Security updates

Last updated: 08-12-2025
Applies to: Mestic products equipped with a Tuya IoT chipset and managed through the Mestic App.

1. Purpose of this Policy

This Security Update Policy describes how Mestic provides security updates for its smart products (“connectable products”) sold in the United Kingdom.
It is written to comply with the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (“PSTI Regulations”).

This policy tells customers:

• how long security updates will be provided,
• how updates are delivered,
• how we communicate vulnerabilities and fixes, and
• how to report potential security issues.

2. Defined Support Period

For all Mestic Smart products covered under this policy:

• Mestic guarantees a minimum security update support period of 5 years.
• This period begins on the date the model is first made available on the market.
• The end date of the support period for each model will be published on the Mestic website and updated if extended.

If Mestic extends the support period for a product, the new end date will be published free of charge, in English, and without requiring a prior request, as required under PSTI regulations.

3. What Security Updates Cover

Security updates may include:

• fixes for vulnerabilities affecting the product firmware,
• security improvements supplied by the Tuya IoT platform,
• patches for the Mestic App if they impact the secure operation of the smart products.

Updates may address issues relating to:

• encryption,
• authentication,
• connectivity,
• device firmware security,
• app-to-device communication.

4. How Security Updates Are Delivered

4.1 Device Firmware Updates

Smart products firmware updates are delivered through the Tuya-based OTA (Over-The-Air) update mechanism.
Updates are installed via the Mestic App when:

• the smart product is powered on,
• it is connected via Bluetooth or Wi-Fi (depending on model), and
• an update is available.

Users will receive an in-app notification prompting them to install available updates.

4.2 App Updates

Security updates for the Mestic App are delivered through:

• Apple App Store (iOS)
• Google Play Store (Android)

Users should keep the app updated to ensure secure operation.

5. Vulnerability Reporting

Mestic welcomes reports from security researchers, customers and partners.

To report a security vulnerability in a Mestic smart product or in the Mestic App, please use our Vulnerability Disclosure page or our contact email: info@mestic.com.

Mestic will:

• acknowledge receipt within 24 hours
• investigate the report,
• coordinate remediation where valid, and
• provide follow-up communication to the reporter.

6. Patch Response Process

When a vulnerability is confirmed:

1. Severity and risk are assessed.
2. A fix is developed by Mestic and/or Tuya (depending on the component affected).
3. The fix is tested for stability and safety.
4. A security update is released through the OTA system or the Mestic App.
5. Users are notified through the app and/or website.

Critical vulnerabilities are prioritised for the fastest possible resolution.

7. End of Support

When the defined support period ends:

• the product will no longer receive security updates,
• users will be informed via the Mestic website,
• continued use may pose increased security risks,
• users will be advised to disconnect the device from networks if appropriate.

8. Transparency

All required PSTI information — including the support end date and contact details for security reporting — will be:

• freely accessible,
• published in English,
• easy to understand,
• available without registration or request.

9. Changes to This Policy

If this policy is updated, the revised version will be published on this page and will apply immediately. Customers are encouraged to check this page for the latest version.