Security and Privacy


Merge is designed from the ground up to safeguard your customer data in accordance with the industry’s highest standards of security and privacy.

Cyber Secured

Data security at the highest level of industry standards


Fault-tolerant infrastructure ensures availability even during extreme demand.

Data Centers

All data is secured in US-based Amazon Web Services (AWS) datacenters with enterprise-grade physical and network security.


Data is encrypted at rest and in transit, and PII is protected with an additional layer of application encryption.

Defense in Depth

Merge maintains separate networks for webservers and databases, detects and logs access to systems, and grants unique credentials for each employee and tool.

Shift Left

Our developers are proactive when it comes to security and use both DAST and SAST security scanning tools.

Penetration Testing

Our security team conducts penetration testing every year and an automated scan on a weekly basis.


SOC 2 Type 2 Compliant

Merge's SOC 2 Type 2 compliance program is an industry-standard framework attesting that the company's internal controls and processes continue to meet and exceed requirements in securing customer data and ensuring the availability of our product infrastructure. If you are a customer (current or prospective) and wish to review our SOC 2 Type 2 report, please contact your account representative.

Active Defense

Bug Bounty and Vulnerability Disclosure

Merge maintains a vulnerability disclosure program on approved asset scopes.

You can contact us for more information or report vulnerabilities to

By submitting a security bug or vulnerability to Merge, you acknowledge that you agree to all VDP policies and may not disclose publicly or to any third parties the findings of any security research without Merge's prior written approval.