Security and Privacy

Security and compliance are at our core

Merge is designed from the ground up to safeguard your customer data in accordance with the industry’s highest standards of security and privacy

Delivering world-class security and privacy standards

At Merge, data protection is top priority — and has been from the very beginning. It’s why we protect your data with trusted infrastructure, rigorous auditing, and best-in-class certifications.

Uptime

Fault-tolerant infrastructure ensures availability even during extreme demand

Encryption

Data is encrypted at rest and in transit, and PII is protected with an additional layer of application encryption

Data centers

All data is secured in Amazon Web Services (AWS) data centers with enterprise-grade physical and network security

Defense in depth

Merge maintains separate networks for webservers and databases, detects and logs access to systems, and grants unique credentials for each employee and tool

Shift left

Our developers are proactive when it comes to security and use both DAST and SAST security scanning tools

Penetration testing

Our security team conducts penetration testing every year and automated scans on a weekly basis

Compliance frameworks

Merge adheres to industry-standard compliance frameworks, including SOC 2 Type II, ISO 27001, HIPAA, GDPR, and CCPA

AICPA SOC, ISO 27001, HIPAA Compliant, GDPR

Enterprise-level Security & Privacy

Designed with your security needs in mind

Merge is built with features to meet and exceed your enterprise security and privacy needs

01

Data minimization

Meaningfully control and limit what data is shared

Scopes

Set precise scopes to sync only what’s needed, respecting your customers’ data privacy

Selective Sync

Configure data synced to Merge based on third-party fields and parameters

Redact unmapped data

Redact data from third-party unmapped fields to hide sensitive data from logs and remote data

02

Data access and erasure

Seamlessly delete any data at any time

Data deletion via ignore endpoint

Exclude specific individuals' personal data from being accessed, while continuing to pull data for others

Linked Account deletion

When a Linked Account is deleted, all data associated with that account is also deleted from Merge

03

Accountability and compliance

Automatically keep detailed records of data processing activities and easily restrict access to Merge

Audit trail

Full transparency and accountability for all user actions in the Merge Dashboard

SSO with SAML

Compatible with Single Sign-On (SSO) with Security Assertion Markup Language (SAML), so you can control access to the Merge Dashboard and enforce organizational policies

Role-based access control

Restrict what type of access Merge users have based on their assigned role

04

Data residency and transfer

Confidently meet data residency requirements

Multi-tenants

Choose to store data in Amazon Web Services (AWS) data centers with enterprise-grade physical and network security in the US, EU, and/or APAC-based regions

Single-tenants

Receive your own servers and databases that are fully separated from other Merge customers

Active Defense

Bug bounty and vulnerability disclosure

Merge maintains a vulnerability disclosure program on approved asset scopes.

You can contact us for more information or report vulnerabilities to security@merge.dev.

By submitting a security bug or vulnerability to Merge, you acknowledge that you agree to all VDP policies and may not disclose publicly or to any third parties the findings of any security research without Merge's prior written approval.
