← Back to Developer Programme

Third-Party App Compliance Requirements

All apps submitted to the Mercentia Marketplace must meet the following compliance, security, and quality standards. These requirements are aligned with 2026 global regulations and industry best practices.

Last updated: April 2026 · Version 3.2

1. Security Requirements

1.1 Authentication & Authorization

  • Must use OAuth 2.0 with PKCE for all authentication flows
  • API keys must never be exposed in client-side code
  • Support token refresh without user re-authentication
  • Implement least-privilege access — only request permissions your app actually needs
  • Session tokens must expire within 24 hours maximum
  • Must support token revocation on uninstall

1.2 Data Encryption

  • TLS 1.3 required for all data in transit (TLS 1.2 minimum accepted)
  • AES-256 encryption required for all data at rest
  • Cryptographic key rotation every 90 days
  • No storage of raw credit card numbers (use tokenisation only)
  • Secrets must be stored in environment variables or dedicated secrets managers, never in source code

1.3 Vulnerability Management

  • Annual penetration testing by a qualified third party (report must be within last 12 months)
  • OWASP Top 10 compliance mandatory
  • Critical vulnerabilities must be patched within 24 hours of discovery
  • High-severity vulnerabilities within 7 days
  • Maintain a Vulnerability Disclosure Programme (VDP)
  • Dependency scanning (SCA) with automated alerts for known CVEs
  • No use of deprecated or end-of-life libraries with known security issues

1.4 Infrastructure Security

  • Must deploy on SOC 2 Type II certified infrastructure (AWS, GCP, Azure, or equivalent)
  • Network segmentation between environments (production, staging, development)
  • Web Application Firewall (WAF) required for public endpoints
  • DDoS protection measures in place
  • Logging and monitoring of all access events (retain for 12 months minimum)
  • Incident response plan documented and tested annually

2. Privacy & Data Protection

2.1 GDPR (EU General Data Protection Regulation)

  • Lawful basis for processing identified for each data type
  • Privacy notice clearly displayed before data collection
  • Consent management with granular opt-in/opt-out controls
  • Right to access (Article 15) — respond within 30 days
  • Right to erasure (Article 17) — complete deletion within 30 days
  • Right to data portability (Article 20) — machine-readable export
  • Data Protection Impact Assessment (DPIA) for high-risk processing
  • Data Processing Agreement (DPA) signed with Mercentia
  • Appoint a Data Protection Officer (DPO) if processing at scale
  • 72-hour breach notification to supervisory authority

2.2 CCPA/CPRA (California Consumer Privacy Rights Act)

  • "Do Not Sell or Share My Personal Information" link required
  • Honour Global Privacy Control (GPC) browser signals
  • Right to know — disclose what data is collected and why
  • Right to delete — process within 45 days
  • Right to opt-out of sale/sharing of personal information
  • Right to correct inaccurate personal information
  • Right to limit use of sensitive personal information
  • Annual privacy audit for high-volume processors

2.3 Data Minimisation & Retention

  • Only collect data strictly necessary for app functionality
  • Define and document data retention periods for each data type
  • Automatic deletion of data when retention period expires
  • No secondary use of merchant or customer data without explicit consent
  • No selling, sharing, or monetising merchant data to third parties
  • Aggregate or anonymise data for analytics purposes

2.4 Data Residency & Transfer

  • Disclose all data processing locations (countries)
  • EU data must stay within EU/EEA unless valid transfer mechanism exists
  • Standard Contractual Clauses (SCCs) for international transfers
  • Binding Corporate Rules (BCRs) if applicable
  • Offer data residency options for merchants in regulated regions
  • Transfer Impact Assessment (TIA) for non-adequate countries

2.5 Additional Privacy Regulations

  • PIPEDA (Canada) — meaningful consent, limited collection
  • LGPD (Brazil) — legitimate interest, consent, data mapping
  • APPI (Japan) — purpose specification, accurate records
  • POPIA (South Africa) — accountability, purpose limitation
  • PDPA (Singapore/Thailand) — consent, access, correction rights
  • UK GDPR — ICO registration, UK representative if needed

3. Compliance Certifications

3.1 Required (Minimum One)

SOC 2SOC 2 Type II

Annual audit report from accredited firm covering security, availability, confidentiality.

ISO 27001ISO 27001:2022

Information Security Management System certification from accredited body.

PCI DSSPCI DSS 4.0

Required if handling payment card data. Self-Assessment Questionnaire (SAQ) minimum.

3.2 Recommended

HIPAAHIPAA

Required if app handles health-related data. BAA must be signed.

WCAGWCAG 2.2 AA

Web Content Accessibility Guidelines — required for all UI-facing apps.

AI ActEU AI Act

Required for apps using AI/ML. Risk classification, transparency, and human oversight.

