Integrations for GDPR-compliant companies

At Merge, data protection is a top priority – and has been from the beginning.

While the GDPR only governs data protection in the EU, Merge recognizes that the obligations set by the GDPR are the world’s strongest set of data protection directives and, as such, chooses to implement them for all data transfers, regardless of geography.

Trusted to power integrations at top European companies

Merge is committed to supporting our growing European customer base

  • 30% of Merge customers are based in Europe
  • Global offices in NYC, SF, and Berlin
  • Merge supports a wide range of European software integrations

Data localization and transfer

Merge puts in place a DPA (data processing agreement) with all customers, whereby Merge commits to processing data transfers in accordance with GDPR’s Standard Contractual Clauses. In addition, Merge offers Customers control over where their data is stored.

EU tenants

If the customer selects our EU multi-tenant environment, data will be stored only in the EU, in Stockholm.

Single-tenant environments

Single-tenant environments are available for purchase as part of an annual plan if an additional level of security is desired. You receive your own servers and databases, and though Merge manages your data, it is fully separated from that of other Merge customers.

Data minimization

Merge offers several features that give Customers greater control over the data that is shared.

Scopes

Scopes offers the ability to request only the data models and fields that are needed.

Selective Sync

Selective Sync offers the ability to filter data for enabled models and fields; this functionality is dependent on third-party support for filters as well as Merge-provided filter coverage, which we are continuously expanding.

Redact unmapped data

Merge provides the ability to extend our common models while also respecting the data access and privacy terms your customers have agreed to by redacting unused data.

If you use another unified API provider, you have to choose between the following:

  • Limit your data to the provider's common model
  • Extend the provider's common model but face the potential risk of litigation, fines, customer churn, lost deals, etc. due to violating data terms

Data access and erasure

Merge offers several features that provide individuals with the means to control their personal data.

Data deletion via ignore endpoint

If someone has requested that their personal data not be transferred, this functionality allows you to ignore a specific data subject, while continuing to pull others.

Linked Account deletion

When a Linked Account is deleted, all data associated with that Linked Account is also deleted from Merge. Merge enables the deletion of a Linked Account both in the Merge Dashboard and via API.

Accountability and compliance

Consistent with GDPR’s core value of Accountability, Merge keeps detailed records of data processing activities and implements appropriate security measures to protect data.

GDPR and ISO 27001

Audit trail

Merge offers Enterprise Customers access to our audit trail, which provides a record of activities and actions taken by users within Merge. The audit trail facilitates transparency and accountability across your operations. Merge is currently the only Unified API that offers this feature.

SSO with SAML

Merge is compatible with Single Sign-On (SSO) with Security Assertion Markup Language (SAML), allowing organizations to control which of their internal users have access to the Merge dashboard and enforce organizational access policies.

Data Encryption

Merge encrypts all data at rest and in transit. All our data is stored in AWS and is encrypted using the AES-256 encryption algorithm. Data is not allowed to be stored on external media, and production data is never moved out of production environments. Additionally, we enforce strict internal access controls for customer data, including purpose-based access control in addition to role-based control for each instance of access to customer data. More details about our security and data protection policies are available at trust.merge.dev.

How deskbird uses Merge’s European-focused HRIS integrations to expand across the continent


“Through Merge, we’ve been able to provide HRIS integrations that exceed our European-based customers’ security requirements.”

Ilija Bozic
Senior Product Manager