Pricing

Transparent pricing. No surprises.

Start with a 14-day free trial on any plan. No credit card required. Cancel anytime.

Starter

For small teams getting audit-ready

$299/month

$249/mo billed annually

  • Up to 5 repositories
  • Up to 20 engineers
  • 2 compliance frameworks
  • GitHub + Jira integrations
  • Evidence vault (SHA-256 sealed)
  • AI evidence analysis
  • Gap detection & scoring
  • 30-day evidence history
  • Email support
  • Slack integration
  • Audit bundle generation
  • OSCAL export
  • Self-hosted deployment

Growth (Most Popular)

For scaling engineering teams

$999/month

$833/mo billed annually

  • Unlimited repositories
  • Up to 100 engineers
  • All 14 compliance frameworks
  • GitHub + Jira + Slack integrations
  • Evidence vault (SHA-256 sealed)
  • AI evidence analysis
  • Gap detection & scoring
  • 90-day evidence history
  • Priority support
  • Slack integration
  • Audit bundle generation
  • OSCAL export
  • Self-hosted deployment

Enterprise

For federal, healthcare & finance

Custom

Starting at $50K/year

  • Unlimited repositories
  • Unlimited engineers
  • All 14 compliance frameworks
  • All integrations + custom
  • Evidence vault (SHA-256 sealed)
  • AI evidence analysis
  • Gap detection & scoring
  • Unlimited evidence retention
  • Dedicated CSM + SLA
  • Slack integration
  • Audit bundle generation
  • OSCAL export (FedRAMP 20x)
  • Self-hosted deployment (OIDC + S3)

What makes each plan unique

14 Frameworks

SOC 2, FedRAMP, CMMC, HIPAA, DORA, ISO 27001, NIST, PCI-DSS, SOX, and GDPR. Growth and Enterprise include all 14.

Cryptographic Vault

Every evidence record is SHA-256 sealed at merge time. Tamper-proof by design. Included on all plans.

OSCAL Export

Generate FedRAMP 20x ready OSCAL packages (SSP, Assessment Results, POA&M). Enterprise only.

Self-Hosted

Deploy on your infrastructure with OIDC auth, S3 storage, and Docker/Kubernetes. Enterprise only.

Frequently asked questions

How does the 14-day free trial work?

Sign up, connect GitHub, and start capturing evidence immediately. No credit card required. After 14 days, choose a plan or continue with limited features.

What compliance frameworks are included?

MergeWhy supports 14 frameworks: SOC 2, FedRAMP, CMMC L1/L2/L3, HIPAA, DORA, ISO 27001, NIST 800-53, PCI-DSS, SOX ITGC, SOX 404, and GDPR. Starter plans include 2 frameworks; Growth and Enterprise include all 14.

Do you support self-hosted deployment?

Yes. Enterprise plans include self-hosted deployment with Docker/Kubernetes, OIDC authentication (Okta, Azure AD, Keycloak), and S3-compatible storage. Your evidence never leaves your infrastructure.

What is OSCAL export and why do I need it?

OSCAL is the NIST standard for machine-readable compliance documents. FedRAMP 20x (Sept 2026 deadline) mandates OSCAL-formatted authorization packages. MergeWhy generates SSP, Assessment Results, and POA&M documents automatically from your evidence data.

How is MergeWhy different from Vanta or Drata?

Vanta and Drata are pull-based — they periodically gather evidence and still require 30-40% manual work. MergeWhy captures evidence automatically at merge time, seals it with SHA-256 cryptography, and works natively in your GitHub workflow. Zero manual evidence collection.

Is there a discount for open-source projects?

Yes. Open-source projects qualify for a free community license with all Growth features. Contact us with your project details.

Ready to start?

14 days free. No credit card.

Connect GitHub and see compliance evidence captured automatically from your first PR merge.