4. EU Digital Services Act (DSA)

  • Transparent terms of service — clearly explain what the app does and doesn't do
  • Content moderation policies if user-generated content is involved
  • Illegal content reporting mechanism
  • Transparency in algorithmic recommendations
  • Annual transparency report for large-scale services
  • Clear advertising disclosures and labelling
  • Designated point of contact for EU authorities

5. EU AI Act Compliance (for AI-powered apps)

  • Risk classification of AI system (minimal, limited, high-risk, unacceptable)
  • Transparency requirements — users must be informed when interacting with AI
  • Human oversight mechanisms for automated decisions affecting merchants/customers
  • Technical documentation of training data, model architecture, and limitations
  • Bias testing and fairness assessments documented
  • Accuracy, robustness, and cybersecurity measures for high-risk systems
  • Logging of AI system decisions for auditability
  • Clear opt-out mechanism for AI-driven personalisation
  • No prohibited AI practices (social scoring, real-time biometric identification without authorisation)
  • Conformity assessment for high-risk applications

6. Performance & Reliability Standards

  • P95 API response time < 500ms
  • P99 API response time < 2000ms
  • 99.9% monthly uptime SLA (max 43 minutes downtime/month)
  • Graceful degradation — app failures must not crash the merchant's store
  • No blocking of storefront rendering (async loading required)
  • Total page weight contribution < 200KB (compressed)
  • Rate limit compliance — respect API limits without aggressive retry
  • Proper error handling with user-friendly messages
  • Status page or health check endpoint required
  • Planned maintenance windows communicated 72 hours in advance
  • Rollback capability for all deployments

7. Accessibility (WCAG 2.2 Level AA)

  • All interactive elements keyboard-navigable
  • ARIA labels on custom components
  • Colour contrast ratio minimum 4.5:1 for normal text, 3:1 for large text
  • Focus indicators visible on all interactive elements
  • Screen reader compatibility (tested with NVDA, VoiceOver, JAWS)
  • No content conveyed by colour alone
  • Text resize up to 200% without loss of functionality
  • Touch targets minimum 44x44px
  • Motion/animation respects prefers-reduced-motion
  • Form errors identified with text (not just colour/icon)
  • Responsive design from 320px to 4K displays
  • Language attribute set correctly
  • Provide accessibility statement

8. User Experience & Quality Standards

  • Clean, uncluttered UI consistent with Mercentia design patterns
  • No misleading pricing or hidden fees
  • Clear onboarding flow — users should understand how to use the app within 60 seconds
  • Meaningful error messages with actionable guidance
  • Uninstall must be clean — remove all store modifications, webhooks, and scripts
  • No dark patterns (e.g., making cancellation difficult, pre-checked upsells)
  • Loading states and feedback for async operations
  • Confirmation dialogs for destructive actions
  • Multi-language support (English minimum, additional languages encouraged)
  • Help documentation or in-app guidance available
  • Responsive email notifications (not excessive)

9. Business & Legal Requirements

  • Valid legal entity with verifiable business registration
  • Published Terms of Service for end users
  • Published Privacy Policy (accessible and understandable)
  • Data Processing Agreement (DPA) signed with Mercentia
  • Professional liability insurance recommended ($1M+ for Certified tier)
  • Responsive support — first reply within 24 hours (business days)
  • Clear refund/cancellation policy
  • No misleading marketing claims
  • Accurate app store listing — screenshots and descriptions must reflect current functionality
  • Maintain active development — apps inactive for 6+ months may be delisted
  • Cooperate with Mercentia security team on incident investigation

10. Review & Approval Process

10.1 Initial Review Checklist

  1. Metadata Review — App listing accuracy, descriptions, screenshots, pricing
  2. Security Scan — Automated SAST/DAST scanning of app endpoints
  3. Permission Audit — Verify all requested permissions are justified
  4. Privacy Review — Data handling practices, privacy policy, DPA
  5. Performance Testing — Load testing, response times, resource usage
  6. Accessibility Audit — Automated and manual WCAG 2.2 testing
  7. UX Review — Install flow, core functionality, uninstall flow
  8. Compliance Verification — Certificates, audit reports, documentation
  9. Manual Penetration Testing — For apps handling sensitive data

10.2 Review Timelines

  • Community Developers: 14 business days
  • Certified Partners: 7 business days
  • Certified Elite: 3 business days
  • Re-submissions (after fixes): 5 business days

10.3 Rejection Reasons

  • Security vulnerabilities identified in scan
  • Missing or inadequate privacy policy
  • Excessive permissions not justified by app functionality
  • Performance below minimum thresholds
  • Accessibility failures (critical WCAG violations)
  • Misleading descriptions or screenshots
  • Dark patterns or deceptive UX
  • Incomplete uninstall (leaves residual data/scripts)
  • Missing compliance documentation
  • Duplicate functionality of existing built-in feature with no differentiation

10.4 Ongoing Compliance

  • Quarterly automated security re-scans
  • Annual compliance documentation renewal
  • Penetration test reports updated annually
  • Maintain minimum 3.0 rating (apps below 2.5 for 90+ days may be suspended)
  • Respond to merchant support tickets within SLA
  • Mercentia reserves right to emergency-delist apps for critical security issues

11. Prohibited Practices

  • Cryptocurrency mining or resource abuse
  • Exfiltrating merchant or customer data for undisclosed purposes
  • Injecting advertisements into merchant storefronts without consent
  • Tracking customers across stores without explicit consent
  • Manipulating search rankings or reviews
  • Bundling unrelated functionality to justify extra permissions
  • Embedding third-party tracking pixels without disclosure
  • Using AI to generate fake reviews or misleading content
  • Reverse-engineering Mercentia platform code
  • Storing payment credentials outside PCI-compliant systems

Ready to Submit?

If your app meets these requirements, you're ready to submit for review.

Submit Your AppDeveloper Programme