Terms of Service

Last updated: February 2026

These Terms of Service (“Terms”) govern your access to and use of the MergeWhy compliance evidence platform (the “Service”) provided by MergeWhy (“we,” “our,” or “us”). By accessing or using the Service, you agree to be bound by these Terms.

1. Acceptance of Terms

By creating an account, accessing, or using the Service, you acknowledge that you have read, understood, and agree to be bound by these Terms and our Privacy Policy. If you are using the Service on behalf of an organization, you represent and warrant that you have the authority to bind that organization to these Terms.

We may update these Terms from time to time. We will notify you of material changes by email or through the Service. Your continued use of the Service after such changes constitutes acceptance of the updated Terms.

2. Description of Service

MergeWhy is a compliance evidence platform that automatically captures, analyzes, and preserves evidence from software development workflows. The Service includes:

  • Decision Evidence Records (DERs) — Automated capture of the rationale, evidence, and context behind every code change at merge time.
  • Compliance evaluation — Mapping of evidence to regulatory frameworks including SOC 2, FedRAMP, CMMC, HIPAA, DORA, and others.
  • Evidence vault — Cryptographic sealing (SHA-256) of compliance evidence to create tamper-proof audit records.
  • AI-powered analysis — Automated risk assessment, audit narrative generation, and scope creep detection using large language models.
  • Integrations — Connections to GitHub, Jira, and Slack for evidence enrichment and notifications.
  • Audit bundles — Packaged compliance documentation ready for auditor review.

3. Account Registration

To use the Service, you must create an account. For SaaS deployments, authentication is managed through Clerk, which supports email, social login, and enterprise SSO. For self-hosted deployments, authentication is handled by your organization's identity provider via OIDC.

The Service supports organizational accounts with role-based access control. Account administrators are responsible for managing team membership, role assignments, and organizational settings. You are responsible for maintaining the security of your account credentials and for all activities that occur under your account.

You agree to provide accurate and complete information when creating your account and to keep your account information up to date.

4. Acceptable Use

You agree not to:

  • Use the Service for any unlawful purpose or in violation of any applicable laws or regulations.
  • Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Service.
  • Scrape, crawl, or use automated means to access the Service beyond what is provided through our official API.
  • Interfere with or disrupt the integrity or performance of the Service or its infrastructure.
  • Attempt to gain unauthorized access to the Service, other accounts, or systems connected to the Service.
  • Use the Service to store or transmit malicious code, viruses, or harmful data.
  • Resell, sublicense, or redistribute the Service without our prior written consent.

5. Intellectual Property

MergeWhy and its licensors retain all rights, title, and interest in and to the Service, including all associated intellectual property rights. The Service is protected by copyright, trademark, and other laws of applicable jurisdictions.

You retain all rights to your data, including source code, compliance evidence, and documentation generated through the Service. Nothing in these Terms transfers ownership of your data to MergeWhy.

The MergeWhy name, logo, and all related product and service names, designs, and slogans are trademarks of MergeWhy. You may not use these marks without our prior written permission.

6. Data Ownership

You own all data you submit to or generate through the Service. This includes but is not limited to:

  • Decision Evidence Records (DERs) and associated metadata.
  • Compliance evaluations, evidence scores, and gap detection results.
  • Vault-sealed evidence records and their cryptographic hashes.
  • Audit bundles, reports, and OSCAL export documents.
  • Policies, risk registers, and waiver documentation.

We will not access, use, or share your data except as necessary to provide the Service, comply with applicable law, or as otherwise described in our Privacy Policy.

You may export your data at any time through the dashboard or API in standard formats including JSON, PDF, ZIP, and OSCAL 1.1.2.

7. Service Availability

We use commercially reasonable efforts to maintain high availability of the Service. However, the Service may be temporarily unavailable due to scheduled maintenance, infrastructure upgrades, or circumstances beyond our control.

Scheduled maintenance windows will be communicated in advance through the Service or via email. We will make reasonable efforts to minimize disruption during maintenance periods.

We do not guarantee that the Service will be uninterrupted, error-free, or that defects will be corrected within a specific timeframe, except as specified in any applicable Service Level Agreement (SLA) included with your subscription plan.

8. Limitation of Liability

To the maximum extent permitted by applicable law, MergeWhy and its officers, directors, employees, and agents shall not be liable for any indirect, incidental, special, consequential, or punitive damages, including but not limited to loss of profits, data, use, or goodwill, arising out of or in connection with your use of the Service.

Our total liability for any claims arising under these Terms shall not exceed the amount you paid to MergeWhy for the Service during the twelve (12) months preceding the event giving rise to the liability.

The Service provides compliance evidence and analysis as a tool to support your compliance efforts. It does not constitute legal, regulatory, or professional compliance advice. You are solely responsible for ensuring your organization's compliance with applicable laws and regulations.

9. Termination

Either party may terminate these Terms at any time. You may terminate by discontinuing use of the Service and closing your account through the dashboard settings.

We may suspend or terminate your access to the Service if you violate these Terms, fail to pay applicable fees, or if we are required to do so by law. We will provide reasonable notice before termination when possible.

Upon termination, you will have 30 days to export your data. During this period, you may download all compliance evidence, DERs, audit bundles, and vault records through the dashboard or API. After the 30-day export window, all data associated with your organization will be permanently deleted.

Sections relating to intellectual property, data ownership, limitation of liability, and any other provisions that by their nature should survive, will survive termination of these Terms.

10. Contact

If you have any questions about these Terms of Service, please contact us:

MergeWhy Legal Team

Email: legal@mergewhy.com