Security & Compliance

Mural's security team implements strict security processes based on industry standards and years of experience across major enterprise software companies. For any questions about Mural's security and compliance posture, please reach out to [email protected].

Encryption & Networking

Mural uses enterprise-grade encryption standards to safeguard user data. Data at rest is encrypted server-side via AES-256, and data in transit is encrypted via TLS 1.2+. Sensitive data such as account information is also encrypted on the client side, adding another layer of security.

In our compute environment, we utilize Virtual Private Clouds (VPCs) to segregate and protect our internal network resources from external threats. We enhance this security by restricting network access exclusively to pre-approved IP addresses where applicable. Additionally, our infrastructure leverages Cloudflare's services, which provide robust defense against various network-based threats.

User Permissioning

The Mural platform gives customers the ability to designate specific Roles to each user within an Organization. Each of the available roles has different security access to create and approve transactions, configure Organization settings, create and edit Contacts, view and download Transaction data and Account statements, and more.

KYC / CDD

To help the government fight the funding of terrorism and money laundering activities, federal law may require us to obtain, verify, and record information that identifies each person who conducts a transaction with the company.

When you conduct a transaction with us, we may ask for your name, address, date of birth, and other information that will allow us to identify you, including your Social Security number. We may also ask to see your driver’s license or other identifying documents.

The Mural platform integrates with Persona for identity verification of businesses and individuals. The checks and verifications include government identification checks, business registration verification, sanctions screening, adverse media reports, watchlist reporting, politically exposed persons reporting, and more.

For businesses, we require:

  • General business details (name, website, address, business description, source of funds)

  • Tax Identification Number / EIN

  • Business Formation Document (Articles of Incorporation, Certificate of Formation, etc.)

  • Business Formation Date

  • Ultimate Beneficial Owners (UBOs) - individuals who own >20%, and their ID verification

  • Shareholder Registry or other document proving UBO % ownership

For individuals, we require:

  • Name

  • Contact information (email, phone number)

  • Primary Address

  • Government-Issued Photo Identification (National ID, Driver's license, Passport, etc.)

  • Nationality

  • Tax Identification Number / SSN

Approval Policies & Passkeys

Organization Owners on Mural can create Accounts for managing assets on the platform. Those Accounts require configuring Approvers and approval thresholds for any payments coming from those Accounts. This gives Organizations full control over their assets by enabling them to set up multi-user approval thresholds to protect funds and prohibit unilateral actions on high-value accounts. Note that Mural does not have access to user funds, nor does Mural have the ability to move funds on a user's behalf.

Transaction approvals leverage Digital Signatures, which by default are backed by Passkeys. Passkeys are cryptographic key-pairs created and stored directly on user devices. This comes with some significant security upgrades as compared to traditional password-based authentication:

  • Access to and usage of passkeys are gated on OS-level biometrics and device locks: Face ID, Touch ID, PINs, lock screen patterns, etc.

  • The underlying credential is stored on your device and is never disclosed to Mural (or any website), making it a lot harder to steal.

  • Your passkey is bound to the web domain that creates it (i.e. app.muralpay.com). This is important to thwart phishing attacks.

  • Passkeys are synced across devices natively on Apple and Google devices. Apple supports this via the iCloud keychain, and Google via the Google Password Manager.
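
The domain binding and biometric gating described above surface on the server as fields of each WebAuthn assertion. The following is an added example, not Mural's code, of the binding checks a relying party runs before verifying the signature against the stored public key (that signature step is not shown). The RP ID and origin are assumed from the domain named above, and the sample assertions are constructed.

```python
import base64
import hashlib
import hmac
import json
import os

# Assumed for illustration: RP ID and origin derived from the domain named above.
RP_ID = "app.muralpay.com"
EXPECTED_ORIGIN = "https://app.muralpay.com"
FLAG_UP, FLAG_UV = 0x01, 0x04  # user present / user verified (biometric or PIN)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def binding_problems(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return reasons to reject an assertion; an empty list means the checks pass."""
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("not an authentication assertion")
    got = str(client.get("challenge")).encode()
    if not hmac.compare_digest(got, b64url(challenge).encode()):
        problems.append("challenge mismatch (possible replay)")
    if client.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin mismatch")
    if len(auth_data) < 37:  # 32-byte rpIdHash + 1 flags byte + 4-byte counter
        return problems + ["authenticator data too short"]
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        problems.append("rpIdHash mismatch")
    flags = auth_data[32]
    if not flags & FLAG_UP:
        problems.append("user presence flag not set")
    if not flags & FLAG_UV:
        problems.append("user verification flag not set")
    return problems


def constructed_assertion(origin: str, rp_id: str, challenge: bytes, flags: int):
    """Build sample inputs shaped like what a browser and authenticator return."""
    client = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")
    return json.dumps(client).encode(), auth_data


if __name__ == "__main__":
    challenge = os.urandom(32)  # issued by the server for this one approval
    good = constructed_assertion(EXPECTED_ORIGIN, RP_ID, challenge, FLAG_UP | FLAG_UV)
    other = constructed_assertion("https://login.example", "login.example", challenge, FLAG_UP)
    print(binding_problems(*good, challenge))
    print(binding_problems(*other, challenge))
```

An assertion produced on any other origin carries that origin and a different `rpIdHash`, so it is rejected here even if the user was tricked into approving a prompt.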

Subprocessors

Mural uses subprocessors to help us operate, provide, integrate, and support our services. Mural conducts due diligence before engaging with any new subprocessor. Among other focuses, Mural validates that customer data is always protected.

The table below identifies Mural's subprocessors and details the purpose of their services. Subprocessor websites are available through links in the table.

Subprocessor | Purpose

Data hosting, product infrastructure

Authentication, identity management

Bank account authentication

Email campaign management

Financial transactions

Data integration and internal analytics

Identity verification (KYB / KYC)

Non-custodial private key management

Notifications

If you are a Mural Customer and would like to be notified of any intended changes concerning the addition or replacement of subprocessors, please subscribe to receive notifications here. You may unsubscribe at any time using the unsubscribe link in the notification email.
