Mergify is GDPR compliant We provide our users control over the data they share and relies on Standard Contractual Clauses (SCCs) and extends them to all of our customers.

Mergify provides a high standard of privacy protection to all developers and customers.We do this through significant investments in platform security, incident response, and anti-abuse.

Mergify offers AICPA System and Organization Controls (SOC) SOC 2 Type 2 reports. Ask access your customer representative to access them.

Security is a shared responsibilities. Mergify provides support to its customers' security and risk teams. We partner with procurement teams to provide information needed to determine risks and understand our compliance and security posture.

We invest in secure software design practices. We embed security expertise and capabilities into every phase of our Software Development Lifecycle. Through developer training, the creation of components that form a secure foundation to build on, automated code analysis, in-depth threat modeling, and security code review and testing, we prevent vulnerabilities as early as possible in the development lifecycle.

Mergify runs a bug bounty program where security researcher can report any vulnerability they find. While the program is currently private, you can request an invitation to report any security issue you discovered.