Hosting & Assurance Overview

Mercury Security | 2025

Introduction

Assurance is not only about controls inside an AI system but also about where and how the system is hosted. This document outlines Mercury Security’s approach to hosting assurance, explaining the safeguards applied to third-party providers, the data protection commitments in place, and what clients can expect in terms of transparency and accountability.

Third-Party Hosting Providers

Mercury Security uses carefully vetted third-party providers to host AI agent services and process audit uploads. Providers are selected based on their ability to meet international compliance standards, including:

  • ISO/IEC 27001 for information security management.
  • SOC 2 Type II reporting for security and availability.
  • Regional hosting options to comply with jurisdictional data laws.

All providers must demonstrate a strong history of operational resilience and independent security certification (ISO, 2023).

Data Processing Agreements (DPAs)

Every hosting provider Mercury Security engages with is bound by a Data Processing Agreement (DPA). These agreements define:

  • The roles and responsibilities of data processors.
  • The obligation to notify Mercury Security of incidents.
  • Requirements for encryption in transit and at rest.
  • Subprocessor transparency and limitations.

DPAs align with GDPR and EU AI Act obligations, ensuring a lawful basis for data transfers and processing (European Union, 2016; European Union, 2024).

Encryption and Transmission

All customer data is transmitted via HTTPS/TLS. Files uploaded for audits are encrypted during transit and stored in encrypted form at rest. Redaction is strongly recommended prior to upload, and Mercury Security’s processes are designed to handle only the minimum necessary information.

Regional Hosting

Clients may request hosting in specific jurisdictions (for example, within the European Economic Area or the United States). Mercury Security works with providers that offer regional hosting options to meet local compliance requirements. Upon request and subject to NDA, provider and region details can be disclosed.

Access and Monitoring

Access to hosted systems is tightly controlled and monitored. Identity and access management follows least-privilege principles, and administrative access requires multi-factor authentication. Monitoring systems log access attempts and generate alerts for unusual activity.
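To make the monitoring described above concrete, the following is an added illustration, not Mercury Security's own tooling: a small detector that reads access-log records and raises alerts for two of the conditions a least-privilege, MFA-enforced environment would want flagged (successful administrative logins without MFA, and a burst of failed logins for one account). The JSON-lines format, the field names, the thresholds and the log lines themselves are all constructed assumptions for the example.

```python
"""Access-monitoring example (constructed): flag admin access without MFA and
bursts of failed logins in a stream of access-log records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (JSON lines). Field names are assumptions,
# not the format of any real provider or product.
SAMPLE_LOG = """\
{"ts": "2025-03-01T09:00:00Z", "user": "alice", "role": "admin", "event": "login", "mfa": true, "result": "success", "src": "10.0.0.5"}
{"ts": "2025-03-01T09:01:10Z", "user": "bob", "role": "analyst", "event": "login", "mfa": false, "result": "failure", "src": "203.0.113.7"}
{"ts": "2025-03-01T09:01:20Z", "user": "bob", "role": "analyst", "event": "login", "mfa": false, "result": "failure", "src": "203.0.113.7"}
{"ts": "2025-03-01T09:01:35Z", "user": "bob", "role": "analyst", "event": "login", "mfa": false, "result": "failure", "src": "203.0.113.7"}
{"ts": "2025-03-01T09:05:00Z", "user": "carol", "role": "admin", "event": "login", "mfa": false, "result": "success", "src": "10.0.0.9"}
{"ts": "2025-03-01T10:30:00Z", "user": "bob", "role": "analyst", "event": "login", "mfa": true, "result": "success", "src": "10.0.0.12"}
"""

# Detection thresholds (assumed values; tune to the environment).
FAILURE_THRESHOLD = 3
FAILURE_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse JSON-lines access records and return them sorted by timestamp."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def detect_alerts(records):
    """Return a list of alert dicts for the two rules described in the lead-in."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> timestamps of recent failures
    for rec in records:
        # Rule 1: an administrative login that succeeded without MFA violates
        # the "admin access requires MFA" control and should always alert.
        if rec["role"] == "admin" and rec["result"] == "success" and not rec["mfa"]:
            alerts.append({"rule": "admin_without_mfa",
                           "user": rec["user"],
                           "ts": rec["ts"].isoformat()})
        # Rule 2: a sliding-window count of failed logins per account.
        if rec["event"] == "login" and rec["result"] == "failure":
            window = recent_failures[rec["user"]]
            window.append(rec["ts"])
            # Drop failures that fell out of the window.
            while window and rec["ts"] - window[0] > FAILURE_WINDOW:
                window.pop(0)
            # Alert exactly once when the threshold is first reached.
            if len(window) == FAILURE_THRESHOLD:
                alerts.append({"rule": "failed_login_burst",
                               "user": rec["user"],
                               "count": len(window),
                               "ts": rec["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input the detector raises two alerts: a failed-login burst for `bob` at 09:01:35 and an MFA-less administrative login for `carol` at 09:05:00; `alice` (admin with MFA) and `bob`'s later successful MFA login produce nothing. In practice these rules would sit beside richer context (source network, time of day, privilege changes), but the structure, parsing records into a normalised form and applying per-rule state, is the same.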

Assurance Commitment

Mercury Security commits to:

  • Using only vetted hosting providers.
  • Maintaining current DPAs with all providers.
  • Offering transparency into hosting arrangements upon request.
  • Applying encryption, regional hosting options, and access monitoring.

Conclusion

Hosting assurance is not a technical afterthought but a governance necessity. By relying on vetted providers, binding them through DPAs, and enforcing strict encryption and access controls, Mercury Security ensures that hosting arrangements meet global standards and support compliance across AI deployments.

References

European Union. (2016). Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32016R0679

European Union. (2024). Regulation (EU) 2024/1689 of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. https://eur-lex.europa.eu

ISO. (2023). ISO/IEC 27001:2022 Information security management systems. International Organization for Standardization.

ISO. (2023). ISO/IEC 42001:2023 Information technology — Artificial intelligence — Management system. International Organization for Standardization.
