Pricing
Transparent pricing.
No surprises.
Start with a 14-day free trial on any plan. No credit card required. Cancel anytime.
Starter
For small teams getting audit-ready
$249/mo billed annually
- Up to 5 repositories
- Up to 20 engineers
- 2 compliance frameworks
- GitHub + Jira integrations
- Evidence vault (SHA-256 sealed)
- AI evidence analysis
- Gap detection & scoring
- 30-day evidence history
- Email support
- Slack integration
- Audit bundle generation
- OSCAL export (Enterprise only)
- Self-hosted deployment (Enterprise only)
Growth
For scaling engineering teams
$833/mo billed annually
- Unlimited repositories
- Up to 100 engineers
- All 15 compliance frameworks
- GitHub + Jira + Slack integrations
- Evidence vault (SHA-256 sealed)
- AI evidence analysis
- Gap detection & scoring
- 90-day evidence history
- Priority support
- Slack integration
- Audit bundle generation
- OSCAL export (Enterprise only)
- Self-hosted deployment (Enterprise only)
Enterprise
For federal, healthcare & finance
Starting at $50K/year
- Unlimited repositories
- Unlimited engineers
- All 15 compliance frameworks
- All integrations + custom
- Evidence vault (SHA-256 sealed)
- AI evidence analysis
- Gap detection & scoring
- Unlimited evidence retention
- Dedicated CSM + SLA
- Slack integration
- Audit bundle generation
- OSCAL export (FedRAMP 20x)
- Self-hosted deployment (OIDC + S3)
What makes each plan unique
15 Frameworks
SOC 2, FedRAMP (Low/Mod/High), CMMC L1/L2/L3, HIPAA, DORA, ISO 27001, ISO 27701, NIST 800-53, PCI-DSS, SOX ITGC, SOX 404, and GDPR. Growth and Enterprise include all 15.
Cryptographic Vault
Every evidence record is SHA-256 sealed at merge time. Tamper-proof by design. Included on all plans.
OSCAL Export
Generate FedRAMP 20x ready OSCAL packages (SSP, Assessment Results, POA&M). Enterprise only.
Self-Hosted
Deploy on your infrastructure with OIDC auth, S3 storage, and Docker/Kubernetes. Enterprise only.
Frequently asked questions
How does the 14-day free trial work?
Sign up, connect GitHub, and start capturing evidence immediately. No credit card required. After 14 days, choose a plan or continue with limited features.
What compliance frameworks are included?
MergeWhy supports 15 frameworks including SOC 2, FedRAMP (Low/Mod/High), CMMC L1/L2/L3, HIPAA, DORA, ISO 27001, ISO 27701, NIST 800-53, PCI-DSS, SOX ITGC, SOX 404, and GDPR. Starter plans include 2 frameworks; Growth and Enterprise include all 15.
Do you support self-hosted deployment?
Yes. Enterprise plans include self-hosted deployment with Docker/Kubernetes, OIDC authentication (Okta, Azure AD, Keycloak), and S3-compatible storage. Your evidence never leaves your infrastructure.
What is OSCAL export and why do I need it?
OSCAL is the NIST standard for machine-readable compliance documents. FedRAMP 20x (Sept 2026 deadline) mandates OSCAL-formatted authorization packages. MergeWhy generates SSP, Assessment Results, and POA&M documents automatically from your evidence data.
How is MergeWhy different from cloud posture tools?
Cloud posture tools periodically scan your infrastructure but don't capture change-level evidence. MergeWhy captures evidence automatically at merge time — reviews, approvals, tickets, CI results — seals it with SHA-256 cryptography, and evaluates each change against 15 compliance frameworks. Zero manual evidence collection.
Is there a discount for open-source projects?
Yes. Open-source projects qualify for a free community license with all Growth features. Contact us with your project details.
Ready to start?
14 days free. No credit card.
Connect GitHub and see compliance evidence captured automatically from your first PR merge.