Security at Mesh
Mesh is a comprehensive, trusted, secure, and SOC 2 compliant solution built by a team with decades of experience in authentication and identity management.
We use a combination of operational, application, and infrastructure-level security controls to protect client and end-user data.
Operational readiness
Mesh is SOC 2 Type II certified, and as such undergoes regular penetration testing with third-party security firms.
In addition to rigorous threat modeling to identify potential code vulnerabilities, we use automated code scanners and active monitoring to ensure all third-party infrastructure is kept current with the latest security patches.
Application principles
Mesh uses a combination of zero trust authorization and least privilege access to restrict users’ access to only the resources that are necessary for their role within our systems.
2FA is a key part of our defense-in-depth strategy, and we believe it is a must-have for any modern financial system. Mesh uses AES 256 to encrypt data at rest and RSA 2048 to securely exchange the encryption keys between two parties, providing a secure way to both store and transmit data. Internally, Mesh applies consensus rules (with a minimum of 2 approvers) to all change control processes, so that any access to production systems has oversight, is audited, and is performed only with tools vetted by our security team.
Infrastructure best practices
Mesh runs on Azure Cloud Services to provide a highly available, scalable, and stable infrastructure. We also use Web Application Firewalls (WAFs) and CDN providers to protect against malicious activity.
Architecture
Authentication and token management
The Mesh SDK defaults to OAuth-based authentication whenever it is available.
Access tokens can be stored on client-owned servers (recommended), on end-user devices, or through a shared service with 24/7 monitoring in which Mesh stands up a Key Management System (KMS) and manages user credentials on a client's behalf (not recommended).
We recommend that clients manage the KMS infrastructure themselves; in that case the Mesh API handles only the encrypted form of a token, and only when a user makes a request.
Diagram: Token, client-managed
Diagram: Token, Mesh-managed
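The two statements above, that data is encrypted with AES 256 while RSA 2048 carries the encryption key between parties, and that a client-managed KMS lets the Mesh API touch only the encrypted form of a token, describe envelope (hybrid) encryption. The following Go program is an added illustration of that pattern, not Mesh's own code: the page does not say which AES mode or RSA padding Mesh uses, so AES-256-GCM and RSA-OAEP with SHA-256 are this example's assumptions, as are the function names SealToken and OpenToken, and the sample token and user id are constructed values. The RSA private key stands in for the key that would stay inside the client's KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what a relying service stores or passes around: the token
// ciphertext plus the data key wrapped for the key holder. Nothing in it can
// be decrypted without the RSA private key, which stays inside the KMS.
type Envelope struct {
	WrappedKey []byte // 32-byte AES key encrypted with RSA-2048 OAEP (SHA-256)
	Nonce      []byte // 12-byte GCM nonce, unique per SealToken call
	Ciphertext []byte // AES-256-GCM ciphertext with the 16-byte auth tag appended
}

// SealToken encrypts an access token under a fresh random AES-256 data key and
// wraps that key with the KMS public key. aad (here the end-user id) is
// authenticated but not encrypted, so an envelope sealed for one user cannot
// be presented for another without the tag check failing.
func SealToken(kmsPub *rsa.PublicKey, token, aad []byte) (*Envelope, error) {
	dek := make([]byte, 32) // AES-256 data encryption key, never reused
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, token, aad)
	// Only the holder of the matching private key can recover dek.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, kmsPub, dek, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ciphertext}, nil
}

// OpenToken is the KMS-side operation: unwrap the data key with the private
// key, then decrypt and verify the token. Any change to the ciphertext, nonce
// or aad makes GCM's tag check fail, and a wrapped key produced for a
// different KMS key fails to unwrap.
func OpenToken(kmsPriv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, kmsPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("unwrap failed: wrapped key does not match this KMS key")
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	token, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("decrypt failed: ciphertext, nonce or AAD was altered")
	}
	return token, nil
}

func main() {
	// Stand-in for the client-managed KMS key pair (generated here only so the
	// example runs on its own).
	kmsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	token := []byte("constructed-sample-oauth-access-token") // constructed, not a real token
	userID := []byte("user-12345")                         // constructed sample AAD

	env, err := SealToken(&kmsKey.PublicKey, token, userID)
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))

	got, err := OpenToken(kmsKey, env, userID)
	fmt.Printf("decrypted: %q err=%v\n", got, err)

	// The same envelope presented under a different user id is rejected.
	_, err = OpenToken(kmsKey, env, []byte("user-99999"))
	fmt.Println("wrong user:", err)
}
```

The design point worth noticing is the split of responsibilities: whoever holds only the public key and the envelope (the role the Mesh API plays in the client-managed setup) can store and forward the token but never read it, and a fresh data key per token means a compromise of one ciphertext's key exposes nothing else.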
End-user data
Mesh never stores end-user PII. PII may be handled temporarily when required to facilitate a transaction, but it is discarded immediately afterwards and is never logged or stored.
Mesh does store non-PII data such as balances and portfolio holdings to improve the end-user experience; all such data is encrypted with customer keys at rest and in transit.