Security & Trust

Security is the product.

MergeGuide exists to help teams ship secure, compliant code, so we hold our own systems to the same standard. Here's how we approach security and data protection, and how to reach us if you find something.

Our approach

Practical security, built in from the start.

Encryption in transit

All traffic to MergeGuide (the website, the API, and the dashboard) is served exclusively over TLS (HTTPS). We don't accept unencrypted connections.

Reputable cloud infrastructure

MergeGuide runs on established cloud providers (AWS and Vercel) in US regions. Our current sub-processors are listed publicly on our Sub-Processors page.

Data minimization

We collect only what's needed to deliver the product. Policy evaluation is designed to surface findings without retaining more of your source code than necessary. See our Privacy Policy for details.

Access control

Access to production systems is limited to authorized personnel and protected by multi-factor authentication. Customer accounts support SSO/SCIM on the Enterprise plan.

Signed evidence

The platform produces cryptographically signed evidence for governed pull requests, so compliance artifacts are tamper-evident and verifiable rather than self-asserted.
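To make "tamper-evident and verifiable" concrete, here is an added example of the general technique (not MergeGuide's own code, and not its evidence format): a record of what was checked on a pull request is encoded deterministically, signed with the issuer's Ed25519 private key, and later re-verified against the issuer's public key. The Evidence field set, the JSON canonicalization, and the sample values are all assumptions made for this example. Editing any field of the stored record after signing, such as flipping a "fail" verdict to "pass", makes verification fail.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Evidence is a hypothetical record of what was checked on a governed pull
// request. The field set is an assumption made for this example; it is not
// MergeGuide's own format.
type Evidence struct {
	Repo      string   `json:"repo"`
	PR        int      `json:"pr"`
	HeadSHA   string   `json:"head_sha"`
	Policies  []string `json:"policies"`
	Result    string   `json:"result"`
	Timestamp string   `json:"timestamp"`
}

// SignedEvidence is what would be stored or handed to an auditor: the record
// plus a detached signature over its canonical encoding.
type SignedEvidence struct {
	Evidence  Evidence `json:"evidence"`
	Signature []byte   `json:"signature"` // base64 when marshalled to JSON
}

// canonical returns the exact bytes that are signed. encoding/json emits struct
// fields in declaration order with no whitespace, so the same record always
// encodes to the same bytes. Signer and verifier must agree on this encoding,
// otherwise a valid signature fails to verify.
func canonical(e Evidence) ([]byte, error) {
	return json.Marshal(e)
}

// Sign attaches an Ed25519 signature from the issuer's private key.
func Sign(priv ed25519.PrivateKey, e Evidence) (SignedEvidence, error) {
	msg, err := canonical(e)
	if err != nil {
		return SignedEvidence{}, err
	}
	return SignedEvidence{Evidence: e, Signature: ed25519.Sign(priv, msg)}, nil
}

// Verify re-derives the canonical bytes from the record as received and checks
// the signature with the issuer's public key. Any change to any field after
// signing makes this return false.
func Verify(pub ed25519.PublicKey, se SignedEvidence) bool {
	msg, err := canonical(se.Evidence)
	if err != nil {
		return false
	}
	return ed25519.Verify(pub, msg, se.Signature)
}

// Demo signs a constructed sample record, verifies it, then rewrites the
// verdict in the stored artifact and verifies again.
// It returns (intactVerifies, tamperedVerifies, err).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	sample := Evidence{ // constructed sample data, not a real PR
		Repo:      "example/app",
		PR:        42,
		HeadSHA:   "0123456789abcdef0123456789abcdef01234567",
		Policies:  []string{"no-secrets-in-diff", "require-reviewer"},
		Result:    "fail",
		Timestamp: "2024-01-01T00:00:00Z",
	}
	se, err := Sign(priv, sample)
	if err != nil {
		return false, false, err
	}
	intact := Verify(pub, se)

	// Someone edits the stored verdict after the fact. The canonical bytes no
	// longer match what was signed, so the signature does not verify.
	tampered := se
	tampered.Evidence.Result = "pass"
	return intact, Verify(pub, tampered), nil
}

func main() {
	intact, tampered, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("intact record verifies: %v\ntampered record verifies: %v\n", intact, tampered)
}
```

The signature only proves as much as the verifier's trust in the public key, so when reviewing any signed-evidence scheme, ask how the issuer's public keys are published and rotated, and exactly which fields (commit SHA, policies evaluated, verdict, time) are inside the signed payload.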

We use our own product

MergeGuide governs the code that builds MergeGuide. Our security and compliance policies are enforced at the moment our own engineers (and their AI assistants) write code.

Compliance

Working toward SOC 2 Type II.

We are actively pursuing a SOC 2 Type II examination with an independent auditor. SOC 2 is in progress and not yet complete. We'd rather tell you exactly where we stand than imply a certification we don't hold.

MergeGuide is built around the same frameworks our customers are accountable to: SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST 800-53, the EU AI Act and more. Explore how the product maps to them on our Compliance page.

Current status

  • SOC 2 Type II: in progress
  • TLS everywhere: in place
  • Public sub-processor list: published
  • Responsible disclosure program: open (see below)
  • Service status: status page

Need security documentation for vendor review? Email security@mergeguide.ai.

Responsible disclosure

Found a vulnerability? Tell us.

We welcome reports from security researchers and treat them as a priority. If you believe you've found a security issue in MergeGuide, please let us know before disclosing it publicly.

How to report

Email security@mergeguide.ai with:

  • A description of the issue and its impact
  • Clear steps to reproduce (proof-of-concept welcome)
  • Any affected URLs, accounts, or versions

Our commitment

  • We acknowledge reports within 3 business days
  • We'll keep you updated as we investigate and remediate
  • We won't pursue legal action for good-faith research that respects the guidelines below

Good-faith guidelines

Please avoid privacy violations, data destruction, and service degradation. Don't access or modify data that isn't yours, and give us a reasonable window to remediate before any public disclosure. Test only against your own accounts. We don't currently run a paid bug-bounty program, but we're grateful for responsible reports and happy to credit researchers who'd like recognition.

Questions about security or compliance?

Whether you're evaluating MergeGuide or reviewing us as a vendor, we're glad to help.

Email security@mergeguide.ai
Contact sales