Privacy @ Mercans

Operate with Confidence: Scalability, Transparency, and Data Privacy

Mercans ensures compliance with expert monitoring of labor laws across 100+ countries, an advanced rules engine for accurate pay and tax calculations, and robust data privacy protections.

Mercans' Privacy Commitment

Mercans is committed to safeguarding the personal data of our employees, contractors, clients, their employees, business contacts, and other stakeholders. Our privacy principles, which are at the heart of our global privacy framework, are outlined in our Global Privacy Policy and supported by our data protection practices, including Binding Corporate Rules (BCRs).

We have obtained ISO 27017 certification, an international standard for protecting personal identifiable information (PII) on cloud services. This certification provides third-party validation of our privacy controls and reflects our ongoing commitment to privacy.

Mercans’ Global Chief Privacy Officer leads our Global Privacy Program, supported by a dedicated privacy team. For any questions related to our privacy practices, please contact us at [email protected].

We are committed to maintaining ethical standards in all our business operations. Our principles and processes guide the use of emerging technologies, including real-time monitoring of automated decisions. Privacy is central to our ethical approach and is integrated into everything we do.

Data Privacy is Our Priority

Mercans is the only payroll company globally with ISO and SOC 1 & 2 certifications covering all locations and processes.

Our platform adheres to the highest international standards and regulations.

GDPR

Avoid fines of EUR 250k (each occurrence) for mishandling EU nationals’ data.

SOC 1

External auditors confirmed that financial data provided by Mercans is reliable.

SOC 2

External auditors have confirmed that your data is protected by Mercans.

ISO 20000

Mercans’ services meet the international service management standards.

ISO 27001

Mercans systems are secure.

OWASP ASVS 3.0

Protection from cybersecurity risks.

ISO 27017

Mercans systems protect personal identifiable information (PII) on cloud services.

ISO 27018

Mercans services protect PII in cloud storage.

ISO 9001:2015

Mercans follows Quality Management Systems for process management and continuous improvement.

Your Choices and Consent

Mercans respects your decisions when it comes to collecting and processing your personal data. We use your data strictly for the business purpose it was collected for. In rare cases, as outlined in our Binding Corporate Rules, we may process your data for a related secondary purpose. If you are a client employee or worker, we process your data according to the instructions we receive from our clients.

Minimizing Data and Controlling Access

We only collect and use the minimum personal data necessary to meet the business purpose for which it was collected. Access to your data is granted based on specific roles and job functions.

Tracking and Assessing Data Use

We map data flows and conduct regular privacy risk assessments of our data processing activities. We also monitor and assess our technology tools against industry standards to comply with privacy regulations and maintain an inventory of our processing activities.

Mercans Binding Corporate Rules

Mercans has received approval from data protection regulators in the European Economic Area (EEA), specifically Estonia, for its Binding Corporate Rules for Processors (BCR-P).
This approval allows Mercans to transfer personal data between Mercans group companies in compliance with EEA data protection laws.
Mercans' BCRs consist of binding agreements, business processes, policies, training, and guidelines that form our corporate privacy compliance framework.

Binding Corporate Rules for Processors (BCR-P)

Mercans processes personal data as part of the services we provide to our customers. In this context, our customers act as the controllers or processors of the data, and Mercans acts as the processor, handling the data on behalf of the customer according to their instructions.

For certain services, Mercans’ BCR-P can be utilized by our customers to ensure that any transfer and processing of personal data within the Mercans group complies with EEA data protection laws, including those in Estonia.

For more information about our BCRs, including the full text of the rules, details of the legal commitments of Mercans entities under the BCRs, or to exercise any of your rights, please contact the Mercans Privacy Office.

Mercans Completely Eliminates the Risk of Payroll Data Privacy Challenges for Your Global Ops

Our innovative, stateless application architecture allows for fully anonymous payroll processing, ensuring that sensitive Personal Identifiable Information (PII) is never transferred from clients to our global payroll application. This approach allows for gross-to-net payroll processing without compromising employee privacy.

Beyond just processing, our payroll engine is designed to deliver accurate calculations across 100+ countries through a single, native platform in real-time. The key advantage is that this process is conducted without accessing or storing any identifiable employee information, eliminating the risk of data breaches and meeting stringent data privacy and global compliance requirements, including GDPR.

For businesses concerned about data breaches and ransomware attacks when using external providers for global payroll processing, our solution offers a robust defense. By ensuring that PII remains securely within your data centers and that payroll data is anonymized throughout the process, we address privacy concerns and reinforce data security.
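The separation the paragraphs above describe, as an added illustration that is not Mercans' code: identities stay in a local vault keyed by a random token, only the token and pay-relevant fields leave the client, a pre-send check refuses any batch that still carries PII fields, and the engine's token-keyed results are re-joined locally. The field names, sample records and the flat 20% tax rule are constructed for this example.

```python
import secrets

# Fields that identify a person; they must never leave the client's data center.
PII_FIELDS = {"name", "national_id", "address", "bank_account"}
# Fields the gross-to-net calculation actually needs (constructed set for this example).
PAY_FIELDS = {"country", "gross", "tax_code"}

# Constructed sample input; in the described design these records exist only client-side.
EMPLOYEES = [
    {"name": "A. Example", "national_id": "ID-0001", "address": "1 Main St",
     "bank_account": "EE00-0000", "country": "EE", "gross": 3000.0, "tax_code": "STD"},
    {"name": "B. Example", "national_id": "ID-0002", "address": "2 Main St",
     "bank_account": "EE00-0001", "country": "EE", "gross": 5000.0, "tax_code": "STD"},
]


def pseudonymize(records):
    """Split records into a local vault (token -> PII) and an outbound batch (token + pay fields)."""
    vault, batch = {}, []
    for rec in records:
        token = secrets.token_hex(16)  # random, so the identity cannot be derived from it
        vault[token] = {k: rec[k] for k in PII_FIELDS}
        batch.append({"token": token, **{k: rec[k] for k in PAY_FIELDS}})
    return vault, batch


def leaked_pii_fields(batch):
    """Pre-send check: names of any PII fields still present in the outbound batch."""
    return sorted({k for row in batch for k in row if k in PII_FIELDS})


def remote_gross_to_net(batch):
    """Stand-in for the external engine: a constructed flat 20% rule, keyed only by token."""
    return {row["token"]: round(row["gross"] * 0.80, 2) for row in batch}


def rejoin(vault, results):
    """Back on the client side, attach each net figure to the real identity."""
    return [{**vault[tok], "net": net} for tok, net in results.items()]


def run_payroll(records):
    """Full round trip: pseudonymize, verify nothing identifying is outbound, compute, re-join."""
    vault, batch = pseudonymize(records)
    leaks = leaked_pii_fields(batch)
    if leaks:
        raise ValueError(f"refusing to send PII fields: {leaks}")
    return rejoin(vault, remote_gross_to_net(batch))
```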

Unmatched Data Privacy and Security

Our application is designed with data privacy as a top priority, offering a level of protection unmatched by any other global payroll engine. The engine operates without accessing sensitive personal employee information, ensuring that all data remains fully anonymized and stateless. This unique approach allows clients to submit multiple queries and requests during calculations simultaneously, simplifying processes and speeding up results.

Additionally, the engine’s design provides an extra layer of security—it is built to be highly resilient against cyber threats, offering complete confidentiality and peace of mind for legal teams and senior management concerned about data security.

The system is also fully compliant with global regulations and integrates seamlessly with statutory authorities worldwide. It offers high scalability, making it suitable for organizations of all sizes, including those with over 100,000 employees. Designed for efficient and independent payroll management, it expertly navigates local privacy regulations to ensure global compliance.

Privacy: A Strategic Business Imperative

We view privacy not just as a regulatory compliance issue but as a strategic business concern. While policies, standards, and guidance documents are crucial, privacy risk and compliance must be actionable and fully integrated into all business functions and processes.

To address this, we have developed a comprehensive program framework designed to provide coverage for regulatory, reputational, and operational risks. This framework is tailored to clients of all sizes and complexities, serving as a foundation for discussions on risk tolerance, program scope, specific activities, and high-risk areas that require additional attention and stakeholder involvement.

Our Data Privacy Strategy

Effective Data Privacy Management

Mercans believes that effective data privacy management goes beyond policies and standards. It requires an action-oriented approach integrated into every aspect of business operations.

Programmatic Approach

We establish a practical governance structure, target operating model, and performance indicators to ensure proper privacy risk ownership and scalability.

Risk-Based Strategy

Our risk controls are designed with a deep understanding of our clients’ strategic business priorities, balancing regulatory and operational risks.

Integrated Solutions

We tailor privacy controls to fit the specific nuances of our clients’ business models, processes, systems, and products.

Our Data Privacy practice is dedicated to delivering actionable results that enhance personal data handling practices enterprise-wide. We focus on active risk remediation through process improvements, system modifications, functional changes, or new technology.

Managing Information Retention and Disposal

Mercans has put in place a Global Records Information Management (RIM) Policy to ensure the proper handling of information. This policy outlines the procedures for retaining, maintaining, and safely deleting or destroying personal data, client information, and company records.

Cross-Border Data Transfers

Mercans ensures compliance with relevant laws when transferring personal data across international borders. We also adhere to our Binding Corporate Rules for Client Data Processing Services (the Processor Code) as the main legal framework for transferring personal data of our clients’ employees from Europe to Mercans entities outside the European Economic Area (EEA).