Data Protection
Data handled by Mercari Group (including the personal information of customers) is protected in accordance with industry best practices.
Secure Design and Secure Programming
Security Requirements Consulting
The Mercari Security team is available for all employees to consult with about any security concerns or questions they may have, and works closely with stakeholders to define security requirements for our products.
Secure Design Review
Major releases undergo a design review by the Product Security team. The Mercari Group follows a shift-left security philosophy and the Security team is involved from the initial stages of the software development lifecycle, ensuring the quality and security of all releases early and throughout every stage of their development.
Secure Coding Best Practices
The Mercari Security team maintains internal secure coding guidelines based on industry best practices, to help ensure quality and security in our applications.
Security Testing
Pre-release Testing
Major releases undergo pre-release testing by the Product Security team.
Testing follows a threat-modeling-based methodology, and aims to discover and eliminate potential vulnerabilities with a focus on well-known and common vulnerabilities.
Automated Security Tooling
The Product Security team maintains tooling for frequent static and dynamic analysis of applications to detect potential vulnerabilities. All vulnerabilities found through this scanning follow our vulnerability management workflow to ensure swift remediation.
Third Party Penetration Testing
Penetration testing of our application and corporate environment is carried out periodically by external parties to ensure an objective evaluation of our security measures and pick up anything we may have missed in-house.
Security Training
In-house Security Training
All employees take our in-house security training at the time of joining the company, and security training is provided on a regular basis in order to improve employees’ awareness.
The Security team also provides various security e-learning courses through the company’s learning management system.
Security Champion Program
In addition to training aimed at all employees, the Security team provides a Security Champion Program aimed at developers.
This program enables developers from each domain team to build hands-on security experience, and take greater responsibility in ensuring the security of their domains.
Threat Monitoring and Handling
Monitoring and Analysis
The Security team monitors systems for various indicators of attack, such as unauthorized access attempts and malware infection. The team responds promptly to significant security events and conducts a thorough investigation of potential threats.
A Security Orchestration, Automation and Response (SOAR) tool (developed and maintained in-house) is used to centralize, monitor, and respond to alerts, allowing us to adapt and respond to threats rapidly.
Anti-phishing
Protecting our users from malicious phishing attacks is a priority.
We work with external organizations and have countermeasures in place to ensure we can take down phishing sites as quickly as possible.
Nippon CSIRT Association Member
The Mercari Group is a member of the Nippon CSIRT Association.
https://www.nca.gr.jp/member/mercari-sirt.html