Trust & Security

How we handle your code, keys, and data.

Mozaca Labs builds financial software. The trust that makes that possible is itself an engineering discipline. Here's how we practice it.

Pillars

Four commitments. Non-negotiable.

These aren’t marketing claims — they’re terms in every engagement letter we sign.

Senior-only on sensitive work

Smart contract audits and key-management work are staffed by senior engineers. No junior hand-offs, no offshore subcontracting. Named engineers, in writing, per engagement.

Code under our care

Repositories are pulled into per-client private mirrors during engagements and deleted on close. No client code is published, blogged, or used in marketing without explicit written consent.

Reproducible findings

Every audit report includes a reproducer for each finding — exploit script, test case, or step-by-step trace — so your team can independently verify and re-test after fixes.

Defence in depth on our own stack

MFA-enforced identity, hardware security keys for production access, password manager with shared vaults per engagement, encrypted at rest and in transit.

Practices

Operational standards.

The practical surface of how we run engagements — disclosure, response, and data handling.

Vulnerability disclosure

Found a security issue in our products or this site? Email security@mozacalabs.com with a clear description and reproduction steps. We acknowledge within 2 business days and triage with the reporter. Researchers acting in good faith are publicly thanked (with permission).

Incident response

Active or suspected compromise touching client infrastructure: contact a senior engineer in your existing engagement channel and copy security@mozacalabs.com. First response is within hours, not days. Post-incident write-ups are shared with the affected client first.

Data handling

We process the minimum necessary client data for an engagement. Personal data on this site (contact form submissions) is covered by our privacy policy.

Subprocessors

We rely on a small number of vetted providers for hosting, email, and analytics. A current list is available on request as part of any vendor due-diligence process.
Vendor due diligence

Need an SBOM, subprocessor list, or insurance certificate for vendor onboarding? Request via the engagement contact.
