Security and privacy, by design.
Merrily connects to the tools you already run, so protecting the data you entrust to us is a first-order design constraint. This is where you can review our security posture, compliance status, and the documents your security team needs.
Last updated July 2026
Merrily is pre-GA and pre-audit. We are building to be substantively compliant with the SOC 2 Trust Services Criteria before any production customer data lands, and we will engage an independent CPA firm for a Type I, then a Type II, examination. We do not describe Merrily as SOC 2 certified or compliant, because that would not be accurate yet. We are glad to share our architecture, a completed security questionnaire, and our remediation roadmap under NDA.
Where we stand.
An honest snapshot of our frameworks and commitments.
SOC 2
In progress: Built to the SOC 2 Trust Services Criteria. Pre-audit today; a Type I, then Type II, examination with an independent CPA firm is planned. We do not claim a report yet.
GDPR & CCPA
Supported: A standard Data Processing Addendum with EU Standard Contractual Clauses and the UK addendum is available to every customer.
Privacy
Published: A public privacy notice and a current, versioned subprocessor list with the legal entity and region for each.
AWS infrastructure
Inherited: Runs on Amazon Web Services, whose data centers are independently audited to SOC 1/2/3 and ISO 27001.
The controls behind the product.
Every item below is a control we operate today. The handful of things still in flight are listed separately, so this list stays true.
Data protection
- TLS 1.2+ encryption for all data in transit
- Connector credentials sealed with per-tenant AWS KMS envelope encryption
- Credentials cryptographically shredded when a source is disconnected
- Contract files encrypted at rest with AWS KMS (SSE-KMS)
- Strict logical multi-tenant isolation, regression-tested on every build
- Read-only, least-privilege access to every connected source
Access & identity
- Single sign-on via AWS IAM Identity Center
- Multi-factor authentication enforced for every team member
- Least-privilege IAM roles, scoped per workload
- Keyless deploys using short-lived federated (OIDC) credentials
- Account password policy; root access key removed (break-glass only)
Infrastructure & availability
- Hosted on AWS in the United States (us-east-2)
- Multi-AZ production database with automatic failover
- Automated backups with an immutable, cross-region copy
- Database deletion protection and final snapshots
- Durable, resumable workflow orchestration for data syncs
Monitoring & logging
- Account-wide audit logging with AWS CloudTrail
- Continuous threat detection with Amazon GuardDuty
- Configuration monitoring with AWS Config and Security Hub
- Container and image vulnerability scanning with Amazon Inspector
- VPC flow logs and metric alarms with alerting
- An append-only, in-application audit trail
Application & product security
- Every change ships through a peer-reviewed pull request and CI
- Automated dependency and vulnerability scanning in the pipeline
- Hardened authentication (one-time-code login with throttling)
- Hashed, scoped API keys and HMAC-verified webhooks
- Parameterized queries and GraphQL depth and complexity limits
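Two of the controls listed above, hashed scoped API keys and HMAC-verified webhooks, are shown below as an added illustration. This is example code written for this page, not Merrily's implementation; the key prefix, the store layout, the signature header format and the replay tolerance are all assumptions.

```python
"""Added illustration: hashed, scoped API keys and HMAC-verified webhooks.
Example code, not Merrily's own; formats and names below are assumptions."""
import hashlib
import hmac
import secrets

# Constructed in-memory key store. Only the SHA-256 hash of each API key is
# kept, alongside the scopes it grants; the plaintext is returned to the caller
# once at issuance and never stored, so a leaked store yields no usable keys.
_API_KEYS: dict[str, set[str]] = {}


def issue_api_key(scopes: set[str]) -> str:
    """Mint a random key, store only its hash plus scopes, return plaintext once."""
    plaintext = "mk_" + secrets.token_urlsafe(32)  # "mk_" prefix is assumed
    _API_KEYS[hashlib.sha256(plaintext.encode()).hexdigest()] = set(scopes)
    return plaintext


def authorize(api_key: str, required_scope: str) -> bool:
    """Look up the presented key by its hash; allow only if it carries the scope."""
    scopes = _API_KEYS.get(hashlib.sha256(api_key.encode()).hexdigest())
    return scopes is not None and required_scope in scopes


# Webhook signing. The header carries a timestamp and an HMAC-SHA256 over
# "<timestamp>.<raw body>" so that neither the body nor the timestamp can be
# altered without invalidating the signature. Header layout is assumed.
def sign_webhook(secret: bytes, body: bytes, ts: int) -> str:
    mac = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str,
                   now: int, tolerance: int = 300) -> bool:
    """Reject malformed headers, stale timestamps (replay), and bad signatures.

    The comparison uses hmac.compare_digest so that timing does not leak how
    many leading bytes of the forged signature were correct.
    """
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        sig = fields["v1"]
    except (ValueError, KeyError):
        return False
    if abs(now - ts) > tolerance:
        return False
    expected = hmac.new(secret, f"{ts}.".encode() + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    key = issue_api_key({"contracts:read"})
    print("read allowed:", authorize(key, "contracts:read"))
    print("write allowed:", authorize(key, "contracts:write"))
    secret = b"whsec_constructed_example"
    body = b'{"event":"sync.completed"}'
    hdr = sign_webhook(secret, body, 1_000_000)
    print("fresh webhook verifies:", verify_webhook(secret, body, hdr, now=1_000_010))
    print("tampered body verifies:", verify_webhook(secret, body + b" ", hdr, now=1_000_010))
```

The receiver must compute the HMAC over the raw request bytes before any JSON parsing, since re-serialising the body can change whitespace or key order and break the signature; the timestamp window is what turns a captured, validly signed delivery into a rejected replay.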
Privacy & data handling
- Published privacy notice and versioned subprocessor list
- Standard Data Processing Addendum with EU Standard Contractual Clauses
- Data classification and retention policies
- We never use your connected data to train shared or third-party models
- A documented process for data-subject access and deletion requests
Governance & people
- A written information security policy set (20+ policies)
- A maintained risk register with annual and change-driven review
- An incident response plan with a breach-notification commitment
- A designated Security Officer accountable for the program
- A vendor and subprocessor risk-review program
- A security awareness training program for the team
On our near-term roadmap
In the interest of transparency, these controls are not yet in place. We are actively closing them before general availability.
Documents and resources.
Public commitments are linked below. Detailed security material is available to customers and prospects under NDA.
Public
Available under NDA (gated)
- Information security policy set: The full written policy library.
- Architecture & data-flow overview: System boundary, components, and trust boundaries.
- Security questionnaire (CAIQ / SIG): A completed, standardized assessment.
- Penetration test summary: Available once our first independent test completes.
- SOC 2 report: Available once our examination completes.
Or email [email protected].
Talk to our security team
Running a vendor security review, or have a question this page did not answer? We are happy to complete questionnaires and share evidence under NDA.
[email protected]
Report a vulnerability
We welcome reports from security researchers. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. See our security.txt for our disclosure contact.
Disclose to [email protected]
Start your security review.
Request access to our policies, architecture overview, and a completed security questionnaire under NDA.