Skip to content

How we handle your code, keys, and data.

Mozaca Labs builds financial software. The trust that makes that possible is itself an engineering discipline. Here's how we practice it.

Trust posture without over-claiming certification.

This page is a review surface for security direction, disclosure paths, data handling, and regulated-flow assumptions. Formal assurance reports, approved subprocessor lists, insurance evidence, and signed control documents should be inserted after senior and legal review.

Padlock — visual mark of Mozaca's security discipline
Engineering discipline04 commitments

Four commitments. Non-negotiable.

Trust work is attached to the operating model: public posture, controlled access, formal assurance boundaries, and private evidence when qualified diligence is ready.

Security posture before sales claims

Mozaca separates public posture from private diligence so buyers can evaluate the security direction without mistaking pre-launch material for formal certification.

Least-privilege access

Internal and client work is scoped to named owners, MFA-backed identities, private repositories, role-based access, and written handoff or removal at close.

Evidence over screenshots

Financial workflows should produce audit-ready evidence: ledger events, approval state, webhook delivery, reconciliation records, incident notes, and exportable reports.

Regulated flows stay gated

Fedha and Zent digital-asset flows operate through licensing, partner controls, transaction monitoring, and jurisdiction review so control posture is explicit.

Public controls and private evidence.

This trust center works as a pre-launch assurance map: controls, responsible disclosure, environment status, regulatory posture, and future private diligence materials are separated cleanly.

Security posture

Public guide

Public disclosure, data-handling, incident, access-control, and vulnerability-reporting expectations are documented here for pre-launch review.

SOC 2 Type II

Not yet issued

Control mapping can be prepared for diligence. Formal report access should be offered only after a current report exists under NDA.

ISO 27001

Roadmap

Security management practices are being structured around access, data handling, incident response, change control, and vendor review.

PCI DSS

Provider-bounded

Card workflows are scoped through approved providers and PCI boundaries; the public website does not process cardholder data.

Status page

Public guide

The public status page covers website, contact, documentation, product posture, and the controlled-access environment model.

security.txt

Published

Responsible disclosure contact details are available at /.well-known/security.txt.

Global ambition means license-aware.

The public site is clear about regulated operating posture without over-claiming approval. Exact entity, license, partner, and corridor details are confirmed in signed scoping or diligence.

Jurisdiction review

Mozaca treats regulated money movement and approved digital-asset workflows as jurisdiction-specific. Fedha and Zent deployments are reviewed against the client's market, licensed partners, provider controls, transaction monitoring, Travel Rule posture where applicable, and local regulatory path.

Fedha

Fedha's operating model is designed as fiat/mobile-money first, with any approved digital-asset movement gated by licensed-path review, sanctions screening, wallet-risk controls, and approved counterparties.

Hazina

Hazina's treasury path is partner-bank and payment-rail led, with KYB, sanctions screening, maker-checker approvals, reconciliation, and audit evidence configured per client scope.

Zent

Zent's institutional digital-asset workflows are designed around approved custody, transaction monitoring, Travel Rule where applicable, and liquidity-provider paths, with Mozaca providing policy, settlement, and reporting layers.

Regulatory references are reviewed per client market and partner path during diligence. This page is not legal advice.

Operational standards.

The practical surface of how we run engagements — disclosure, response, and data handling.

Vulnerability disclosure
Found a security issue in our products or this site? Email security@mozacalabs.com with a clear description and reproduction steps. The responsible disclosure file is also published at /.well-known/security.txt. We acknowledge within 2 business days and triage with the reporter.
Incident response
Active or suspected compromise touching client infrastructure: contact your named Mozaca owner in the existing engagement channel and copy security@mozacalabs.com. First response is within hours, not days. Post-incident write-ups are shared with the affected client first.
Data handling
We process the minimum necessary data for an engagement or demo request. Personal data on this site is covered by our privacy policy.
Subprocessors
Mozaca relies on a small number of providers for hosting, email relay, analytics, repository management, and operational communication. The approved subprocessor list should be finalized during vendor diligence before production access.
Private diligence materials
Qualified buyers can request draft architecture notes, operating-control checklists, subprocessor details, insurance evidence where available, and security questionnaires. Formal assurance reports should be supplied under NDA only when available for the relevant environment.

Need an SBOM, subprocessor list, or insurance certificate for vendor onboarding? Request via the engagement contact.

Request documents