Integrations for GDPR-compliant companies
At Merge, data protection is a top priority – and has been from the beginning.
While the GDPR only governs data protection in the EU, Merge recognizes that the obligations set by the GDPR are the world’s strongest set of data protection directives and, as such, chooses to implement them for all data transfers, regardless of geography.
Merge is committed to supporting our growing European customer base
- 30% of Merge customers are based in Europe
- Global offices in NYC, SF, and Berlin
- Merge supports a wide range of European software integrations
Data localization and transfer
Merge puts in place a DPA (data processing agreement) with all customers, whereby Merge commits to processing data transfers in accordance with GDPR’s Standard Contractual Clauses. In addition, Merge offers Customers control over where their data is stored.
EU tenants
If the customer selects our EU multi-tenant environment, data will only be stored in the EU in Stockholm.
Single-tenant environments
Single-tenant environments are available for purchase as part of an annual plan if an additional level of security is desired. You receive your own servers and databases, and though Merge manages your data, it is fully separated from that of other Merge customers.
Data minimization
Merge offers several features that give Customers greater control over the data that is shared.
Scopes
Scopes offers the ability to request only the data models and fields that are needed.
Selective Sync
Selective Sync offers the ability to filter data for enabled models and fields; this functionality is dependent on third-party support for filters as well as Merge-provided filter coverage, which we are continuously expanding.
Redact unmapped data
Merge provides the ability to extend our common models while also respecting the data access and privacy terms your customers have agreed to by redacting unused data.
If you use another unified API provider, you have to choose between the following:
- Limit your data to the providers' common model
- Extend the providers' common model but face the potential risk of litigation, fines, customer churn, lost deals, etc. due to violating data terms
Data access and erasure
Merge offers several features that provide individuals with the means to control their personal data.
Data deletion via ignore endpoint
If someone has requested that their personal data not be transferred, this functionality allows you to ignore a specific data subject, while continuing to pull others.
Linked Account deletion
When a Linked Account is deleted, all data associated with that Linked Account is also deleted from Merge. Merge enables the deletion of a Linked Account both in the Merge Dashboard and via API.
Accountability and compliance
Consistent with GDPR’s core value of Accountability, Merge keeps detailed records of data processing activities and implements appropriate security measures to protect data.
Audit trail
Merge offers Enterprise Customers access to our audit trail, which provides a record of activities and actions taken by users within Merge. The audit trail facilitates transparency and accountability across your operations. Merge is currently the only Unified API that offers this feature.
SSO with SAML
Merge is compatible with Single Sign-On (SSO) with Security Assertion Markup Language (SAML), allowing organizations to control which of their internal users have access to the Merge dashboard and enforce organizational access policies.
Data Encryption
Merge encrypts all data at rest and in transit. All our data is stored in AWS and is encrypted using the AES-256 encryption algorithm. Data is not allowed to be stored on external media, and production data is never moved out of production environments. Additionally, we enforce strict internal access controls for customer data, including purpose-based access control in addition to role-based control for each instance of access to customer data. More details about our security and data protection policies are available at trust.merge.dev.
How deskbird uses Merge’s European-focused HRIS integrations to expand across the continent
“Through Merge, we’ve been able to provide HRIS integrations that exceed our European-based customers’ security requirements.”