Trust Center

Security and privacy, by design.

Merrily connects to the tools you already run, so protecting the data you entrust to us is a first-order design constraint. This is where you can review our security posture, compliance status, and the documents your security team needs.

  • SOC 2 · In progress
  • GDPR & CCPA · Supported
  • Privacy · Published
  • AWS infrastructure · Inherited

View subprocessors

Last updated July 2026

Merrily is pre-GA and pre-audit. We are building to be substantively compliant with the SOC 2 Trust Services Criteria before any production customer data lands, and we will engage an independent CPA firm for a Type I, then a Type II, examination. We do not describe Merrily as SOC 2 certified or compliant, because that would not be accurate yet. We are glad to share our architecture, a completed security questionnaire, and our remediation roadmap under NDA.

Compliance

Where we stand.

An honest snapshot of our frameworks and commitments.

SOC 2

In progress

Built to the SOC 2 Trust Services Criteria. Pre-audit today; a Type I, then Type II, examination with an independent CPA firm is planned. We do not claim a report yet.

GDPR & CCPA

Supported

A standard Data Processing Addendum with EU Standard Contractual Clauses and the UK addendum is available to every customer.

Privacy

Published

A public privacy notice and a current, versioned subprocessor list with the legal entity and region for each.

AWS infrastructure

Inherited

Runs on Amazon Web Services, whose data centers are independently audited to SOC 1/2/3 and ISO 27001.

Security

The controls behind the product.

Every item below is a control we operate today. The handful of things still in flight are listed separately, so this list stays true.

Data protection

  • TLS 1.2+ encryption for all data in transit
  • Connector credentials sealed with per-tenant AWS KMS envelope encryption
  • Credentials cryptographically shredded when a source is disconnected
  • Contract files encrypted at rest with AWS KMS (SSE-KMS)
  • Strict logical multi-tenant isolation, regression-tested on every build
  • Read-only, least-privilege access to every connected source

Access & identity

  • Single sign-on via AWS IAM Identity Center
  • Multi-factor authentication enforced for every team member
  • Least-privilege IAM roles, scoped per workload
  • Keyless deploys using short-lived federated (OIDC) credentials
  • Account password policy; root access key removed (break-glass only)

Infrastructure & availability

  • Hosted on AWS in the United States (us-east-2)
  • Multi-AZ production database with automatic failover
  • Automated backups with an immutable, cross-region copy
  • Database deletion protection and final snapshots
  • Durable, resumable workflow orchestration for data syncs

Monitoring & logging

  • Account-wide audit logging with AWS CloudTrail
  • Continuous threat detection with Amazon GuardDuty
  • Configuration monitoring with AWS Config and Security Hub
  • Container and image vulnerability scanning with Amazon Inspector
  • VPC flow logs and metric alarms with alerting
  • An append-only, in-application audit trail

Application & product security

  • Every change ships through a peer-reviewed pull request and CI
  • Automated dependency and vulnerability scanning in the pipeline
  • Hardened authentication (one-time-code login with throttling)
  • Hashed, scoped API keys and HMAC-verified webhooks
  • Parameterized queries and GraphQL depth and complexity limits

Privacy & data handling

  • Published privacy notice and versioned subprocessor list
  • Standard Data Processing Addendum with EU Standard Contractual Clauses
  • Data classification and retention policies
  • We never use your connected data to train shared or third-party models
  • A documented process for data-subject access and deletion requests

Governance & people

  • A written information security policy set (20+ policies)
  • A maintained risk register with annual and change-driven review
  • An incident response plan with a breach-notification commitment
  • A designated Security Officer accountable for the program
  • A vendor and subprocessor risk-review program
  • A security awareness training program for the team

On our near-term roadmap

In the interest of transparency, these controls are not yet in place. We are actively closing them before general availability.

  • Encryption at rest for the primary database
  • A web application firewall and fully private networking
  • An independent third-party penetration test
  • A SOC 2 Type I examination, followed by Type II

Resources

Documents and resources.

Public commitments are linked below. Detailed security material is available to customers and prospects under NDA.

Available under NDA

Gated

  • Information security policy set: the full written policy library.
  • Architecture & data-flow overview: system boundary, components, and trust boundaries.
  • Security questionnaire (CAIQ / SIG): a completed, standardized assessment.
  • Penetration test summary: available once our first independent test completes.
  • SOC 2 report: available once our examination completes.

Or email [email protected].

Talk to our security team

Running a vendor security review, or have a question this page did not answer? We are happy to complete questionnaires and share evidence under NDA.

[email protected]

Report a vulnerability

We welcome reports from security researchers. Please give us a reasonable opportunity to investigate and remediate before any public disclosure. See our security.txt for our disclosure contact.

Disclose to [email protected]

Start your security review.

Request access to our policies, architecture overview, and a completed security questionnaire under NDA.