MORTAR

Security & Trust

Security by Design. Deterministic by Nature.

Mortar is engineered for the most security-conscious organizations. We treat your API contracts and release metadata with the same rigor you apply to your own production systems.

No Code Access

Mortar never requires access to your source code. We analyze compiled OpenAPI/Protobuf artifacts and telemetry metadata, ensuring your IP stays in your VCS.

End-to-End Encryption

All data in transit is protected via TLS 1.3, and data at rest is encrypted using AES-256 with customer-isolated encryption keys.

Private Deployment

For Enterprise and Sovereign customers, Mortar can be deployed fully self-contained within your VPC, ensuring zero data egress.

Governance & Compliance

Our practices are built to align with global standards.

SOC 2 Type II Compliance

We maintain a rigorous SOC 2 Type II audit schedule, covering the Security, Availability, and Confidentiality trust service criteria. Report available under NDA.

Append-Only Audit Trails

Every decision made by the Mortar authority layer is logged to an immutable audit trail, providing a verifiable record of who authorized what change and when.

Least-Privilege API Model

Our integration agents utilize scoped, short-lived tokens and require only write access to audit logs and read access to target specifications.

Responsible Disclosure

If you believe you have found a security vulnerability in Mortar, please contact us at security@mortar.systems. We respond to all reports within 24 hours.