Compliance & security

Regulated-grade infrastructure you can operate on

Operators carry the regulatory burden — MEXAR is engineered to lift it. The platform aligns to Bank Indonesia requirements and has passed independent security review.

Assurance

How the platform protects your operation

Bank Indonesia requirements

Architected to central-bank standards; currently under active licensing review.

Independent penetration test

Tested end to end by an external security team, with no critical findings left open.

Immutable, append-only ledger

Account flows are append-only: every movement records before/after balances, and transaction items are versioned and superseded rather than silently edited.

KYC & AML screening

Identity verification routed by document type, with blacklist (name, address, keyword), limit and compliance-rule reviewers running on every transaction.

Encryption & least-privilege access

Encrypted in transit and at rest, segregated services, and a complete audit trail attributing every change to a user.

Idempotent, replay-safe processing

Payment confirmation and provider webhooks are idempotent, so retries and network replays never double-post a transaction.

Role-based access control

Fine-grained, least-privilege permissions per module and action, separated by department. Roles are version-controlled and every sensitive action is auditable.

Compliance

Your questions, answered

Is MEXAR licensed?

The platform is built to Bank Indonesia requirements and is under active licensing review. Operators run under their own license scope.

Who tested your security?

An independent third-party security firm conducted a full penetration test of the platform.

How is data protected?

Encrypted in transit and at rest, least-privilege access, and full audit logging for every action.

Can transactions be edited after the fact?

No. Transaction items and account flows are append-only — a change creates a new version and marks the previous one superseded, with full user attribution, so records stay audit-ready.

How do you control who can do what?

Role-based access control with fine-grained, least-privilege permissions for each module and action, separated by department. Role definitions are version-controlled, so segregation of duties is reviewable and auditable.