Security & Trust

How can you trust us
with your data?

The most important question we get asked. This page is the long-form, no-bullshit answer: exactly what data MergeWhy reads, exactly where it lives, exactly which deployment model matches your risk tolerance.

Last updated · April 26, 2026

01 · WHAT WE READ

Exactly what MergeWhy accesses on your GitHub

MergeWhy uses read-only GitHub App scopes. We have no write access to your repositories — we cannot push code, change settings, modify reviews, or merge PRs.

Data                                           | We read                  | We store
-----------------------------------------------|--------------------------|-------------------
PR title, description, author, labels          | Yes                      | Yes
Reviews, approvals, comments                   | Yes                      | Yes
Linked tickets (Jira / Linear / GitHub Issues) | Yes                      | Yes (refs only)
CI check runs, statuses, durations             | Yes                      | Yes
File list changed in PR + commit SHAs          | Yes                      | Yes
Source code diffs / file contents              | On-demand at bundle time | No (not persisted)
Repo settings, secrets, or branch protection   | No                       | No
Write access to push, merge, or modify         | No                       | No

Our GitHub App permission manifest is published in the docs. You can audit it before installing.

02 · WHERE IT LIVES

Architecture & data flow

Your GitHub (PRs merge as normal)
  → MergeWhy webhook (read-only event ingestion)
  → Evidence vault (SHA-256 + Ed25519, encrypted at rest)
  → Anthropic Claude (AI analysis, zero-retention API, optional)
  → Compliance engines (12 frameworks evaluated)
  → Auditor-ready bundle (ZIP + OSCAL + portal access)

  • Single-tenant logical isolation. Your organization's data is row-level segregated by organizationId on every query. No cross-tenant joins exist in our codebase.
  • Encrypted at rest. PostgreSQL with AES-256 encryption. TLS 1.3 in transit.
  • Hosted on AWS (us-east-1). ECS containers, no shell access in production.
  • Evidence vault is tamper-evident. Every sealed record is SHA-256 hashed and Ed25519 signed. Modifying a single byte after seal time breaks the signature — even MergeWhy can't silently alter your evidence.
  • Audit logs for every action. Every read, write, and admin operation on your data is logged immutably. We can produce a full access trail on request.

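The seal-then-verify property described for the evidence vault, as an added example in Go that is not MergeWhy's code: a constructed record is hashed with SHA-256, the digest is signed with Ed25519, and flipping a single bit of the stored evidence makes verification fail. The record layout, function names and sample record are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// SealedRecord is a hypothetical layout for one vault entry (an assumption, not
// MergeWhy's schema): evidence bytes, their SHA-256 digest, and an Ed25519
// signature over that digest.
type SealedRecord struct {
	Evidence  []byte
	Digest    [32]byte
	Signature []byte
}

// Seal hashes the evidence and signs the digest with the vault's private key.
func Seal(priv ed25519.PrivateKey, evidence []byte) SealedRecord {
	digest := sha256.Sum256(evidence)
	return SealedRecord{
		Evidence:  append([]byte(nil), evidence...),
		Digest:    digest,
		Signature: ed25519.Sign(priv, digest[:]),
	}
}

// Verify recomputes the digest from the stored bytes, requires it to match the
// sealed digest, then checks the signature against the vault's public key.
func Verify(pub ed25519.PublicKey, r SealedRecord) bool {
	if sha256.Sum256(r.Evidence) != r.Digest {
		return false
	}
	return ed25519.Verify(pub, r.Digest[:], r.Signature)
}

// TamperDemo seals a constructed record, flips one bit in a copy of it, and
// reports whether the original and the altered copy verify.
func TamperDemo() (origOK, alteredOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample evidence, not a real MergeWhy record.
	rec := Seal(priv, []byte(`{"pr":42,"approvals":["alice"],"ci":"passed"}`))
	altered := rec
	altered.Evidence = append([]byte(nil), rec.Evidence...)
	altered.Evidence[len(altered.Evidence)-3] ^= 0x01 // one bit of "passed" changed
	return Verify(pub, rec), Verify(pub, altered)
}
```

The check only holds while the signing key stays out of reach of whoever could edit the stored rows, which is why the vault's key handling matters as much as the signature itself.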
03 · YOUR DEPLOYMENT, YOUR CALL

Three deployment models

Pick the one that matches your risk tolerance. They all use the same product — only the trust boundary changes.

MOST COMMON · SaaS
  We host, you install in 30s
  Where data lives: In our AWS (us-east-1)
  Network boundary: Crosses internet (TLS 1.3)
  Best for: Series A→C SaaS startups and SOC 2 / SOX teams comfortable with a standard SaaS trust boundary

REGULATED · Self-hosted Docker
  Runs in your VPC
  Where data lives: In your network (you choose Postgres)
  Network boundary: Stays inside your perimeter
  Best for: HIPAA, FedRAMP-aspirant, fintech with strict data residency. Helm chart + Docker Compose.

DEFENSE / AIR-GAPPED · Open-source collector
  Agent inside your network
  Where data lives: Source + PR text never leaves; only signed scores transmitted
  Network boundary: Outbound-only HTTPS (signed payloads)
  Best for: DoD contractors, defense, classified environments. Open-source Docker agent.

04 · WHAT WE'RE STRAIGHT ABOUT

Three things you should know before signing

We'd rather you find these on this page than in your security review. Honesty is cheaper than churn.

MergeWhy is not SOC 2 Type II certified yet
We're a 2026-founded startup. Our own SOC 2 audit is in progress (target: Q3 2026, using our own product to capture the evidence — yes, recursively). Until then: read-only GitHub scopes, no write access, encryption at rest, single-tenant logical isolation, immutable audit logs. We'll send our SIG-Lite questionnaire on request.

The AI analysis feature sends PR text to Anthropic Claude
When AI mode is on, PR descriptions and ticket summaries are sent to Anthropic's zero-retention API for risk grading and intent matching. You can disable AI mode in settings — the product falls back to deterministic rule-based scoring with no third-party data flow. For air-gapped customers we recommend the open-source collector (no AI dependency).

We don't have a 24/7 SOC team
We're a small team. We monitor the production stack with PagerDuty + Datadog and respond within 1 hour. If you need a 99.99 SLA with on-call human eyes around the clock today, you're too early for us — pick the self-hosted deployment so your own SRE owns it.

05 · OUR OWN COMPLIANCE ROADMAP

We get our own audit

Q2 2026 · SIG-Lite + DPA published · DONE
  Available on request — email below.

Q2 2026 · SOC 2 Type I — readiness assessment kicked off · IN PROGRESS
  Auditor selection in progress.

Q3 2026 · SOC 2 Type II audit window opens · PLANNED
  Six-month observation window. Evidence captured by MergeWhy itself.

Q1 2027 · SOC 2 Type II report issued · PLANNED
  Will be linked here when complete.

Q1 2027 · ISO 27001 audit kicks off · PLANNED
  Targeted for Q3 2027 certificate.

Need our security questionnaire before our call?

We'll send our SIG-Lite, DPA, sub-processor list, and architecture one-pager so your security team can review it asynchronously. Most reviews take us less than 48 hours.

Questions? security@mergewhy.com (or just email Dheeraj directly)