// Trust & Security Report
Mercury Technologies, Inc.
Business banking platform for startups/SMBs (checking, savings, cards, payments, accounting sync) plus Mercury Treasury (yield/investing) and Mercury Command, an AI assistant (built on third-party LLMs, currently OpenAI GPT-5.5) that automates financial workflows like bill pay and reconciliation.
Certifications held
4
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on mercury.com“SOC 2 Type II compliance: Our security protocols and processes are first rate, and we undergo rigorous independent auditing to maintain them.”
Verify on trust.mercury.com“Compliance: SOC 2 Type II, SOC 2 Type I (listed as a compliance category with an associated report resource 'SOC 2 Type 2 Report 2025').”
Verify on trust.mercury.com“Compliance: PCI DSS - SAQ D, SP (Trust Center); marketing site adds: 'PCI standards: We understand how important your credit card information is and we uphold PCI compliance to ensure it stays safe.' Trust Center also lists a 'PCI-DSS AOC 2026' report resource.”
Verify on mercury.com“Mercury may collect Customer Information to facilitate promotions in compliance with GDPR, CCPA...; When we transfer Personal Information across borders, we implement safeguards required under applicable law (Standard Contractual Clauses for EEA/UK transfers).”
> Show 5 unconfirmed / not-held certifications
source: trust.mercury.comNo public evidence. Mercury's own Trust Center compliance list (SOC 2 Type I/II, PCI DSS) and security page do not mention ISO 27001. A Mercury job posting references familiarity with 'IT control frameworks (e.g., NIST, ISO 27001, COBIT)' as a desired skill, not a certification the company holds - this does not count as proof.
source: mercury.comNo public evidence and not applicable. Mercury is a business banking product (not a healthcare service or business associate), and neither trust.mercury.com nor mercury.com/security/legal pages mention HIPAA.
source: trust.mercury.comNo public evidence. Not referenced on the Trust Center, security page, or in Mercury Command launch materials.
source: trust.mercury.comNot applicable / no public evidence. Mercury is not marketed as a government-cloud or FedRAMP-authorized product.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
Primarily United States; the privacy policy states data may be processed 'in the United States or any other country in which we or our affiliates, business partners, or service providers operate,' with Standard Contractual Clauses cited as the safeguard for EEA/UK cross-border transfers.
Mercury Command (the AI assistant) is built on third-party foundation models via API (currently OpenAI GPT-5.5, described by Mercury as a swappable 'commodity' layer). Mercury states sensitive fields (card numbers, SSNs, credentials) are never passed to the underlying AI model and every AI action is bounded by the user's existing permissions. The privacy policy separately notes internal ML/analysis tools are used for tasks like document verification, business categorization, and fraud detection, but does not rely on them alone for decisions with legal/financial effect. No evidence Mercury trains its own or third-party foundation models on customer data, and no dedicated AI-training opt-out mechanism is publicly documented.
// Security controls
Encryption in transit and at rest
Strong, industry-standard protocols used to keep data safe and confidential, at rest and in transit.
mercury.comFraud monitoring
Automated fraud monitoring plus fraud/compliance teams; MFA verification and dark web monitoring referenced on the homepage.
mercury.comFDIC insurance (pass-through, via partner banks)
Up to $5M in FDIC insurance through partner banks' sweep networks; 97%+ of deposits FDIC-insured. Note: this is deposit insurance via partner banks (Choice Financial Group, Column N.A.), not an information-security certification.
mercury.comAccess controls
Trust Center lists infrastructure controls including unique production database authentication, encryption key access restriction, and unique account authentication.
trust.mercury.comPenetration testing
Trust Center lists a 'Penetration Test' report resource and 'Penetration testing performed' as an active control.
trust.mercury.comEmployee vetting
Employee background checks performed (listed under organizational security controls).
trust.mercury.com// Products & data scope
data: Business financial/account data, KYC identity data
Core product; banking services provided through partner banks Choice Financial Group and Column N.A. (both FDIC members), not Mercury itself.
data: Account and investment data
Yield product powered by asset managers (J.P. Morgan Asset Management, Morgan Stanley); advisory offered through Mercury Advisory.
data: Card transaction and spend data
Cashback, limits, approvals, reimbursements.
data: Payment and vendor/counterparty data
No-fee USD wires, invoicing.
data: Reads bills/transactions and account data to automate workflows; sensitive fields excluded from AI model calls per vendor statement
Runs on third-party frontier LLMs (currently OpenAI GPT-5.5); scoped to existing user permissions.
// What to watch
- ISO 27001, HIPAA, ISO/IEC 42001, CSA STAR, and FedRAMP are not claimed anywhere on Mercury's own domain; graded held=false on absence of evidence, not assumed presence.
- No public Data Processing Agreement (DPA) link was found; typical for a fintech of this size to provide one on request under a business agreement, but this could not be verified publicly.
- Several unrelated companies share the 'Mercury' name (e.g., Mercury Systems - a defense contractor, Mercury Financial, runmercury.com, shipmercury.com). Identity was confirmed against the evidence file's domain (mercury.com) and its own Trust Center subdomain (trust.mercury.com) to avoid conflating certifications from a different Mercury entity.
- FDIC insurance and 'banking' marketing language refer to pass-through insurance via partner banks (Choice Financial Group, Column N.A.) since Mercury itself is a fintech, not a chartered bank - this is a regulatory/insurance distinction, not an information-security certification, and should not be listed alongside SOC 2/PCI as a security cert.
// At a glance
Pricing model
Free core business banking (checking/savings, no monthly minimums), with revenue from yield products, credit card interchange/cashback structures, and premium account tiers; no per-seat SaaS-style pricing disclosed for Command.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mercury Technologies, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.mercury.com