Security Practices | National Merchant Solutions

Your merchant statement contains sensitive financial detail about your business. Here is exactly how we protect it.

TLS 1.3 in transitAll uploads use modern TLS encryption between your browser and our servers — the same standard your bank uses.

AES-256 at restStatements are stored encrypted with AES-256, an industry-standard symmetric cipher.

Auto-deletion at 30 daysFiles are automatically deleted 30 days after your audit closes. Earlier deletion on request.

Two-person accessOnly David Geoola and Ohad Mizrahie can read your statement. No staff, contractors, or third parties.

1. Infrastructure

The site is hosted on Vercel, which provides automatic HTTPS via Let's Encrypt and runs on infrastructure that meets major industry compliance standards including SOC 2 Type 2. Email delivery is handled by Resend, with all sending domains authenticated via SPF, DKIM, and DMARC.

2. Data minimization

We collect only what we need to perform the audit and contact you with the result. We never request — and our forms cannot accept — credit card numbers, bank account numbers, Social Security numbers, tax IDs, or any payment credentials.

3. Access controls

Only the two principals have access to uploaded files
Access requires individual authenticated sessions on managed devices
Administrative access to the underlying systems is two-factor protected
No vendor, contractor, or third party receives copies of your statement

4. Retention & deletion

Statements are automatically deleted 30 days after your audit is delivered
You can request immediate deletion at any time by emailing david@nmerchantsolutions.com
Backups and logs follow the same 30-day retention

5. Network & transport security

TLS 1.3 (with TLS 1.2 fallback) on all endpoints
HSTS preload enabled with 2-year max-age
Strict CSP-style headers on application pages (X-Frame-Options, X-Content-Type-Options, Referrer-Policy)

6. Vulnerability reporting

If you discover a security issue with the site, please contact us before disclosing publicly. We treat security reports with priority and will respond within 48 hours.

Email: david@nmerchantsolutions.com with subject "Security report"
We do not currently offer a paid bug bounty, but we will publicly thank good-faith reporters with your permission

7. Incident response

In the unlikely event of a data breach affecting customer information, we will notify all affected customers by email within 72 hours of confirming the incident, in line with applicable U.S. state breach notification laws.

8. What we don't claim

We are not currently PCI-DSS certified as a service provider, because we do not handle cardholder data — our service handles processing statements, not card numbers. We are pursuing BBB A+ accreditation. We are not SOC 2 audited as an independent entity; we rely on Vercel's SOC 2 attestation for our underlying infrastructure.

9. Contact

David Geoola — david@nmerchantsolutions.com · (310) 853-3793
Ohad Mizrahie — ohad@nmerchantsolutions.com · (818) 730-6617

Note: This page is a transparent summary of our practices, not a formal compliance attestation. If your business is in a regulated industry (healthcare, financial services, etc.) and you need a vendor questionnaire or compliance documentation, contact us and we will work with you directly.