
Security at Mise

The short version: card data never touches our servers, and operator data is encrypted at rest in Sydney. The long version is below.

Infrastructure

Mise runs on AWS ap-southeast-2 (Sydney) with multi-AZ redundancy. The application and database tiers sit in private subnets within a VPC; only the load balancer is publicly addressable. Daily encrypted backups are held in ap-southeast-4 (Melbourne) with a 30-day retention window.

Payments

Card data never touches Mise servers. Card entry is tokenised by Stripe, Square or Adyen, all PCI DSS Level 1 service providers, and Mise handles only the resulting tokens. Mise itself is scoped to PCI DSS SAQ A; the annual attestation is available on request under NDA.
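The SAQ A posture above depends on card numbers being tokenised before they reach the application. The defence-in-depth check a practitioner adds on the backend is a guard that refuses, and does not log, any request body carrying a Luhn-valid card number, so that a client-side bug cannot silently pull the server into scope. The Python below is an added example, not Mise's code: the endpoint, the `payment_token` field name and the two sample requests are constructed for illustration.

```python
"""Reject raw card numbers at the API boundary (added example, hypothetical names).

A backend that only ever receives provider tokens should refuse, and not log, any
request that turns out to carry a primary account number (PAN).  Scanning the raw
body text catches a PAN wherever it appears, including inside a field that was
supposed to hold a token.
"""
import json
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded
# in a longer digit run (so a 20-digit numeric ID is never partially matched).
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the Luhn-valid card-length digit runs found in text (digits only)."""
    found = []
    for match in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


def check_payment_request(body: bytes) -> dict:
    """Gate for a hypothetical /charge endpoint that must only see provider tokens.

    Returns {"ok": True, "token": ...} or {"ok": False, "reason": ...}.
    """
    text = body.decode("utf-8", errors="replace")
    pans = find_pans(text)
    if pans:
        # Never echo or log the matched digits; a count is enough to triage.
        return {"ok": False, "reason": "raw card data in request", "pan_count": len(pans)}
    try:
        payload = json.loads(text)
    except json.JSONDecodeError:
        return {"ok": False, "reason": "body is not JSON"}
    token = payload.get("payment_token") if isinstance(payload, dict) else None
    if not isinstance(token, str) or not token:
        return {"ok": False, "reason": "missing payment_token"}
    return {"ok": True, "token": token}


# Constructed sample requests, not captured traffic.  The 16-digit order_id fails
# Luhn, so it is correctly left alone; the second body smuggles a PAN (Stripe's
# public test number) into the token field and must be refused.
GOOD_REQUEST = json.dumps({"payment_token": "tok_constructed_example",
                           "amount_cents": 1850,
                           "order_id": "1234567890123456"}).encode()
BAD_REQUEST = json.dumps({"payment_token": "4242 4242 4242 4242",
                          "amount_cents": 1850}).encode()

if __name__ == "__main__":
    print(check_payment_request(GOOD_REQUEST))
    print(check_payment_request(BAD_REQUEST))
```

The scan runs over the raw bytes before JSON parsing so that a PAN is caught even when the body is malformed, and the Luhn check keeps 13 to 19 digit order numbers and similar identifiers from tripping the guard. The rejection path deliberately reports only a count: writing the matched digits to a log would itself put card data on the server.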

Encryption

All traffic in transit uses TLS 1.3. Databases are encrypted at rest with AES-256 under AWS KMS-managed keys that are rotated annually. Backups are encrypted with separate keys.

Access controls

Operator accounts are role-based: cashier, manager, owner, franchise admin. Two-factor authentication is mandatory for owner accounts and for any staff account with refund or void privileges. Mise engineers access production through short-lived SSO credentials, and every production action is audit-logged.
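One way to enforce the rule above in code, as an added example that is not Mise's implementation: derive the two-factor requirement from a role's privilege set rather than from a per-user flag, so that any role which gains refund or void automatically requires a verified second factor, and deny by default for anything unrecognised. The role-to-permission matrix and the session fields are assumed for illustration.

```python
"""Role-based access with a derived two-factor requirement (added example).

Illustrates the rule that owners, and any staff holding refund or void
privileges, must authenticate with a second factor.  The role-to-permission
matrix is assumed for illustration and is not Mise's actual policy.
"""
from dataclasses import dataclass

# Assumed permission sets per role (illustrative).
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "cashier": frozenset({"sale", "view_receipt"}),
    "manager": frozenset({"sale", "view_receipt", "refund", "void", "view_reports"}),
    "owner": frozenset({"sale", "view_receipt", "refund", "void", "view_reports",
                        "manage_staff", "manage_billing"}),
    "franchise_admin": frozenset({"view_reports", "manage_staff", "manage_sites"}),
}

# Privileges that pull a role into the two-factor requirement.
STEP_UP_PERMISSIONS = frozenset({"refund", "void"})
ALWAYS_MFA_ROLES = frozenset({"owner"})


def mfa_required(role: str) -> bool:
    """Derive the MFA requirement from the role's privileges, not a per-user flag.

    Granting refund or void to any role therefore makes MFA mandatory for it
    automatically; nobody has to remember to flip a second setting.
    """
    perms = ROLE_PERMISSIONS.get(role, frozenset())
    return role in ALWAYS_MFA_ROLES or bool(perms & STEP_UP_PERMISSIONS)


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    mfa_enrolled: bool      # user has a second factor registered
    mfa_verified: bool      # second factor was presented in this session


def authorize(session: Session, action: str) -> tuple[bool, str]:
    """Default-deny authorization decision for one action."""
    perms = ROLE_PERMISSIONS.get(session.role)
    if perms is None:
        return False, "unknown role"
    if action not in perms:
        return False, f"role {session.role} lacks {action}"
    if mfa_required(session.role):
        if not session.mfa_enrolled:
            return False, "two-factor enrolment required for this role"
        if not session.mfa_verified:
            return False, "second factor not verified in this session"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sessions, not real accounts.
    for s, action in [
        (Session("c1", "cashier", False, False), "sale"),
        (Session("c1", "cashier", False, False), "refund"),
        (Session("m1", "manager", True, False), "refund"),
        (Session("m1", "manager", True, True), "refund"),
        (Session("o1", "owner", False, False), "view_reports"),
    ]:
        print(s.role, action, authorize(s, action))
```

Note that an owner is refused even a low-risk action like viewing reports until enrolled and verified: the page's rule is about the account, not the individual action, so the check applies to every request from an MFA-required role rather than only to refunds and voids.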

Compliance

We are aligned to ISO 27001 controls and undergo annual third-party penetration testing. SOC 2 Type II is on the roadmap for the next calendar year; we are happy to share the interim attestation letter under NDA.

Report a vulnerability

Email security@mise.app with details. We acknowledge reports within 24 hours and run a responsible-disclosure program that pays bounties for valid reports. We do not take legal action against good-faith researchers.