction and spend data

    Cashback, limits, approvals, reimbursements.

    Payments & invoicingB2B payments

    data: Payment and vendor/counterparty data

    No-fee USD wires, invoicing.

    Mercury CommandAI financial assistant

    data: Reads bills/transactions and account data to automate workflows; sensitive fields excluded from AI model calls per vendor statement

    Runs on third-party frontier LLMs (currently OpenAI GPT-5.5); scoped to existing user permissions.

    // What to watch

    • ISO 27001, HIPAA, ISO/IEC 42001, CSA STAR, and FedRAMP are not claimed anywhere on Mercury's own domain; graded held=false on absence of evidence, not assumed presence.
    • No public Data Processing Agreement (DPA) link was found; typical for a fintech of this size to provide one on request under a business agreement, but this could not be verified publicly.
    • Several unrelated companies share the 'Mercury' name (e.g., Mercury Systems - a defense contractor, Mercury Financial, runmercury.com, shipmercury.com). Identity was confirmed against the evidence file's domain (mercury.com) and its own Trust Center subdomain (trust.mercury.com) to avoid conflating certifications from a different Mercury entity.
    • FDIC insurance and 'banking' marketing language refer to pass-through insurance via partner banks (Choice Financial Group, Column N.A.) since Mercury itself is a fintech, not a chartered bank - this is a regulatory/insurance distinction, not an information-security certification, and should not be listed alongside SOC 2/PCI as a security cert.

    // At a glance

    Pricing model

    Free core business banking (checking/savings, no monthly minimums), with revenue from yield products, credit card interchange/cashback structures, and premium account tiers; no per-seat SaaS-style pricing disclosed for Command.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Mercury Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.mercury.com

    > Browse all vendor trust reports